Alaska passed a breach notification law in June, making it state number 44 to do so. As most are aware by now, Alaska’s new law, Alaska Stat. § 45.48.010 et seq., includes breach notification requirements, restrictions on use of Social Security numbers, and allows consumers to place a security [deep] freeze on their credit reports. Notification of a breach is not required if, after an appropriate investigation and written notification to Alaska’s attorney general, the covered entity determines that there is not a reasonable likelihood that harm to consumers has resulted or will result from the breach. By popular demand, following is our updated list of security breach notification laws.

On Monday, the Court of Appeal, Second Appellate District upheld the validity of California’s “security freeze” law, section 1785.11.2 of the California Civil Code, but nonetheless enjoined under the First Amendment its application to the U.D. Registry (“U.D.”), a provider of credit reports drawn in material part from public records.  U.D. Registry, Inc. v. State of California, B179653 & B186012 (October 30, 2006).

California’s Security Freeze Law

Section 1785.11.2, authored by Senator Debra Bowen, was enacted to enhance protection of consumers from identity theft by allowing them to place fraud alerts on their credit reports and to prevent or control the release of those reports, and by prohibiting specified government and business uses of social security numbers.

The security freeze law provides, among other things, that “[a] consumer may elect to place a security freeze on his or her credit report by making a request in writing by certified mail to a consumer credit reporting agency.”  If such a security freeze is in place, “information from a consumer’s credit report may not be released to a third party without prior express authorization from the consumer.”  A consumer credit reporting agency has five business days to place a freeze on a credit report after receiving a written request.

Section 1785.11.2 was intended in part to shift some of the identity theft burden from consumers to credit reporting agencies.  Also of concern to California lawmakers, as noted by the U.D. Registry court, was “a consumer’s right to control the use of his or her personal and financial information.”