00 SENATE BILL NO. 134 01 "An Act relating to insurance data security; amending Rule 26, Alaska Rules of Civil 02 Procedure, and Rules 402 and 501, Alaska Rules of Evidence; and providing for an 03 effective date." 04 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA: 05  * Section 1. AS 21.96 is amended by adding new sections to read: 06 Sec. 21.96.250. Risk assessment. (a) A licensee shall conduct a risk 07 assessment to evaluate the security and confidentiality of nonpublic information. In 08 conducting the risk assessment, the licensee shall 09 (1) identify reasonably foreseeable internal or external threats in each 10 area of the licensee's operations that could result in unauthorized access, transmission, 11 disclosure, misuse, alteration, or destruction of nonpublic information, including the 12 security of information systems and nonpublic information that are accessible to, or 13 held by, third-party service providers; 14 (2) assess the likelihood and potential damage of the threats identified 01 in (1) of this subsection, taking into consideration the sensitivity of nonpublic 02 information; and 03 (3) assess the sufficiency in each area of the licensee's operations of 04 the licensee's policies, procedures, information systems, and other safeguards in place 05 to manage the threats identified in (1) of this subsection, including the areas of 06 (A) employee training and management; 07 (B) network and software design, information classification, 08 governance, processing, storage, transmission, and disposal; and 09 (C) detecting, preventing, and responding to attacks or 10 intrusions on information systems and nonpublic information, or other 11 information system failures. 12 (b) A licensee shall use the licensee's risk assessment to design the licensee's 13 information security program required under AS 21.96.260(a). 14 Sec. 21.96.260. Information security program. (a) A licensee shall develop, 15 implement, and maintain a comprehensive written information security program based 16 on the licensee's risk assessment conducted under AS 21.96.250(a). A licensee shall 17 designate one or more employees, an outside vendor, or a third-party service provider 18 to act on behalf of the licensee as the person responsible for the licensee's information 19 security program. 20 (b) A licensee's information security program must 21 (1) contain administrative, technical, and physical safeguards to protect 22 the security and confidentiality of nonpublic information and the security of the 23 licensee's information system; 24 (2) protect against a threat or hazard to the security or integrity of 25 nonpublic information and the information system; 26 (3) protect against unauthorized access to or use of nonpublic 27 information and minimize the likelihood of harm to a consumer; 28 (4) establish and periodically reevaluate a schedule for retention of 29 nonpublic information; and 30 (5) establish and implement a mechanism for the destruction of 31 nonpublic information when the information is no longer needed. 01 (c) In developing, implementing, and maintaining a licensee's information 02 security program, the licensee shall 03 (1) based on the licensee's risk assessment conducted under 04 AS 21.96.250(a), implement the following security measures if the licensee 05 determines that the security measure is appropriate: 06 (A) place and use effective access controls on information 07 systems, including controls to authenticate and permit access only by 08 authorized individuals, to protect against the unauthorized acquisition of 09 nonpublic information; the controls may include multi-factor authentication 10 procedures; 11 (B) identify and manage the data, personnel, devices, 12 information systems, and facilities that enable the organization to achieve its 13 business objectives in accordance with the relative importance of the data, 14 personnel, devices, information systems, and facilities to the organization's 15 business objectives and risk strategy; 16 (C) allow only authorized individuals to access physical 17 locations containing nonpublic information; 18 (D) protect by encryption or other appropriate means nonpublic 19 information transmitted over an external network or stored on a laptop 20 computer or other portable computing or storage device or media; 21 (E) adopt secure development practices for applications used 22 by the licensee that are developed in-house; the licensee shall adopt procedures 23 for evaluating, assessing, or testing the security of externally developed 24 applications used by the licensee; 25 (F) modify information systems in accordance with the 26 licensee's information security program; 27 (G) regularly test and monitor information systems and 28 procedures to detect actual and attempted attacks on, or intrusions into, 29 information systems; 30 (H) include audit trails inside the information security program 31 that are designed to detect and respond to cybersecurity events and to 01 reconstruct material financial transactions sufficient to support normal 02 operations and obligations of the licensee; 03 (I) implement measures to protect against destruction, loss, or 04 damage of nonpublic information