Alaska Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Alaska's data breach notification law took effect on July 1, 2009, making it one of the later states to adopt breach notification requirements. What sets Alaska apart from most states is its private right of action provision, which allows individual consumers to take companies to court for failing to provide proper breach notification.
The law is part of Alaska's Personal Information Protection Act, codified at AS 45.48.010 through 45.48.090. It applies to any person or entity that owns, licenses, or maintains personal information about Alaska residents, regardless of where the business is located.
For a broader overview of privacy protections in the state, see the parent guide to [Alaska Data Privacy Laws](/us-laws/data-privacy-laws/alaska-data-privacy-laws).
Who Must Comply with Alaska's Breach Notification Law
The statute applies broadly to two categories of entities that it calls "covered persons":
- Businesses and organizations that own, license, or maintain personal information about Alaska residents in the course of business
- Government agencies at the state and local level that collect or maintain personal information
Third parties also have obligations. If you maintain personal information on behalf of another entity and discover a breach, you must notify the information owner "immediately" and cooperate by sharing relevant details about the breach. The only exception is that you do not have to share confidential business information or trade secrets.
The law applies regardless of where the business is physically located. If you hold personal information on Alaska residents, you are subject to the notification requirement.
What Triggers a Notification Obligation
A breach of security under AS 45.48.090 means the unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the data.
The word "acquisition" is defined broadly. It includes obtaining data through:
- Digital means (hacking, unauthorized access to a computer system)
- Photocopying or facsimile
- Any other paper-based method
- Devices including computers and radio frequency identification (RFID) readers

What Counts as Personal Information
Alaska defines protected personal information as an individual's name (first name or first initial and last name) combined with one or more of the following data elements, when not encrypted or redacted:
| Data Element | Example |
|---|---|
| Social Security number | Full or partial SSN |
| Driver's license or state ID number | Alaska DL or ID card number |
| Financial account number | Bank account, credit card, or debit card number with any required security code, access code, PIN, or password |
This definition is narrower than many other states. Alaska's law does not cover biometric identifiers, medical records, health insurance information, email credentials, or taxpayer identification numbers. For information about Alaska's approach to biometric data, see Alaska Biometric Privacy Laws.
The Encryption Safe Harbor
If the personal information was encrypted at the time of the breach and the encryption key was not accessed or acquired by the unauthorized party, notification is not required. The same applies to data that has been redacted.
This safe harbor gives businesses a strong incentive to encrypt personal information at rest and in transit. If you can demonstrate that encryption was intact and keys were not compromised, you avoid the entire notification process.
Notification Timeline and Process
How Quickly You Must Notify
Alaska does not set a hard deadline in days. Instead, the statute requires disclosure "in the most expedient time possible and without unreasonable delay." This flexible standard allows time to:
- Determine the scope of the breach
- Restore the reasonable integrity of the information system
- Comply with any law enforcement delay request
While the law does not specify a number of days, "most expedient time possible" has real teeth. The Alaska Attorney General can take enforcement action if a covered person delays notification beyond what is reasonable under the circumstances.
Methods of Notification
Under AS 45.48.030, notification must be delivered through one of these methods:
Written notice sent directly to the affected individual.
Electronic notice that complies with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. 7001).
Substitute notice is available when:
- The cost of direct notification exceeds $150,000
- The affected class exceeds 300,000 residents
- The entity lacks sufficient contact information
Substitute notice requires all three of the following: email notification (where an address is available), conspicuous posting on the entity's website, and notification to major statewide media outlets.
Consumer Reporting Agency Notification
If a breach affects more than 1,000 Alaska residents, the entity must also notify all nationwide consumer reporting agencies. This notification must include the timing, distribution, and content of the notices sent to consumers. Entities subject to the Gramm-Leach-Bliley Act (GLBA) are exempt from this consumer reporting agency notification requirement.
The Harm Threshold Exception
Alaska's law includes a notable exception. An entity may avoid sending consumer notifications if, after an appropriate investigation, it determines there is "not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result."
To use this exception, the entity must:
- Conduct an appropriate investigation
- Provide written notification to the Alaska Attorney General explaining the determination
- Document the determination in writing
- Retain that documentation for five years
This is the only situation where notification to the Attorney General is required under the statute. Alaska does not require routine AG notification for every breach.
Law Enforcement Delay
Under AS 45.48.020, an information collector may delay notification if a law enforcement agency determines that disclosure would interfere with a criminal investigation. The delay lasts only as long as law enforcement determines is necessary.
Penalties and Enforcement
Government Agency Violations
A government agency that violates the notification requirements faces a civil penalty of up to $500 per resident who was not notified, with a total cap of $50,000 per breach.
Non-Government Entity Violations
For private businesses and organizations, a violation of the breach notification law is treated as an unfair or deceptive act or practice under Alaska's Unfair Trade Practices and Consumer Protection Act (AS 45.50.471-561). This means the Attorney General can pursue enforcement using the full range of consumer protection remedies.
However, the statute places specific limits:
- The entity is not subject to the general civil penalties under AS 45.50.551
- Instead, the entity faces a civil penalty of up to $500 per unnotified resident, capped at $50,000 total
- Damages awarded to individuals are limited to actual economic damages not exceeding $500 per person
Private Right of Action
This is where Alaska's law stands out. Under AS 45.48.080, an individual whose personal information was involved in a breach may bring a civil action to:
- Recover damages suffered as a result of the violation
- Obtain an injunction to stop further violations by the information collector

