Alabama Enacts Provisions Regarding Data Breach Notification Act
Alabama has enacted SB318, an act known as the Alabama Data Breach Notification Act of 2018. The act requires that a covered entity provide notice to an individual where that individual’s personally identifying information may have been compromised as a result of a data breach.
The act applies to all “covered entities” which may include a person, government entity, corporation, trust, estate, or any other business entity that acquires or uses personally identifying information. The act also applies to third party agents of covered entities that have access to an individual’s personally identifying information. Sensitive personally identifying information may consist of the combination of a first name, last name, and: a Social Security number or tax ID, driver’s license number, financial account number, medical information, health insurance policy number, or a user name or email address in combination with a password or security question answer.
The act requires that the covered entity or third-party agent implement reasonable security measures to protect sensitive personally identifying information. Reasonable security measures may include the designation of an employee to coordinate the security measures, identification of risks of a breach of security, and the adoption of safeguards to address the internal and external risks that have been identified.
In the event a breach of security may have occurred, the act requires a covered entity to conduct an investigation to ascertain the scope of the breach, identify any information that may have been compromised in the breach, and identify the individuals whose information may have been accessed in the breach.
If a covered entity has determined that a breach has occurred, or if a third-party agent notifies the covered entity that a breach has occurred, the covered entity is required to provide notice of the breach to each individual as expeditiously as possible. In the event the breach is of a third-party agent of a covered entity, then the covered entity has 45 days from its receipt of the notice of the breach from the third-party agent to notify the individual. The notice is required to be in writing to the individual at his or her address unless direct notice is not feasible due to excessive cost, lack of sufficient contact information to notify the individual, or if more than 100,000 individuals are affected.
If more than 1,000 individuals are affected by the breach, the covered entity is required to provide written notice of the breach to the Attorney General and all consumer reporting agencies as defined in the Fair Credit Reporting Act, 15 U.S.C. 1681a.
Violation of the notification provisions of the act shall be considered an unlawful trade practice under the Alabama Deceptive Trade Practices Act.
The full text of Alabama SB318 can be found here: https://legiscan.com/AL/text/SB318/id/1748038/Alabama-2018-SB318-Engrossed.pdf
Adam Faria, JD, is a regulatory compliance consultant with CLA. He is a graduate of Northeastern University and earned his juris doctor at Suffolk University Law School. He is admitted to the bar in Massachusetts and New Hampshire.
Comments are closed.