caused by environmental hazards, including 05 fire and water damage, or other catastrophes or technological failures; and 06 (J) develop, implement, and maintain procedures for the secure 07 disposal of nonpublic information in any format; 08 (2) determine the cybersecurity risks to include in the licensee's risk 09 management process; 10 (3) stay informed of emerging threats or vulnerabilities and, when 11 sharing information, use reasonable security measures in accordance with the 12 character of the sharing and the type of information shared; 13 (4) include cybersecurity risks in the licensee's enterprise risk 14 management process; 15 (5) provide personnel of the licensee with cybersecurity awareness 16 training that is updated as necessary to reflect the risks identified in the risk 17 assessment; 18 (6) implement information safeguards to manage the threats identified 19 in a risk assessment, and, not less than once a year, assess the effectiveness of the key 20 controls, information systems, and procedures of the safeguards; 21 (7) exercise due diligence in selecting a third-party service provider; 22 (8) require a third-party service provider to implement appropriate 23 administrative, technical, and physical measures to protect and secure the information 24 systems and nonpublic information that are accessible to, or held by, the third-party 25 service provider; 26 (9) monitor, evaluate, and adjust, as appropriate, the information 27 security program consistent with relevant changes in technology, the sensitivity of its 28 nonpublic information, internal or external threats to nonpublic information, and the 29 licensee's own changing business arrangements, including mergers, acquisitions, 30 alliances, joint ventures, outsourcing arrangements, and changes to information 31 systems; and 01 (10) establish a written incident response plan designed to promptly 02 respond to, and recover from, a cybersecurity event that compromises the 03 confidentiality, integrity, or availability of nonpublic information in the licensee's 04 possession, the licensee's information systems, or the continuing functionality of an 05 aspect of the licensee's business or operations; the incident response plan must address 06 the following: 07 (A) the internal process for responding to a cybersecurity 08 event; 09 (B) the goals of the incident response plan; 10 (C) the definition of clear roles, responsibilities, and levels of 11 decision-making authority; 12 (D) the licensee's internal process used for external and internal 13 communication and information sharing; 14 (E) the identification of requirements for the remediation of an 15 identified weakness in information systems and associated controls; 16 (F) the documentation and reporting of cybersecurity events 17 and related incident response activities; and 18 (G) the evaluation and revision as necessary of the incident 19 response plan following a cybersecurity event. 20 (d) A licensee's board of directors or an appropriate committee of the 21 licensee's board of directors shall, at a minimum, require that 22 (1) the licensee's executive management or the executive 23 management's delegate develop, implement, and maintain the licensee's information 24 security program; and 25 (2) at least once a year, the licensee's executive management or the 26 executive management's delegate report to the licensee's board of directors or an 27 appropriate committee of the licensee's board of directors the following in writing: 28 (A) the overall status of the information security program and 29 the licensee's compliance with AS 21.96.250 - 21.96.399; and 30 (B) material matters related to the information security 31 program, including risk assessment, risk management and control decisions, 01 third-party service provider arrangements, results of testing, cybersecurity 02 events or violations, management's responses to the cybersecurity events or 03 violations, and recommendations for changes in the information security 04 program. 05 (e) If a licensee's executive management meets a requirement under (d) of this 06 section through a delegate, the executive management shall oversee the development, 07 implementation, and maintenance of the licensee's information security program 08 prepared by the delegate. The delegate shall provide a report to the executive 09 management that complies with the requirements of (d)(2) of this section. 10 (f) Each licensee who is an insurer domiciled in this state shall 11 (1) submit to the director a written statement by February 15 of each 12 year certifying that the insurer is in compliance with the requirements under 13 AS 21.96.250 and this section; 14 (2) maintain and allow the director to examine for a period of five 15 years after the insurer submits the written statement described in (1) of this subsection 16 all records, schedules, and data supporting the written statement; and 17 (3) provide documentation of any areas, information systems, or 18 processes that the insurer has identified as requiring material improvement, updating, 19 or redesign, and provide documentation of the remedial efforts planned and underway 20 to address the areas, information systems, or processes; the insurer shall make the 21 documentation available for examination by the director at the director's request. 