Alabama Data Breach Notification Act of 2018

Apr 10, 2018

This executive summary addresses our discussion at the April 10, 2018 inaugural meeting of the Birmingham chapter of Infragard about Alabama’s new data breach law.

The new law requires businesses to maintain reasonable security measures and make data breach notifications, as described below. It takes effect June 1, 2018.

WHO is covered?

The law applies to any business entity or governmental agency that acquires or uses “sensitive personally identifiable information” (“SPII”). Such an entity is defined as a “Covered Entity” (“CE”).

  • This includes individuals acting as businesses and sole proprietorships.
  • Only the notice requirements apply to governmental agencies.
  • HIPAA and GLBA-compliant businesses are excluded.

Certain provisions also apply to “Third-Party Agents”, defined as an entity with which a Covered Entity contracts “to maintain, store, [or] process” SPII, or that is “otherwise permitted to access” SPII in the course of performing services for a Covered Entity.

  • This includes data processors and other subcontractors.
  • The language indicates that it applies to lawyers, accountants, and other professionals.

WHAT information is protected?

SPII includes the usual types of information protected by similar state laws:

The first name or initial and last name of an Alabama resident plus any one of the following:

  • A full SSN or TIN; or
  • A full driver’s license or comparable unique governmental ID number; or
  • A financial account number plus access credentials; or
  • A user name or e-mail plus access credentials to an online account with the CE.

The definition also includes the typical exclusions regarding public or encrypted information.

The new law also follows a more recent state trend by including medical information and health insurance policy number plus the subscriber identifier.

WHO is protected?

Alabama residents whose SPII was (or is reasonably believed by the CE to have been) the subject of a security breach. Such a resident is defined as an “Individual”.

The definition of “breach” or “security breach” includes unauthorized acquisition of electronic SPII but does not appear to include ransomware.

WHEN must notice be given?

The law requires that a data breach notice, in writing or by e-mail, be given within 45 days of the CE’s (1) receipt of notice from a Third-Party Agent that a breach has occurred or (2) determination that (a) a breach has occurred and (b) the breach is “reasonably likely to cause substantial harm” to the Individual. The notice must include the prescribed content (comparable to other state laws and Federal Trade Commission guidance), sufficient to empower the Individual to mitigate the risks of the breach. The usual exceptions for delays for law enforcement purposes and for substitute notice are included. Notice to the state AG and/or the nationwide consumer reporting agencies is required if more than 1000 Individuals are involved in the breach.

  • “Substantial harm” is not defined.
  • The “substantial harm” determination does not appear to be relevant when breach notice is received from a Third-Party Agent; notice is triggered automatically upon receipt of the Third-Party Agent’s notice.
  • The Third-Party Agent must notify the CE within 10 days of its determination of the breach or reason to believe the breach occurred.

WHAT SECURITY measures are required?

The CE and the Third-Party Agent must each implement and maintain “reasonable security measures” to protect SPII. “Reasonable” means “practicable” in relation to a cost-benefit analysis, the type and volume of SPII involved, and the size of the entity, with emphasis placed on “data security failures that are multiple or systemic” and taking into account all of the following measures:

  • Designation of one or more managers of the security program;
  • Risk inventory – both internal and external;
  • Vendor management with contractual security obligations;
  • Continuous monitoring and evaluation of threats and measures; and
  • Board or management oversight.

The security measure requirements of the new law are consistent with the case law and FTC enforcement activity and are likely currently being met by many businesses in Alabama. The key will be to ensure that the measures and any exceptions are clearly documented. Also, the new notice requirements should be built into existing or new data breach response programs. There is no regulatory oversight of compliance or private right of action under the new law. Enforcement is by the AG. There may, however, be litigation consequences if failures resulting in a breach are considered to be negligent or worse.

Please note that this summary is not intended to be legal advice or a comprehensive assessment of the new law. You are welcome to contact me directly at pboshell@privacycounselllc.com or follow me on Twitter @PrivacyCoLLC.

© 2018 Privacy Counsel LLC
