Alabama Data Breach Notification Act of 2018
Ala. Code 1975, § 8-38-3
EFFECTIVE. May 1, 2018
WHO DOES THIS LAW APPLY TO. “Covered Entities” and their “third-party agents” who acquire or use sensitive personally identifying information. Third-party agents are those who maintain, store, process, or are permitted access to sensitive personally identifying information for someone else. A Covered Entity is a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.
WHAT IS A BREACH. The unauthorized acquisition of data in electronic form containing sensitive personally identifying information. Acquisition occurring over a period of time committed by the same entity constitutes one breach. The term does not include any of the following: (i) Good faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use; (ii) The release of a public record not otherwise subject to confidentiality or nondisclosure requirements; or (iii) Any lawful investigative, protective, or intelligence activity of a law enforcement or intelligence agency of the state, or a political subdivision of the state.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial, plus last name in combination with one or more of the following with respect to the same Alabama resident:
- A non-truncated Social Security number or tax identification number.
- A non-truncated driver's license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual.
- A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account.
- Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
WHO TO NOTIFY OF THE BREACH. Written notice to the affected individuals and to the Alabama Attorney General if over 1,000 Alabama residents are notified. Notice to all consumer reporting agencies is also required without unreasonable delay if over 1,000 Alabama residents are notified. Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.
EXCEPTION. An entity subject to or regulated by state laws, rules, regulations, procedures, or guidance on data breach notification that are established or enforced by state government, and are at least as thorough as the notice requirements provided by this act, is exempt from this act so long as the entity does all of the following:
- Maintains procedures pursuant to those laws, rules, regulations, procedures, or guidance.
- Provides notice to customers pursuant to the notice requirements of those laws, rules, regulations, procedures, or guidance.
- Timely provides a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.
WHEN TO NOTIFY OF THE BREACH. As expeditiously as possible and without unreasonable delay but within 45 days of a determination that the breach of security is reasonably likely to cause substantial harm to affected individuals. Notice to all consumer reporting agencies is also required without unreasonable delay if over 1,000 Alabama residents are notified. Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.
If a federal or state law enforcement agency determines that notice to individuals required under this section would interfere with a criminal investigation or national security, the notice shall be delayed upon the written request of the law enforcement agency for a period that the law enforcement agency determines is necessary. A law enforcement agency, by a subsequent written request, may revoke the delay as of a specified date or extend the period set forth in the original request made under this section if further delay is necessary.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice to the affected individuals at the mailing address in the records.
- Email notice sent to the email address in the records.
The consumer notice must include: the date, estimated date, or estimated date range of the breach; a description of the sensitive personally identifying information that was acquired; a general description of the actions taken by the covered entity to restore the security and confidentiality of the personal information; a general description of the steps a consumer can take to protect themselves from identity theft; and information that the consumer can use to contact the covered entity to inquire about the breach.
Written notice to the Alabama Attorney General’s Office must include:
- A synopsis of the events surrounding the breach at the time that notice is provided.
- The approximate number of individuals in the state who were affected by the breach.
- Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions on how to use the services.
- The name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.
SUBSTITUTE NOTICE AVAILABLE. A covered entity required to provide notice to any individual under this section may provide substitute notice in lieu of direct notice, if direct notice is not feasible due to any of the following:
- Excessive cost to the covered entity required to provide such notification relative to the resources of the covered entity, provided that the cost of the individual notification is considered excessive if it exceeds five hundred thousand dollars ($500,000).
- Lack of sufficient contact information for the individual required to be notified.
- The affected individuals exceed 100,000 persons.
Substitute notice shall include both of the following:
- A conspicuous notice on the Internet website of the covered entity, if the covered entity maintains a website, for a period of 30 days.
- Notice in print and in broadcast media, including major media in urban and rural areas where the affected individuals reside.
An alternative form of substitute notice may be used with the approval of the Attorney General.
NOTICE TO THIRD-PARTIES. Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.
CONSEQUENCES FOR FAILING TO NOTIFY. There is no private right of action, but the Attorney General may enforce the Act in a “representative capacity” on behalf of individuals affected by the breach. The Act allows civil penalties of not more than $5,000 per day to be assessed against entities that fail to take reasonable action to comply with the notice provisions of the Act. A knowing or reckless disregard in failing to comply with the notice requirements could subject covered entities to fines of up to $500,000 per breach.
PRIVATE RIGHT OF ACTION. A violation of this Act does not establish a private cause of action.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. Each covered entity and third-party agent shall implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security. Reasonable security measures mean security measures practicable for the covered entity to implement and maintain, including consideration of all of the following:
- Designation of an employee or employees to coordinate the covered entity's security measures to protect against a breach of security. An owner or manager may designate himself or herself.
- Identification of internal and external risks of a breach of security.
- Adoption of appropriate information safeguards to address identified risks of a breach of security and assessment of the effectiveness of such safeguards.
- Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.
- Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information.
- Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.
DATA DISPOSAL PROVISIONS. Section 10. A covered entity or third-party agent shall take reasonable measures to dispose, or arrange for the disposal, of records containing sensitive personally identifying information within its custody or control when the records are no longer to be retained pursuant to applicable law, regulations, or business needs. Disposal shall include shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any reasonable means consistent with industry standards.
LEGISLATIVE UPDATES. For more information, see:
- http://alisondb.legislature.state.al.us/alison/CodeOfAlabama/1975/Coatoc.htm
- https://legiscan.com/AL/text/SB318/2018
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information or the information linked to. Please check the linked sources directly.