Alaska Personal Information Protection Act

House Bill 65 was passed by the Legislature during the 2007-2008 session, and became law on July 1, 2009.  It is found in the Alaska Statutes at AS 45.48. The law provides several protections for personal information, including: (1) a notice requirement when a breach of security concerning personal information has occurred; (2) the ability to place a security freeze on a consumer credit report; (3) various restrictions on the use of personal information and credit information; (4) the disposal of records containing personal information; (5) allowing a victim of identity theft to petition the court for a determination of factual innocence; and (6) truncation of credit card information.  These protections are contained in various sections of the statute as follows:

Sec. 45.48.010 - .090 – Breach of
Security Involving Personal Information.

This article contains provisions that require notification to consumers when there is a breach of security of an information system containing personal information.  "Personal information" is defined to include information on an individual, that is not encrypted, that consists of the individual's name and one or more of several other pieces of information, including a social security number, driver's license number, account number, password, or other access codes.

Notice of the breach must be done expeditiously.  Notice can be delayed if it will interfere with a criminal investigation, or if the breach is unlikely to cause harm to the consumer.  Notice must be given in writing, but can also be given by electronic means under certain circumstances.

Violations of this section subject the violator (including a state agency) to a civil penalty of up to $500 for each consumer who was not provided notice, up to a maximum penalty of $50,000.  In addition, the injured person can seek injunctive relief, and can recover actual economic harm.

Sec. 45.48.100 - .290 – Credit Report and
Credit Score Security Freeze.

This article contains provisions that allow a consumer to place a security freeze on the consumer's credit report.  The effect of a freeze will prevent a third person from accessing the individual's credit report.  A freeze can be placed by mail or other means if the credit reporting agency allows a freeze by another means.  Once a freeze is in place, the consumer can remove it by submitting a request in a similar manner.

A credit reporting agency can charge $5 to place a freeze, and $2 to remove the freeze.  Because there are currently three major credit reporting agencies, this equates to $15 and $6 respectively to place and remove a freeze at all three companies.

There are several exemptions that allow access by certain entities even when a freeze is in place, including (1) use of the credit report to review or collect a financial obligation; (2) persons acting under court order; (3) a municipal or state agency  that administers child support enforcement obligations; (4) the department of Health and Social Services when investigating fraud; (5) the Department of Revenue when investigating or collecting taxes or implementing other statutory responsibilities; (6) prescreening allowed by the Fair Credit Reporting Act; and (7) for insurance purposes.

Knowing  violations of this section subject the violator to actual economic damages, including punitive damages up to $5,000 for each violation.

Sec. 45.48.400 - .480 – Protection of Social Security Number.

This article contains provisions that restrict the use of social security numbers ("SSN's") in a number of ways.  There are four sections that address specific uses of a SSN:

Section 45.48.400 prohibits a person from making a SSN available to the public.  This section also prohibits a person from requiring a SSN to access products or services, including internet access, and prohibits the printing of a SSN on material mailed to a consumer unless required by state or federal law.  The prohibitions of the section do not apply to government agencies if use of the SSN is authorized by law or required for the performance of the person's duties or responsibilities as provided by law.

Section 45.48.410 prohibits the request and collection of SSN's.  The prohibition on the request or collection does not apply:

  1. if the person is authorized by law to request or collect a SSN;
  2. to a government agency if the agency is authorized by law to request or collect the SSN, or the request or collection is required for the performance of the person's duties or responsibilities as provided by law;
  3. to a person subject to the Gramm-Leach-Bliley Act;
  4. to a person subject to the Fair Credit Reporting Act;
  5. if the request or collection is for a background check, law enforcement, employment, or verifying a person's age;
  6. if the request or collection is part of a larger transaction and does not have independent economic value;
  7. to an insurer regulated by AS 21; or
  8. to a hospital/medical service corporation regulated by AS 21.87.

Section 45.48.420 prohibits the sale, lease, loan, or trade of a SSN unless the sale, lease, loan, or trade is:

  1. authorized by law;
  2. by a person subject to the Gramm-Leach-Bliley Act;
  3. by a person subject to the Fair Credit Reporting Act; or
  4. part of a report prepared by a consumer reporting agency in response to a request by a person who submits the SSN as part of the request.

Knowing violations of the section are a class A misdemeanor.

Section 45.48.430 prohibits the disclosure of a SSN, unless the disclosure:

  1. is authorized by law;
  2. is by a government agency and the disclosure is required for the performance of the person's duties;
  3. is to a person subject to the Gramm-Leach-Bliley Act;
  4. is to a person subject to the Fair Credit Reporting Act;
  5. is part of a report prepared by a consumer reporting agency in response to a request by a person who submits the SSN as part of the request; or
  6. is for a background check, identity verification, fraud prevention, medical treatment, law enforcement, or employment.

Other sections of Article 3 allows for the interagency disclosure of a SSN, and use by employers when administrating a claim, benefit or procedure related to the individual's employment.  A person may also disclose a SSN to an employee or agent of the person for legitimate purposes directed by the person.

Knowing violations of AS 45.48.400 - .430 are subject to a $3,000 penalty plus actual economic damages, court costs, and full reasonable attorneys fees.

Sec. 45.48.500 - .590 – Disposal of Records

This article contains provisions that require a business and a government agency to take reasonable measures to protect against unauthorized access to, or use of, records when disposing of records containing personal information.  To comply with this requirement, a business or government agency can implement compliance and monitoring policies that require the destruction of personal information, or enter a contract with a third party for the disposal and destruction of the records.  A business or government agency is not liable for the disposal after relinquishing control of the records to a third party that is in the business of record destruction.

Knowing violations of this section are subject to a $3,000 penalty plus actual economic damages, court costs, and full reasonable attorneys fees.

Sec. 45.48.600 - .690 – Factual Declaration of Innocence After Identity Theft; Right to File Police Report.

This article contains provisions that allow a victim of identity theft to petition the Alaska Superior Court for a declaration that the individual is factually innocent of the crime if the perpetrator was arrested, cited, or convicted of the crime.  The court has broad discretion to make a determination based on declarations, affidavits, or other relevant material.  This section also allows the Department of Law to establish and maintain a database of individuals who have been the victims of identity theft and who have been declared innocent of the crime.

There is also a provision that allows a person who has learned or reasonable suspects that she has been the victim of identity theft to file a police report with the local law enforcement agency, even if the agency does not have jurisdiction over the identity theft.

Sec. 45.48.750 – Truncation of Card Information.

This article contains provisions that prohibit the printing of more than the last four digits of a credit or debit card number on any receipt provided at the point of sale.  In addition, a person may not sell a device that electronically prints more than the last four digits of a credit or debit card.

Knowing violations of this section are subject to a $3,000 penalty plus actual economic damages, court costs, and full reasonable attorneys fees.

For a full text of the law, visit the Alaska State Legislature's infobase under 2008 Alaska Statute 45.48