Alabama's Governor, Kay Ivey, signed the Alabama Data Breach Notification Act (SB318) into law on March 28, 2018. The Act goes into effect on June 1, 2018. Alabama was the last state to pass a data breach notification and reporting law, as South Dakota's governor signed S.B. 62 on March 21, 2018.
SB318 is one of the most comprehensive data breach laws in the country due to four main requirements. Covered Entities must: (1) implement reasonable security efforts to protect sensitive data; (2) conduct a good faith investigation after a data breach; (3) provide written notification to victims post-breach; and (4) dispose of records containing sensitive personally identifying information ("SPII") pursuant to law, regulation or business need.
Who Is Covered by the Law?
Essentially everyone that acquires or uses SPII of Alabama residents, regardless of their location. "Covered Entities" include any private actor (e.g., person, sole proprietorship, partnership, corporation, nonprofit, trust, estate, association, or other business entity) that "acquires or uses" SPII in electronic form; third party service providers who store, process, or transmit SPII for Covered Entities; and government entities (e.g., agencies, commissions).
There is one main exception. Covered Entities that are subject to privacy requirements under federal law (e.g., HIPAA) or another state's law (that is at least as strict) may be exempt from complying with SB318. Until further guidance is issued, these Covered Entities should exercise caution where the federal requirements are less strict than SB318's. If applicable, exempt entities must still report to the Attorney General.
Reasonable Security Efforts:
SB318 requires its subjects to implement and maintain reasonable security efforts, including:
- Designate a person responsible for data security issues;
- Identify internal and external risks to your SPII;
- Establish a data protection program to mitigate identified risks;
- Contractually obligate third party vendors to maintain safeguards to protect SPII (comply with the Act);
- Evaluate and adjust data protection mechanisms when changes occur; and
- Keep management informed of the state of security.
Covered Entities should start by mapping their data and conducting a risk assessment to determine where the data is flowing and how the SPII may be lost. From there, the proper cybersecurity controls and best practices can be quantified and implemented to protect SPII from unauthorized access. Covered Entities should also have a tested Incident Response Plan and designated response team in place to respond to an incident.
Good Faith Investigation:
When a breach has or may have occurred, SB318 requires Covered Entities to conduct an investigation promptly and in good faith, including:
- Assess the nature and scope of the breach;
- Identify any SPII involved and the identity of the individuals affected;
- Determine whether SPII has been or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm; and
- Identify and implement measures to restore the security of the data involved.
Covered Entities should consider engaging privacy counsel immediately after a breach to assist with the response, evidence collection, and notification process. Keep in mind that privacy counsel can help ensure that communications and documents exchanged post-breach are subject to attorney-client privilege and the attorney work-product doctrine.
The Notification Requirement:
Covered Entities must notify Alabama residents of security incidents if:
- Electronically stored SPII has been acquired, or is reasonably believed to have been acquired, by an unauthorized person; AND
- The acquisition is reasonably likely to cause substantial harm to the individuals.
If a Third Party Vendor is breached, it must notify the Covered Entity within 10 days and participate in efforts to notify. If a Covered Entity determines notification is not required, records of that determination must be maintained for no less than 5 years.
"Reasonably Believed To Be Acquired" Is a Judgment Call:
SB318 requires notification beyond instances where there is actual unauthorized acquisition of SPII and actual harm to the victim. The purpose is to notify victims before injury occurs so that they can mitigate the harm. Below are four categories of events that often trigger notification:
- Indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;
- Indications that the information has been downloaded or copied;
- Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; and
- Indications that the information has been made public.
Sensitive Personally Identifiable Information:
"Sensitive Personally Identifying Information" consists of the individual's first name or initial and last name in combination with any one of these data elements:
- A non-truncated Social Security or tax identification number;
- Non-truncated driver's license, state-issued identification card number, passport number, military identification number or any unique, government-issued number used to verify identity;
- A financial account, credit or debit card number along with a required security code, expiration date, PIN, access code or password necessary to access a financial account or conduct a transaction;
- Individual medical or mental history or treatment information;
- A health insurance policy or identification number; and
- A user name or email address along with a password or security question and answer that gives access to an online account that is likely to contain sensitive personal information.
Encrypted SPII is exempt unless there is reason to believe the key has been compromised.
What Information Should the Notification Include?
- The date, estimated date, or estimated date range of the breach;
- A description of the SPII that was acquired by an unauthorized person as part of the breach;
- A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach;
- A general description of steps a consumer can take to protect himself or herself from identity theft; and
- Information that the individual can use to contact the covered entity to inquire about the breach.
Method and Timing of Notification:
Notifications can be made by mail and/or email. The notifications must occur "as expeditiously as possible" and no later than 45 days after the determination of a breach.
Third Party Vendors must notify a Covered Entity no later than 10 days after the determination or reasonable belief of a breach.
Law enforcement agencies can delay a notification by written request.
Covered Entities may substitute notice with media advertising or by website in certain situations:
- Cost of more than $500,000;
- Notice to more than 100,000 people; and
- Lack of sufficient contact information.
Notification must be made to the Attorney General and consumer credit-reporting agencies when more than 1,000 people are involved.
Disposing of Data:
Covered Entities and Third Party Vendors must:
- Dispose of records containing SPII pursuant to law, regulation or business need; and
- Dispose of SPII by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any reasonable means consistent with industry standards.
Penalties:
A violation will not result in a criminal offense. There is no private right of action. SB318 does allow the Attorney General to seek deceptive trade practice penalties when a Covered Entity or Third Party Vendor knowingly violates the law.
A violator could be subject to a $2,000-per-person penalty, capped at $500,000. Covered Entities that notify after the 45-day deadline could also be fined up to $5,000 per day.