Alaska Cybersecurity Laws You Should Know (2026)

Although Alaska does not yet have a comprehensive state privacy law, it does enforce data breach notification requirements and other sector-specific cybersecurity standards. For businesses handling personal information in the state, staying compliant with Alaska cybersecurity laws helps protect consumers and avoid enforcement actions. Below is a detailed explanation of the key laws that apply in 2026.

Alaska Cybersecurity and Privacy Laws

Alaska Personal Information Protection Act (APIPA) – Data Breach Notification (AS 45.48)

Alaska’s core cybersecurity statute governing breach notifications is the Alaska Personal Information Protection Act (APIPA), codified at AS 45.48.010–090. It applies to persons and entities that own or license personal information about Alaska residents.

  • Breach disclosure requirements: If a covered person discovers a breach of security involving personal information, they must notify affected residents in the most expeditious time possible and without unreasonable delay. Notice may be delayed to investigate or restore systems, or if law enforcement determines notice would interfere with a criminal investigation.
  • Harm exception: Notification is not required if, after an appropriate investigation and written notice to the Alaska Attorney General, the entity determines there is no reasonable likelihood that harm has occurred or will occur. Documentation of this determination must be retained for five years.
  • Methods of notice: Written notice is required, but electronic notification may be acceptable if consistent with the entity’s communication practices.
  • Large breach reporting: If more than 1,000 Alaska residents must be notified, the entity must also notify all nationwide consumer credit reporting agencies with timing and content details of the consumer notices.
  • Enforcement and penalties: Failure to provide required notice is treated as an unfair or deceptive act or practice under Alaska consumer protection law (AS 45.50) and may carry civil remedies and other penalties.

Personal information generally includes a resident’s name in combination with Social Security number, driver’s license or state ID number, account number with access code, password, or other unique identifiers.

Alaska Consumer Personal Information Privacy Act (Proposed/Updating)

The Alaska legislature has been advancing a Consumer Personal Information Privacy Act that creates notice and transparency requirements for businesses before collecting consumer personal data, establishes rights to access or deletion, and introduces data  While not fully codified yet statewide, this reflects a broader trend toward privacy governance in the state.

(Note: Depending on legislative action in 2025–2026, additional privacy obligations may become effective. Businesses should monitor the Alaska Legislature and Attorney General guidance for updates.)

Insurance-Specific Cybersecurity Requirements (SB 134)

In 2024, Alaska enacted SB 134, establishing insurance data security requirements within Alaska Statute AS 21.23. The requirements take effect on a staggered schedule, with effective dates of January 1, 2025, January 1, 2026, and January 1, 2027. They require:

  • Data security standards for licensees and admitted insurers
  • Investigation and reporting of cybersecurity events
  • Annual certifications of compliance
  • Notification requirements to independent producers and regulators

This makes Alaska one of the states with insurance-sector cybersecurity mandates, similar to model laws adopted by other U.S. states.

Federal and Industry-Specific Cybersecurity Regulations That Affect Alaska Businesses

Because Alaska lacks a broad state data privacy law, many organizations must also comply with federal cybersecurity and data protection laws that apply nationwide:

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS applies to Alaska businesses that process credit card transactions. Compliance requires encryption, firewalls, and continuous vulnerability scanning to protect payment data.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA applies to Alaska healthcare providers and business associates that handle protected health information (PHI). It mandates strict administrative, physical, and technical safeguards for protecting patient data.

Gramm-Leach-Bliley Act (GLBA)

Financial institutions in Alaska must comply with GLBA, which requires written information security programs and transparent consumer privacy notices.

General Data Protection Regulation (GDPR)

GDPR applies to Alaska businesses that collect or process personal data of EU residents. It requires explicit consent, the right to erasure, and transparency in data use.