Damages are limited to actual economic damages up to $500, plus court costs and attorney's fees. While the per-person cap is modest, the right to sue directly without waiting for the Attorney General to act is significant. Only about 12 states provide this type of private right of action for breach notification violations.
The rights and remedies under this section are in addition to any other rights or remedies available under other laws.
Waivers Are Void
Under AS 45.48.060, any waiver of the protections in AS 45.48.010 through 45.48.090 is void and unenforceable. A business cannot make consumers sign away their breach notification rights through terms of service, contracts, or other agreements.
Alaska AG Enforcement in Action
Alaska has participated in several major multistate data breach enforcement actions:
Blackbaud Settlement (2023): Alaska joined 49 other states in a $49.5 million settlement with Blackbaud Inc. over a 2020 ransomware attack that exposed personal information of millions of consumers. Alaska received $358,925. The AG found that Blackbaud had failed to implement reasonable data security measures and did not provide timely or complete breach notifications.
Marriott Settlement (2024): Alaska joined a $52 million multistate settlement with Marriott International over data breaches in the Starwood guest reservation system that went undetected from 2014 to 2018, exposing records of 131.5 million U.S. customers. Alaska received $376,629. Marriott agreed to implement a comprehensive information security program with zero-trust principles, multi-factor authentication, and independent third-party security audits every two years for 20 years.
Equifax Settlement (2019): Alaska was part of the 50-state, $600 million settlement with Equifax over the 2017 breach that exposed personal data of approximately 147 million Americans.

Interaction with Federal Laws
Alaska's breach notification law operates alongside federal data security regulations:
GLBA (Gramm-Leach-Bliley Act): Financial institutions covered by GLBA are exempt from the consumer reporting agency notification requirement in AS 45.48.040, but must still comply with the core notification obligations to affected individuals.
HIPAA: The statute does not contain a specific HIPAA exemption. Healthcare entities covered by HIPAA must comply with both federal breach notification rules under the HITECH Act and Alaska's state notification requirements, though the narrower definition of personal information in Alaska's law means HIPAA-covered health data alone would not trigger the state statute.
SB 134 Insurance Data Security (2024): Alaska enacted SB 134 establishing data security and breach reporting requirements for insurance licensees under AS 21.23, with provisions taking effect on a staggered schedule from January 1, 2025 through January 1, 2027. This supplements, rather than replaces, the general breach notification requirements.
What to Do if You Experience a Data Breach in Alaska
If you believe your personal information was compromised in a data breach, take these steps:
- Document what you received. Save any breach notification letters or emails. Note the date you received them and the date the company says the breach occurred.
- Place a fraud alert or credit freeze. Contact any one of the three major credit bureaus (Equifax, Experian, or TransUnion) to place a fraud alert, which lasts one year. For stronger protection, place a credit freeze with all three bureaus.
- Monitor your accounts. Watch bank statements, credit card statements, and credit reports closely for unauthorized activity.
- File a complaint. If a company failed to notify you of a breach or delayed notification unreasonably, you can file a complaint with the Alaska Attorney General's Consumer Protection Unit.
- Consider legal action. Alaska's private right of action means you can consult with an attorney about filing a civil lawsuit to recover actual economic damages if a company violated the notification requirements.
Sources and References
This article references Alaska statutes and official government publications. For the full text of Alaska's Personal Information Protection Act, visit the Alaska State Legislature website. For consumer protection resources and breach complaint forms, visit the Alaska Department of Law Consumer Protection Unit.
This article provides general legal information about Alaska data breach notification laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Alaska government sources.
Sources and References
- Alaska Personal Information Protection Act (AS 45.48.010-090) (akleg.gov)
- AS 45.48.090 - Definitions (akleg.gov)
- AS 45.48.030 - Methods of Disclosure (akleg.gov)
- AS 45.48.020 - Delay of Disclosure (akleg.gov)
- AS 45.48.080 - Violations (akleg.gov)
- AS 45.48.060 - Waivers (akleg.gov)
- Alaska Unfair Trade Practices Act (AS 45.50.471-561) (akleg.gov)
- E-SIGN Act (15 U.S.C. 7001) (govinfo.gov)
- Gramm-Leach-Bliley Act (ftc.gov)
- AG Settlement with Blackbaud (2023) (law.alaska.gov)
- AG Settlement with Marriott (2024) (law.alaska.gov)
- AG Settlement with Equifax (2019) (law.alaska.gov)
- Alaska AG Consumer Protection Complaint Form (law.alaska.gov)
- Alaska SB 134 Insurance Data Security (commerce.alaska.gov)