Breach Notification Timelines — Alaska: Expeditious Notice, 1,000+ CRA Trigger & AG “No-Harm” Filing

Jurisdiction: Alaska (Alaska Personal Information Protection Act, “APIPA”).

Focus: breach notification timelines and operational requirements for businesses and public agencies handling Alaskan residents’ personal information.

Key takeaway: Alaska does not impose a fixed day-count to notify individuals. Notices must be sent in the most expeditious time possible and without unreasonable delay, with limited law-enforcement delay permitted. Special notices apply if 1,000+ residents are affected and when an entity uses the risk-of-harm exception (written notice to the Attorney General and five-year recordkeeping).

1) Who must comply

APIPA applies broadly to any covered person that owns or licenses personal information on Alaska residents. “Covered person” includes (a) a person doing business; (b) a governmental agency; or (c) a person with more than ten employees. Alaska uses the terms information collector (the owner/licensor of PI) and, for certain duties, information distributor and information recipient.

2) What triggers notice (breach + personal information)

A “breach of the security” means unauthorized acquisition—or reasonable belief of such—of personal information that compromises its security, confidentiality, or integrity. Acquisition can occur by physical copying, electronic means, or other methods.

“Personal information” (PI) is an individual’s first name (or first initial) and last name combined with one or more of the following data elements, when the data are not encrypted or redacted, or are encrypted but the encryption key was accessed or acquired:

• Social Security number;
• Driver’s license number or state ID number;
• Financial account, credit card, or debit card number (in many cases with the security code, PIN, or password that permits account access);
• Passwords, PINs, or other access codes for financial accounts.

Good-faith acquisitions by an employee or agent for the entity’s legitimate purposes are generally excluded if the information is not used improperly.

3) Who must be notified

• Affected Alaska residents. Primary audience for breach notifications.
• Consumer reporting agencies (CRAs). If you must notify more than 1,000 Alaska residents, you must also notify all nationwide CRAs without unreasonable delay, providing the timing, distribution, and content of the notices. (Financial institutions subject to GLBA are exempt from this CRA notice obligation.)
• Alaska Attorney General (AG). If, after an appropriate investigation, you determine there is no reasonable likelihood of harm and therefore you will not notify residents, you must send a written notice to the AG and maintain your written determination for five years.

4) Timelines and allowable delays

5) How to notify (methods, substitute notice)

Alaska authorizes three methods:

1. Written notice sent to the resident’s last known postal address.
2. Electronic notice if it is your primary communication channel or if compliant with the federal E-SIGN Act.
3. Substitute notice only if you can show that (a) direct notice would cost more than $150,000; or (b) the affected class exceeds 300,000 residents; or (c) you lack sufficient contact information. Substitute notice consists of: (i) email notice if you have email addresses; (ii) conspicuous posting on your website; and (iii) a notice to major statewide media.

6) Content of the notice

APIPA does not prescribe a rigid form, but best practice is to include:

• a clear description of what happened (date range, systems affected);
• the types of PI involved (e.g., SSNs, account numbers);
• what you have done to contain and remediate;
• how residents can protect themselves (credit reports, fraud alerts, freezes);
• contact points (toll-free number, email, postal address); and
• if applicable, details about complimentary monitoring or identity theft assistance.

7) Third-party/service-provider breaches

When an information recipient (e.g., a service provider) experiences a breach involving PI it received from an information distributor (e.g., the data owner), the recipient must promptly notify the distributor and cooperate by sharing relevant breach information. After that notice, the distributor must carry out the resident-notification duties as though the breach occurred on its own systems.

8) Penalties and enforcement

Violations trigger civil penalties. For both governmental and non-governmental information collectors, the state may seek up to $500 per resident not notified (capped at $50,000 total per incident), plus injunctive relief. For non-government entities, violations are treated as unfair or deceptive acts or practices under the Alaska Unfair Trade Practices Act, with monetary damages limited to actual economic losses (subject to statutory caps).

9) Visual: operational timeline (no fixed day-count)

Quick Guide — Alaska breach notification (300+ words)

FAQ — Alaska breach notification (10)

1. Is there a 30- or 45-day deadline? No. Alaska requires notice “as expeditiously as possible and without unreasonable delay,” with LE delay permitted.
2. Do I have to notify the Attorney General in every breach? No. AG notice is required only if you decline to notify residents because you determine there is no reasonable likelihood of harm; keep your written determination for five years.
3. What if more than 1,000 residents are affected? Notify all nationwide CRAs without unreasonable delay and provide them the timing, distribution, and content of the resident notices.
4. Can I email notices? Yes, if email is your primary channel with the resident or if the notice complies with E-SIGN. Otherwise use postal mail. Substitute notice is available if statutory thresholds are met.
5. What if the police ask me to hold off? You may delay while LE determines notice would interfere with an investigation. Once LE gives written clearance, notify without unreasonable delay.
6. Is encrypted data exempt? Yes, generally; however, if the encryption key was accessed/acquired, the safe harbor may not apply.
7. Do vendors have to notify my customers? The service provider must promptly notify you and cooperate. The legal duty to notify residents attaches to the information distributor (data owner).
8. Does Alaska define required notice content? No. Use best practices: what happened, what data, what you’re doing, what residents can do, and how to contact you.
9. What about non-Alaska residents? Apply the law of each resident’s state. For a multi-state event, coordinate notices to meet the most stringent overlapping requirements.
10. What are the penalties? Up to $500 per resident not notified (max $50,000 incident cap) and injunctive relief; for private entities, violations are unfair or deceptive acts with damages limited to actual economic loss.

Technical basis and legal sources (Alaska)

This summary is based on Alaska statutes addressing breach disclosure, allowable delay, notice methods, CRA notice threshold, definitions, service-provider duties, and penalties. See citations below.

• Disclosure and timing; harm-threshold/AG notice; 5-year recordkeeping.
• Allowable LE delay.
• Notice methods and substitute notice thresholds.
• CRA notice (1,000+); GLBA exemption for CRA notice (practice guidance).
• Definitions of covered person, breach, personal information.
• Service-provider/distributor-recipient duties.
• Penalties and UDAP treatment.

Conclusion

In Alaska, speed and documentation drive compliance. Because there is no fixed day-count, regulators will examine whether you acted expeditiously and whether any delay was truly necessary to scope the incident, restore integrity, or comply with a written law-enforcement hold. When you decide resident notice is unnecessary, document the analysis, notify the AG in writing, and retain the file for five years. If 1,000+ residents are affected, remember your CRA notices. Establish vendor obligations up front, rehearse your substitute-notice playbook, and keep precise records—those are the levers that convert a chaotic incident into a compliant response in Alaska.