On March 28, 2018, Alabama became the final state in the U.S. to enact a data breach notification law. The Alabama Data Breach Notification Act of 2018 (S.B. 318) (“the Law”) goes into effect on May 1, 2018.
Key Provisions of the Alabama Data Breach Notification Act of 2018:
- The law applies to “covered entities” and their “third-party agents.” “Covered entity” is defined as “a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association or other business entity that acquires or uses sensitive personally identifying information.” “Third-party agent” is defined as “an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.”
- The definition of “sensitive personally identifying information” includes health information (such as an individual’s medical condition and history, and health insurance identification numbers), as well as a username or email address in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information.
- The law applies to unencrypted computerized data or encrypted computerized data when the encryption key or code is also compromised.
- Notification is not required if, after a prompt investigation in good faith, it is determined that the breach of security is not reasonably likely to cause substantial harm to the individuals to whom the information relates.
- Written notice must be made to affected individuals (and to the Alabama Office of the Attorney General if over 1,000 Alabama residents are notified) within 45 calendar days of a determination that the breach of security is reasonably likely to cause substantial harm to affected individuals. Notice to all consumer reporting agencies is also required “without unreasonable delay” if over 1,000 Alabama residents are notified.
- Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.
- Covered entities that are subject to federal or state laws, rules, regulations, procedures or guidance on data breach notification established or enforced by the federal or state government are exempt from the statute as long as the covered entity (1) maintains procedures pursuant to those laws; (2) provides notice to affected individuals pursuant to those laws; and (3) provides in a timely manner a copy of the notice to the Alabama Office of the Attorney General when the number of individuals the covered entity notifies exceeds 1,000.
- Covered entities and their third-party agents must implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security, which include:
  - Designation of an employee (or employees) to coordinate the covered entity’s security measures to protect against a breach of security;
  - Identification of internal and external risks of a breach of security;
  - Adoption of appropriate information safeguards to address identified risks of a breach of security, and assessment of the effectiveness of such safeguards;
  - Retention of service providers that are contractually required to maintain appropriate safeguards for sensitive personally identifying information;
  - Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information; and
  - Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.
- The law also contains a data disposal provision that requires covered entities and third-party agents to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records are no longer to be retained pursuant to applicable law, regulations or business needs.