Alabama and South Dakota are the only two states that have not passed a data breach notification and reporting law. On March 1, 2018, Alabama got one step closer to not finishing dead last when the Alabama Senate passed SB318, Alabama’s version of a data breach notification and reporting requirement. You can read the bill here. SB318 will now go to the Alabama House of Representatives for a vote.

SB318 requires breached entities (persons or business entities that acquire or use personally identifiable information) to notify Alabama’s attorney general, Alabama residents whose information has been compromised and consumer credit-reporting agencies of breaches if:

  • Sensitive information is reasonably believed to have been acquired by an unauthorized person; AND
  • Is reasonably likely to cause substantial harm to the individuals.

Even if a breach is not a reportable event, the data owner must maintain relevant records for at least five years.

Method of Notification and Timing:

Notifications can be made by mail and/or email. The notifications must occur as “expeditiously as possible” and no more than 45 days after the determination of a breach.

The bill requires third parties to notify a breached entity no later than 10 days after the third-party agent determines a breach occurred. Law enforcement agencies can delay a notification.

The Type of Information That Triggers Notification:

Information that qualifies as a notifiable breach consists of the individual’s first name or initial and last name in combination with any one of these data elements:

  • A non-truncated Social Security or tax identification number;
  • Non-truncated driver’s license, state-issued identification card number, passport number, military identification number or any unique, government-issued number used to verify identity; 
  • A financial account, credit or debit card number along with a required security code, expiration date, PIN, access code or password necessary to access a financial account or conduct a transaction;
  • Individual medical or mental history or treatment information;
  • A health insurance policy or identification number; and
  • A user name or email address along with a password or security question and answer that gives access to an online account that is likely to contain sensitive personal information.

What Constitutes “Reasonably Believed To Be Acquired”?

1) Indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information; 

2) Indications that the information has been downloaded or copied; 

3) Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; and

4) Whether the information has been made public.

What Must Be Included In the Notification? 

1) The date, estimated date, or estimated date range of the breach;

2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach;

3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach;

4) A general description of steps a consumer can take to protect himself or herself from identity theft; and

5) Information that the individual can use to contact the covered entity to inquire about the breach.

Penalties:

A violation of this proposed law constitutes a deceptive trade practice. A violation of SB318 does not constitute a criminal offense, and it will not prompt a private right of action. It does allow the attorney general to seek deceptive trade practice penalties when a covered entity or third-party agent knowingly violates the notification law.

The Deceptive Trade Practice Act penalties would apply for willful or reckless disregard of the notification requirements. That disregard could subject the violator to a $2,000-per-person penalty, capped at $500,000. Any breached entity that made notification after the 45-day deadline could also be fined up to $5,000 per day.

Notable Exceptions:

1) A notification cost of more than $500,000 qualifies as excessive and allows a breached entity to notify those who have been breached via its website or by advertising in the markets where the affected individuals live; 

2) Alternate notification methods are allowed if more than 100,000 people are affected; 

3) The notifications to the attorney general and consumer credit-reporting agencies are required for breaches affecting more than 1,000 people; and

4) Encrypted information is exempted.