22 (g) In this section, 23 (1) "authorized individual" means an individual known to and screened 24 by the licensee and for whom the licensee has determined access to the nonpublic 25 information held by the licensee and its information systems is appropriate and 26 necessary; 27 (2) "multi-factor authentication" means authentication through 28 verification of at least two of the following types of authentication factors: 29 (A) a knowledge factor, including a password; 30 (B) a possession factor, including a token or text message on a 31 mobile telephone; or 01 (C) an inherence factor, including a biometric characteristic. 02 Sec. 21.96.270. Investigation of cybersecurity event. (a) If a licensee 03 becomes aware that a cybersecurity event has or may have occurred, the licensee or an 04 outside vendor or third-party service provider designated to act on behalf of the 05 licensee shall promptly investigate the cybersecurity event. During the investigation, if 06 the licensee, outside vendor, or third-party service provider determines that a 07 cybersecurity event has occurred, the licensee, outside vendor, or third-party service 08 provider shall, to the extent possible, 09 (1) assess the nature and scope of the cybersecurity event; 10 (2) identify nonpublic information that may have been involved in the 11 cybersecurity event; and 12 (3) perform or oversee reasonable measures to restore the security of 13 the information systems compromised in the cybersecurity event to prevent further 14 unauthorized acquisition, release, or use of nonpublic information in the licensee's 15 possession, custody, or control. 16 (b) If a licensee becomes aware that a cybersecurity event has or may have 17 occurred in an information system maintained by a third-party service provider, the 18 licensee shall, to the extent possible, complete the actions described in (a) of this 19 section or confirm and document that the third-party service provider has completed 20 those actions. 21 (c) A licensee shall maintain records concerning all cybersecurity events for a 22 period of at least five years from the date of the cybersecurity event and shall produce 23 the records at the request of the director. 24 Sec. 21.96.280. Notification of cybersecurity event. (a) A licensee shall 25 notify the director as soon as possible and not later than 72 hours after a licensee 26 determines that a cybersecurity event has occurred, if 27 (1) the licensee is an insurer and domiciled in this state; 28 (2) the licensee is an insurance producer and this state is the licensee's 29 home state as defined in AS 21.27.990; or 30 (3) the licensee reasonably believes that the cybersecurity event 31 involves the nonpublic information of 250 or more consumers residing in this state and 01 the cybersecurity event 02 (A) affects the licensee, and a state or federal law requires the 03 licensee to provide notice of the cybersecurity event to a government agency; 04 or 05 (B) has a reasonable likelihood of materially harming a 06 consumer residing in this state or a material part of the normal operation of the 07 licensee. 08 (b) The notification to the director under (a) of this section must include, to 09 the extent possible and in a form and format prescribed by the director, the following 10 information: 11 (1) the date of the cybersecurity event; 12 (2) a description of how nonpublic information was exposed, lost, 13 stolen, or breached, including the specific roles and responsibilities of third-party 14 service providers, if any; 15 (3) an explanation of how the cybersecurity event was discovered; 16 (4) whether the lost, stolen, or breached nonpublic information has 17 been recovered and, if so, how the nonpublic information was recovered; 18 (5) the identity of the source of the cybersecurity event; 19 (6) whether the licensee has filed a police report, or has notified a 20 regulatory, government, or law enforcement agency about the cybersecurity event and, 21 if so, the time and date that the licensee notified the agency; 22 (7) a description of the specific types of information acquired without 23 authorization, such as medical information, financial information, or information 24 allowing identification of the consumer; 25 (8) the period during which the information system was compromised 26 by the cybersecurity event; 27 (9) the number of total consumers in this state affected by the 28 cybersecurity event; the licensee shall provide the licensee's best estimate in the 29 licensee's initial notification to the director under (a) of this section, and shall update 30 the estimate with each subsequent notification to the director under (c) of this section; 31 (10) the results of an internal review identifying a lapse in either the 01 licensee's automated controls or internal procedures or confirming that the licensee 02 followed all automated controls or internal procedures; 03 (11) a description of efforts the licensee is taking or has taken to 04 remediate the situation that permitted the cybersecurity event to occur; 05 (12) a copy of the licensee's privacy policy and a statement outlining 06 the steps the licensee will take to investigate and notify consumers affected by the 07 cybersecurity event; and 08 (13) the name of a contact person who is familiar with the 09 cybersecurity event and authorized to act on behalf of the licensee. 