Alaska Security Breach Law Required “Expeditious” Personal Notification To Residents

Democratic candidate for governor Les Gara issued a press release this morning writing that the state of Alaska was required to personally notify all Alaskans by email or text what personal information was stolen in the Alaska DHSS cyberattack.

“It’s been four months, and Alaskans still don’t know what information was stolen, or whether they need to freeze their credit so their finances can be protected,” said Gara.

Gara's press release about the cyberattack is below.

FOR IMMEDIATE RELEASE

September 17, 2021

Alaska Security Breach Required “Expeditious” Personal Notification To Residents

2008 Law Written by Reps. Gara and Coghill Requires Notification To Residents So They Can Seek Credit Freeze, Protect Their Finances & Personal Information

Yesterday the State revealed it has known that significant “personal information” of Alaskans, including their Social Security Numbers, was possibly stolen. Under a privacy and consumer protection law passed in 2008, written and sponsored by then-Reps. Les Gara and John Coghill, the State was required to personally notify all Alaskans by e-mail or text what information was stolen. The State is required to investigate a breach, and inform Alaskans, in “the most expeditious time possible”. Currently the state says it won’t send out notices to Alaskans until September 27 or later about a breach that has been known about since May.

“It’s been four months, and Alaskans still don’t know what information was stolen, or whether they need to freeze their credit so their finances can be protected,” said Gara. “The state mentions “Federal laws”, but not our own state law protections it may have violated, or the state’s potential liability. “Delay of another ten days, on a breach the State has known about for months, puts people and their finances at potential risk,” said Gara.

"Alaskans deserve to know whether they should be concerned about their finances, and whether thieves might take our loans or credit under their names. That information is required to be sent to Alaskans directly, not in a press release most people don’t read,“ said Gara.

“Citizens have a right to know what information has been stolen,” said Gara. Under Gara and Coghill’s legislation, Alaska Law 45.48.010, and 45.48.090(7), the State has a duty to directly inform residents when their name, along with a Social Security Number, Drivers License Number, State ID, financial account or credit card number, or personal  identification or security code information, may have been stolen.

The state is only allowed to delay telling consumers if it would interfere with a criminal investigation. “A four-month delay raises a lot of questions that should be answered,” said Gara.

“Information that the state’s website was breached was revealed four months ago. Those who stole this information knew the breach had been made public in May. They knew they were likely being investigated. It’s hard to see how informing Alaskans that their personal information was stolen could have compromised an investigation. Regardless, even today the state says it still won’t notify Alaskans for another 10 – 15 days. That’s not ‘expeditious,’” said Gara.

Alaska’s Information Security Breach laws can be found in House Bill 65, Section 4 and Alaska Statute 45.48.010 - 990.

https://www.govtech.com/security/alaska-house-passes-personal-information-protection.html

Contact: Les Gara can be contacted at lesgara@gmail.com or 907-250-0106.

###