On March 1, 2018, the Alabama Senate voted for passage of Senate Bill 318, the Alabama Data Breach Notification Act, by a vote of 24-0. The bill is now being considered by the Alabama House, and with the broad Senate support and vocal praise from Alabama Attorney General Steve Marshall, its passage into law seems likely. The sponsor of the bill, Senator Arthur Orr, specifically identified the protection of the privacy of Alabama citizens' medical information as one goal of the bill.
Alabama is one of two states that do not have a data breach notification law. The other state, South Dakota, is also in the process of considering such a law. The Data Breach Notification Act requires that companies doing business in Alabama notify their consumers when their consumers' personal data has been affected by a data breach. This notification must occur within forty-five days of determination that the breach has occurred. Additionally, if a breach affects more than 1,000 consumers, the company is required to notify the Alabama Attorney General’s Office. If a breach involves more than half a million individuals, the company must post notices online, in newspapers, on TV, and through radio stations.
Although neither criminal penalties nor private actions are available against companies that fail to notify their affected consumers, fines of up to $5,000 per day may be issued by the Alabama Attorney General’s Office. The Alabama Attorney General may also file a lawsuit on behalf of affected consumers. Follow the bill's status here.