10 (c) After a licensee provides notice of a cybersecurity event to the director 11 under (a) of this section, the licensee shall, in a form, format, and frequency prescribed 12 by the director, update and supplement the information provided under (b) of this 13 section. 14 (d) In addition to the requirements of this section, a licensee shall comply with 15 all applicable provisions of AS 45.48 (Alaska Personal Information Protection Act). If 16 a licensee is required to notify the director of a cybersecurity event under (a) of this 17 section and is also required to provide notice under AS 45.48, the licensee shall 18 provide to the director a copy of the notice sent to consumers under AS 45.48. 19 (e) If a licensee becomes aware of a cybersecurity event that affects an 20 information system maintained by a third-party service provider of the licensee, the 21 licensee shall comply with the requirements of this section, except that the time 22 prescribed in (a) of this section begins the day after the third-party service provider 23 notifies the licensee of the cybersecurity event or the day after the date the licensee has 24 actual knowledge of the cybersecurity event, whichever is earlier. 25 (f) A licensee acting as an assuming insurer that determines that a 26 cybersecurity event has occurred shall, not later than 72 hours after the determination, 27 notify the licensee's affected ceding insurers and the insurance supervisory official of 28 the licensee's state of domicile if 29 (1) the cybersecurity event involves nonpublic information and the 30 nonpublic information is information used by or in the possession, custody, or control 31 of the licensee acting as an assuming insurer; and 01 (2) the licensee does not have a direct contractual relationship with a 02 consumer affected by the cybersecurity event. 03 (g) A licensee acting as an assuming insurer that receives notification from the 04 licensee's third-party service provider that a cybersecurity event has occurred shall, not 05 later than 72 hours after receiving notification, notify the licensee's affected ceding 06 insurers and the insurance supervisory official of the licensee's state of domicile if the 07 cybersecurity event involves nonpublic information and the nonpublic information is 08 in the possession, custody, or control of the third-party service provider. 09 (h) A ceding insurer notified under (f) or (g) of this section that has a direct 10 contractual relationship with an affected consumer shall comply with this section and 11 all applicable provisions of AS 45.48 (Alaska Personal Information Protection Act). 12 (i) A licensee that is an insurer and that becomes aware that a cybersecurity 13 event involving nonpublic information has occurred shall, as soon as possible and in a 14 form and format prescribed by the director, notify each independent insurance 15 producer of record of a consumer affected by the cybersecurity event if 16 (1) the nonpublic information is in the possession, custody, or control 17 of the licensee or the licensee's third-party service provider; 18 (2) the consumer accessed the insurer's services through the producer; 19 and 20 (3) the insurer has the current producer of record information for the 21 consumer. 22 Sec. 21.96.290. Confidentiality. (a) Any document, material, or information in 23 the possession or control of the division that is provided by a licensee or an employee 24 or agent acting on behalf of a licensee under AS 21.96.260(f) or 21.96.280(b)(2) - (5), 25 (8), (10), or (11) or that is obtained by the director in an investigation or examination 26 under AS 21.96.310 27 (1) is confidential and privileged; 28 (2) is not subject to inspection and copying under AS 40.25.110 - 29 40.25.220; 30 (3) may not be obtained by subpoena or discovery; and 31 (4) is not admissible in evidence in a private civil action. 01 (b) The director may use a document, material, or information described in (a) 02 of this section in a regulatory or legal proceeding brought in the performance of the 03 duties of the director under this title. 04 (c) The director or an individual acting under the authority of the director who 05 receives a document, material, or information described in (a) of this section may not 06 testify about the document, material, or information in a private civil action. 