Alabama State Data Breach Notification Laws Overview

The document provided is an overview of the State Data Breach Law. It is not a substitute for advice from an attorney, but is meant to be used as a business tool to help educate and start conversations between business, IT and counsel. I hope you find it helpful. Please let me know if you have any questions or comments.

 
Who must comply?

Practically everyone…

Persons, sole proprietorships, partnerships, government entities, corporations, nonprofits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive personally identifying information.

 
What Data is Covered?

Sensitive Personally Identifying Information (SPII)

First name or first initial and last name, in combination with one or more of the following:

  • Social Security number or tax identification number

  • Driver's license number, state-issued identification card number, passport number, or military identification number

  • A bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN

  • Any information regarding an individual's medical history, or medical treatment or diagnosis by a health care professional

  • An individual's health insurance policy number or subscriber ID number, together with any unique identifier used by a health insurer to identify the individual

  • A username or email address, in combination with a password or security question and answer, that would permit access to an online account reasonably likely to contain or provide access to sensitive personally identifying information

 
Exclusions

Public, Encrypted, Truncated & De-Identified SPII

  • Information about an individual that has been lawfully made public by a federal, state, or local government record or by widely distributed media.

  • Information that is truncated, encrypted, secured, or modified by any other method or technology that removes the elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information. This exclusion does not apply if the covered entity knows that the encryption key or security credential capable of rendering the information readable or usable has also been breached; an encrypted device lost together with its decryption credential does not qualify.

 
What is a breach?

Reasonable belief of an unauthorized acquisition of SPII

A breach exists when a covered entity* determines, following a prompt investigation, that SPII of an Alabama resident in electronic form is known or reasonably believed to have been acquired by an unauthorized person, and that the acquisition is reasonably likely to cause substantial harm to the individuals to whom the information relates. The acquisition may be a single incident or a series of incidents over a period of time committed by the same entity.

*Third-party agent obligations are described under How to Comply and Notice Requirements below.

 
How to Comply

Pre-Breach Compliance

  • Covered entities and third-party agents shall implement and maintain reasonable security measures.

  • Designate an individual to coordinate the covered entity's security measures to protect against a breach of security.

  • Identify internal and external risks of a breach of security.

  • Contractually require third-party agents to maintain appropriate safeguards for sensitive personally identifying information.

  • Keep management, including the board of directors, if any, appropriately informed of the overall status of the security measures.

  • Evaluate and adjust security measures to account for changes in circumstances affecting the security of sensitive personally identifying information.

Post-Breach Compliance

  • Perform an investigation.

  • Determine the scope of the breach.

  • Identify the compromised SPII.

  • Identify and implement the measures necessary to restore the security and confidentiality of the affected systems.

  • Send notice if the breach is confirmed.

  • Covered entities (not third-party agents) that experience a breach must give notice as expeditiously as possible and without unreasonable delay, but no later than 45 days from the determination that a breach has occurred (subject to the needs of law enforcement).

  • Third-party agents must notify the covered entity no later than 10 days after a breach. At that point the covered entity or the third-party agent, depending on the contractual agreements in place, must carry out the notification requirements.

 
Notice Requirements

Post-Breach Compliance

  • Notice to affected individuals must include:

o   Date of Breach

o   What SPII was compromised

o   Actions taken to restore security & confidentiality of data

o   Actions an individual can take to protect themselves from the impact of the breach.

o   Information on how to contact entity with questions about the breach.

  • Substitute notice may be used when the entity lacks sufficient contact information for the individuals, when the cost of direct notice is excessive relative to the size of the business, when more than 100,000 individuals are affected, or when the cost of direct notice would exceed $500,000.

  • If a breach affects more than 1,000 individuals, the Attorney General must be notified in writing, and the entity must also notify all nationwide consumer reporting agencies.

 
Sanctions and Remedies

  • Civil penalties for willful violations under Section 8-19-11, Code of Alabama 1975, may range up to $500,000 per breach.

  • Additionally, entities may face a penalty of $5,000 per day for each day they fail to comply with the notice requirements.

  • Finally, the Attorney General has exclusive authority to bring an action for damages on behalf of any named individual or individuals.