On March 28, 2018, exactly one week after South Dakota enacted a data breach notification law, and a little over sixteen years since California became the first state to pass a data breach law, Alabama became the fiftieth and final state to pass a data breach notification law. Until recently, Alabama and South Dakota were the only states that did not have data breach notification laws.
Under Senate Bill 318, any person or business entity, including government entities, who handle electronically stored “sensitive personally identifying information” regarding Alabama residents must comply with the new data breach notification law. The law is effective on June 1, 2018 (which is, incidentally, one month before the South Dakota law goes into effect).
What Information Is Covered, When Is There a Breach, and Who Has to Comply?
Alabama’s breach notification law is similar to many other states in terms of defining what is “sensitive personally identifying information” and “breach of security” and follows the trend of expansive definitions of a data breach.
- Covered Data. Under the law, “sensitive personally identifying information” is defined as an Alabama resident’s first name or first initial and last name in combination with one or more data elements applicable to that individual and listed in the law (e.g., social security number/tax identification number, non-truncated government-issued identification numbers, financial account numbers in combination with a access code, information regarding individual’s medical history or insurance policy number, and email or user name in combination with a password or security questions).
The term does not include information that is: (1) lawfully made public by a federal, state, or local government record or a widely distributed media; or (2) truncated, encrypted, secured, or otherwise modified to remove elements that personally identify an individual. The law does not specify a minimum encryption standard.
- Definition of Breach. A “breach of security” is defined as the unauthorized acquisition of data containing the above described sensitive personally identifying information in electronic form.
- Entities Subject to the Law. The law applies to “covered entities” and their “third-party agents.” “Covered entities” is a term familiar to those in the health care data privacy and security space, but Alabama’s law uses the term in a broader sense than HIPAA covered entities to mean any person, business entity, or government entity that acquires or uses sensitive personally identifying information (though the law does exclude certain entities subject to other federal data breach notification obligations).
Alabama’s law also applies to “third-party agents,” i.e., entities contracted to maintain, store, process, or otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.
Breach Assessment and Notification Obligations
Alabama’s law is not limited to breach notification obligations. The law specifies how entities must conduct a good faith and prompt investigation if it suspects a breach of security has or may have occurred, including a number of specific factors to identify the nature and scope of the breach, assess affected information and harm to individuals, and restore security.
If a breach of security has occurred, the law mandates certain notification requirements by both covered entities and third-party agents.
- Affected Individuals. Alabama residents must be notified when sensitive personally identifying information was, or is reasonably believed to have been, accessed as a result of a breach. Notification to affected individuals must occur as expeditiously as possible, but no later than forty-five days after the breach was discovered or after receipt of notice of a breach from a third-party agent. The law specifies the method of delivery and content of notification.
However, notification is not required if the breach will not likely result in harm to the affected person(s). The law also allows for delay in notification at the request of law enforcement if such notice would interfere with a criminal investigation or national security.
- Attorney General. If the breach affects more than one thousand Alabama residents, notice to the Attorney General must be made as expeditiously as possible and without unreasonable delay but within forty-five days after the breach was discovered or after receipt of notice of a breach from a third-party agent. The law also specifies the content of notification to the Attorney General.
- Consumer Reporting Agencies. All consumer reporting agencies that compile and maintain files on consumers on a nationwide basis must also be notified without unreasonable delay when notice is provided to more than one thousand Alabama residents.
- Third-Party Agents. Third-party agents that experience breaches must notify the applicable covered entity as expeditiously as possible and without unreasonable delay, but no later than ten days following the determination that the breach occurred.
Additional Obligations: Security Compliance Program
Alabama’s law also requires covered entities and third-party agents to implement and maintain reasonable security measures to protect sensitive personally identifying information against security breaches, including a full list of required factors, including:
- Designation of an employee to coordinate the entity’s security measures;
- Identification of internal and external risks of a security breach;
- Adoption of information safeguards to address identified risks and assess effectiveness of safeguards;
- Contractually requiring service providers to maintain appropriate safeguards for sensitive personally identifying information; and
- Keeping management, including the Board of Directors (if any), appropriately informed of the overall status of security measures.
The law also outlines record disposal/destruction obligations for covered entities and third-party agents with regard to records containing sensitive personally identifying information.
Failure to comply with the notification provisions of the Alabama law is considered an unlawful trade practice under the state’s Deceptive Trade Practices Act, and the Attorney General may impose a civil penalty of up to $500,000 for knowing violations and a fine of up to $5,000 per day per violation of the breach notification law.
The law clearly states that it does not create an individual cause of action, and the Attorney General may bring actions for damages in a representative capacity. Recovery is limited to actual damages plus reasonable attorneys’ fees and costs.
Interestingly, the Alabama law does not specify penalties for failure to comply with the various compliance-related obligations outlined in the law.
And Then There Were None
Alabama is the last state to pass a data breach law. With data breach laws now on the books of all fifty states and Washington D.C., any person or entity conducting business in the nation must be prepared to safeguard customer, employee, and client sensitive data and be ready to comply with all applicable state and federal laws.
As technology and threats to data continue to evolve, states will continue to modify and tighten their data breach notification laws and consumer protections in the wake of an ever-expanding list of data breaches. Stay tuned to the blog for updates to state breach notification laws, among other data privacy and security developments.
For questions about Alabama’s data breach law or other data breach laws, please contact the authors or your Quarles & Brady data privacy & security attorney.