07 (d) In the performance of duties under AS 21.96.250 - 21.96.399, the director 08 may 09 (1) disclose a document, material, or information, including a 10 document, material, or information that is confidential and privileged or subject to (a) 11 of this section, to state, federal, and international regulatory or law enforcement 12 agencies, or to the National Association of Insurance Commissioners and its affiliates 13 or subsidiaries, if the recipient agrees in writing to maintain the confidentiality and 14 privileged status of the document, material, or information; 15 (2) receive a document, material, or information, including a 16 document, material, or information that is confidential and privileged, from the 17 National Association of Insurance Commissioners and its affiliates or subsidiaries, and 18 from state, federal, and international regulatory or law enforcement agencies; the 19 director shall maintain as confidential or privileged the document, material, or 20 information if the entity that provided the director with the document, material, or 21 information requests the director to do so or gives notice to the director that the 22 document, material, or information is confidential or privileged under the law of the 23 jurisdiction supplying it; 24 (3) disclose a document, material, or information that is subject to (a) 25 of this section with a third-party service provider if the third-party service provider 26 agrees in writing to maintain the confidentiality and privileged status of the document, 27 material, or information; and 28 (4) enter into agreements consistent with this section governing the 29 sharing and use of a document, material, or information that is confidential or 30 privileged or subject to (a) of this section. 31 (e) A person does not waive a claim of privilege or confidentiality that the 01 person possesses by providing a document, material, or information to the director 02 under AS 21.96.250 - 21.96.399 or by the disclosure, receipt, or sharing of a 03 document, material, or information under (d) of this section. 04 Sec. 21.96.300. Applicability. (a) AS 21.96.250 and 21.96.260 do not apply to 05 (1) a licensee, including an independent contractor, with fewer than 10 06 employees; 07 (2) a licensee if the licensee is an employee, agent, representative, or 08 designee of another licensee covered by an information security program. 09 (b) AS 21.96.250 - 21.96.399 do not apply to a licensee subject to the Health 10 Insurance Portability and Accountability Act of 1996 (P.L. 104-191) if the licensee 11 (1) has established and maintains an information security program 12 under statutes, regulations, procedures, or guidelines established under the Health 13 Insurance Portability and Accountability Act of 1996 (P.L. 104-191); 14 (2) is in compliance with the statutes, regulations, procedures, and 15 guidelines established under the Health Insurance Portability and Accountability Act 16 of 1996 (P.L. 104-191); and 17 (3) submits to the director a written statement certifying that the 18 licensee is in compliance with the statutes, regulations, procedures, and guidelines 19 established under the Health Insurance Portability and Accountability Act of 1996 20 (P.L. 104-191). 21 (c) If a licensee no longer qualifies for an exception to the applicability of 22 AS 21.96.250 - 21.96.399 under this section, the licensee shall comply with 23 AS 21.96.250 - 21.96.399 within 180 days after the licensee no longer qualifies for the 24 exception. 25 Sec. 21.96.310. Enforcement; penalties. (a) In addition to the director's power 26 to examine or investigate under AS 21.06.120, the director may examine and 27 investigate the affairs of a licensee to determine whether the licensee is or has been in 28 violation of AS 21.96.250 - 21.96.399. The director shall conduct an examination or 29 investigation under this section following the same procedures applicable to an 30 examination or investigation under AS 21.06.120. The director may take necessary or 31 appropriate action to enforce AS 21.96.250 - 21.96.399. 01 (b) In addition to any other penalty provided by law, a person who violates 02 AS 21.96.250 - 21.96.399 is subject to the penalties provided under AS 21.27.440. 03 (c) AS 21.96.250 - 21.96.399 do not create or imply a private cause of action 04 for a violation of AS 21.96.250 - 21.96.399. 05 Sec. 21.96.399. Definitions. In AS 21.96.250 - 21.96.399, 06 (1) "consumer" means an individual who is a resident of this state and 07 whose nonpublic information is in a licensee's possession, custody, or control; 08 (2) "cybersecurity event" 09 (A) means an event resulting in unauthorized access to or 10 disruption or misuse of an information system or information stored on the 11 information system; 12 (B) does not include 13 (i) the unauthorized acquisition of encrypted nonpublic 14 information if the encryption's process or key is not also acquired, 15 released, or used without authorization; or 16 (ii) an event in which the licensee has determined that 17 nonpublic information accessed by an unauthorized person has not been 18 used or released and has been returned or destroyed; 19 (3) "encrypt" means transforming of data into a form that results in a 20 low probability of assigning meaning without the use of a protective process or key; 21 (4) "information security program" means the administrative, 22 technical, and physical safeguards that a licensee uses to access, collect, distribute, 23 process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic 24 information; 25 (5) "information system" means 26 (A) a discrete set of electronic information resources organized 27 for the collection, processing, maintenance, use, sharing, dissemination, or 28 disposition of electronic information; or 