Cybersecurity Requirements for Financial Services Companies (NYDFS 23 NYCRR 500)

Alaska financial institutions operating in New York must comply with NYDFS cybersecurity regulations requiring encryption, multifactor authentication, and timely reporting of cyber incidents.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework provides best practices that many Alaska organizations follow to identify, protect, detect, respond to, and recover from cyber incidents.

Federal Trade Commission (FTC) Act

Under the FTC Act, Alaska businesses must maintain reasonable cybersecurity protections and cannot mislead consumers about data security practices.

Children’s Online Privacy Protection Act (COPPA)

If your Alaska business collects data from children under 13, COPPA applies. It requires verified parental consent and restricts data sharing.

Sarbanes-Oxley Act (SOX)

Publicly traded companies in Alaska must comply with SOX, ensuring accurate financial reporting and internal control integrity.

Family Educational Rights and Privacy Act (FERPA)

FERPA applies to Alaska schools and education vendors, protecting student data and requiring consent before disclosure.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

CIRCIA requires critical infrastructure organizations, such as those in energy, technology, and manufacturing, to report significant cyber incidents to CISA within 72 hours.

CAN-SPAM Act

The CAN-SPAM Act governs commercial email marketing practices, requiring truthful subject lines, accurate sender information, and opt-out options.

Defense Federal Acquisition Regulation Supplement (DFARS)

Alaska defense contractors must comply with DFARS cybersecurity requirements aligned with NIST SP 800-171, ensuring data protection for controlled unclassified information.

Section 5 of the FTC Act (Unfair or Deceptive Practices)

Section 5 prohibits deceptive or negligent cybersecurity practices, holding Alaska businesses accountable for protecting consumer information and privacy.

Best Practices for Alaska Businesses

Even without a comprehensive state privacy law, Alaska businesses should adopt cybersecurity best practices to reduce risk and demonstrate compliance with breach notification and federal requirements:

  • Conduct regular risk assessments and penetration testing
  • Implement access controls, encryption, and multi-factor authentication
  • Maintain written incident response plans and breach notification procedures
  • Train employees on phishing, social engineering, and secure handling of personal data
  • Document breach investigations and the rationale for any risk-of-harm determinations

Adopting recognized frameworks like NIST, CIS Controls, or ISO 27001 helps establish strong governance and can support legal defenses if a breach occurs.

Conclusion

Alaska’s cybersecurity landscape is evolving. While it does not yet have a broad state privacy law, it imposes strict data breach notification requirements under APIPA, is expanding privacy protections through legislative proposals, and has new insurance-sector cybersecurity rules taking effect in 2026.

Staying compliant with these laws, and aligning with federal security standards, helps protect your customers, avoid penalties, and strengthen your organization’s security posture.

Frequently Asked Questions About Alaska Cybersecurity Laws

  1. What is Alaska’s main cybersecurity law?
    The Alaska Personal Information Protection Act (APIPA) requires companies to notify residents of data breaches involving personal information without unreasonable delay.
  2. How quickly must Alaska businesses notify residents after a breach?
    Notification must occur in the most expeditious time possible and without unreasonable delay once the breach is discovered and the scope is understood.
  3. Do Alaska businesses have to notify consumer reporting agencies?
    Yes. If a breach affects 1,000 or more Alaska residents, the entity must also notify nationwide consumer reporting agencies.
  4. What new cybersecurity requirements are taking effect in Alaska in 2026?
    The insurance data security statute (SB 134) includes new data security and reporting requirements for insurance licensees, with portions effective January 1, 2026.
  5. Does Alaska have a comprehensive privacy law like California’s CCPA/CPRA?
    No comprehensive privacy law is currently in force, but Alaska is considering a Consumer Personal Information Privacy Act that would add broader notice, access, and deletion requirements.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.

Mitch Wolverton

Mitch, Marketing Manager at PivIT Strategy, brings many years of marketing and content creation experience to the company. He began his career as a content writer and strategist, honing his skills on some of the industry’s largest websites, before advancing to specialize in SEO and digital marketing at PivIT Strategy.