On Wednesday, July 1, 2009, the recently enacted Alaska and South Carolina notice of security breach laws will take effect. Alaska and South Carolina join forty-three other jurisdictions with notice of security breach laws. Some of the key provisions of these laws are described below.

The “Trigger Event”

Both laws require businesses to provide notice of security breaches when an unauthorized person acquires unencrypted computerized “personal information.” Alaska is one of six states that also requires notice in response to the unauthorized acquisition of paper records containing personal information. Under both laws, personal information includes the affected individual’s first name or initial and last name, plus social security number, driver’s license number, or credit or debit card or financial account number in combination with any required security code.

The “Harm Requirement”

In Alaska, notice is not required, if, after an investigation and notice to the Attorney General, the business determines that there is not a reasonable likelihood of harm to the consumer. Likewise, the South Carolina law does not require businesses to notify residents if illegal use of the information has not occurred, or is not reasonably likely to occur, or if use of the information does not create a material risk of harm to the resident.

Required Notices To Third Parties

If an entity is required to notify 1,000 or more Alaska residents, it also must provide the three national credit bureaus (such as TransUnion®, Experian®, and Equifax®) with the timing, distribution, and content of the notices to state residents.

If a business is required to notify 1,000 or more South Carolina residents of a security breach, that entity must notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs as well as the national credit bureaus.

Penalties

Both statutes provide stiff penalties for businesses that fail to provide the required notice to affected individuals. In Alaska, offending business are subject to a civil penalty of up to $500 per resident not notified, with the total penalty capped at $50,000. Moreover, the offending business may be held liable for any actual economic damages suffered by affected individuals as a result of the failure to provide notice.

In South Carolina, businesses that fail to provide notice to affected individuals are subject to civil lawsuits by residents who are injured. Injured individuals may also recover attorneys’ fees and court costs, if successful. Moreover, the law permits the Department of Consumer Affairs to administratively fine knowing and willful violators $1,000 for each resident whose information was accessible by reason of the breach.

Scope Of Alaska’s New Law

In addition to the notice of security breach law, Alaska enacted a comprehensive statute involving protection of social security numbers, care of records, disposal of records and security freezes.

This entry was written by Katherine Dix.