29 (B) a specialized system that may include an industrial or 30 process control system, a telephone switching and private branch exchange 31 system, or an environmental control system; 01 (6) "licensee" 02 (A) means a person licensed, authorized to operate, or 03 registered, or required to be licensed, authorized, or registered, under the 04 insurance laws of this state; 05 (B) does not include a purchasing group or a risk retention 06 group chartered and licensed in a state other than this state or a licensee that is 07 acting as an assuming insurer that is domiciled in another state or jurisdiction; 08 (7) "nonpublic information" means information that is not publicly 09 available information and that is 10 (A) business-related information of a licensee, the tampering 11 with which, or unauthorized disclosure, access, or use of which, would cause a 12 material adverse effect to the business, operations, or security of the licensee; 13 (B) information concerning a consumer that, because of a 14 name, number, personal mark, or other identifier, can be used to identify the 15 consumer in combination with one or more of the following data elements: 16 (i) a social security number; 17 (ii) a driver's license number or identification card 18 number; 19 (iii) an account, credit card, or debit card number; 20 (iv) a security code, access code, or password that 21 would permit access to a consumer's financial account; or 22 (v) a biometric record; or 23 (C) information or data, except age or gender, in any form or 24 medium created by or derived from a health care provider or a consumer that 25 relates to 26 (i) the past, present, or future physical, mental, or 27 behavioral health or condition of a consumer or a member of the 28 consumer's family; 29 (ii) the provision of health care to a consumer; or 30 (iii) payment for the provision of health care to a 31 consumer; 01 (8) "person" means an individual or a nongovernmental entity; 02 (9) "publicly available information" means information that a licensee 03 has determined is made available to the general public from 04 (A) a federal, state, or local government record; 05 (B) a widely distributed media; or 06 (C) a disclosure to the general public that is required under 07 federal, state, or local law; 08 (10) "third-party service provider" means a person that is not a licensee 09 that, through a contract with a licensee, is permitted access to and maintains, 10 processes, or stores nonpublic information through its provision of services to the 11 licensee. 12  * Sec. 2. The uncodified law of the State of Alaska is amended by adding a new section to 13 read: 14 INDIRECT COURT RULE AMENDMENTS. (a) AS 21.96.290(a)(3), enacted by sec. 15 1 of this Act, has the effect of changing Rule 26, Alaska Rules of Civil Procedure, by 16 prohibiting discovery of evidence in the possession or control of the division of insurance that 17 is provided by a licensee or an employee or agent acting on behalf of a licensee under 18 AS 21.96.260(f) or 21.96.280(b)(2) - (5), (8), (10), or (11) or that is obtained by the director 19 in an investigation or examination under AS 21.96.310. 20 (b) AS 21.96.290(a)(4) and (c), enacted by sec. 1 of this Act, have the effect of 21 changing Rules 402 and 501, Alaska Rules of Evidence, by 22 (1) creating a new privilege that would prevent the director of the division of 23 insurance, or an individual acting under the authority of the director, from being permitted or 24 compelled to testify about confidential or privileged documents, materials, or information in a 25 private civil action; and 26 (2) precluding admissibility of evidence in a private action of documents, 27 materials, or other information in the possession or control of the division of insurance that is 28 provided by a licensee or an employee or agent acting on behalf of a licensee under 29 AS 21.96.260(f) or 21.96.280(b)(2) - (5), (8), (10), or (11) or that is obtained by the director 30 in an investigation or examination under AS 21.96.310. 31  * Sec. 3. The uncodified law of the State of Alaska is amended by adding a new section to 01 read: 02 TRANSITION: REGULATIONS. The director of the division of insurance may adopt 03 regulations necessary to implement this Act. The regulations take effect under AS 44.62 04 (Administrative Procedure Act), but not before the effective date of the law implemented by 05 the regulation. 06  * Sec. 4. The uncodified law of the State of Alaska is amended by adding a new section to 07 read: 08 CONDITIONAL EFFECT. AS 21.96.290(a)(3) and(4) and (c), enacted by sec. 1 of 09 this Act, take effect only if sec. 2 of this Act receives the two-thirds majority vote of each 10 house required by art. IV, sec. 15, Constitution of the State of Alaska. 11  * Sec. 5. Section 3 of this Act takes effect immediately under AS 01.10.070(c). 12  * Sec. 6. AS 21.96.250 and 21.96.260(a), (b), (c)(1) - (6), (9), and (10), and (d) - (g), 13 enacted by sec. 1 of this Act, take effect January 1, 2025. 14  * Sec. 7. AS 21.96.260(c)(7) and (8), enacted by sec. 1 of this Act, take effect January 1, 15 2026. 16  * Sec. 8. Except as provided in secs. 5 - 7 of this Act, this Act takes effect January 1, 2024.