On March 28, 2018, Alabama Gov. Kay Ivey signed a bill that made Alabama the 50th and final state to enact a consumer data breach notification law. Prior to the signing, Alabama had been the last remaining state without such a law after South Dakota passed its data breach law last month.
Here is what you need to know about the new Alabama data breach notification law before it takes effect on May 1, 2018:
- The law applies to all “covered entities,” which the law defines as “a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association or other business entity that acquires or uses sensitive personally identifying information.” The law also applies to any “third-party agents” of covered entities, where a third-party agent is defined as “an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.” Third-party agents are required to notify the covered entity within ten (10) days after discovering a breach of security.
- The Alabama law protects “sensitive personally identifying information” from unauthorized access. But the law only covers unauthorized access to unencrypted computerized data (or encrypted computerized data where the encryption key has also been compromised), and so it does not extend to unauthorized access to non-computerized data.
- Similar to other laws, the Alabama statute defines “sensitive personally identifying information” to include an Alabama resident’s first name or first initial and last name in combination with:
  - A Social Security number, driver’s license number, state-issued ID number, passport number, military ID number or other unique, government-issued identification number.
  - A financial account number (including a bank account number or credit/debit card number) in combination with any access code, password, PIN or expiration date.
  - Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, or a person’s health insurance policy number.
  - An individual’s username or email address in combination with a password or security question and answer that would allow access to an online account containing sensitive personally identifying information.
- The law requires that written notification be made to all affected individuals within forty-five (45) calendar days of determining that a breach of security is reasonably likely to cause substantial harm to the affected individuals. If the breach affects more than 1,000 Alabama residents, then both the Alabama Office of the Attorney General and all consumer reporting agencies must also be notified. Notice to the Attorney General is due within the same forty-five (45) calendar days, while notice to the consumer reporting agencies is required “without unreasonable delay.”
In addition to notification requirements, the new Alabama law also includes provisions requiring covered entities and third-party agents to employ and maintain “reasonable security measures” and document destruction protocols.
Under the new law, the reasonable security measures that covered entities and third-party agents must implement and maintain to protect Alabama residents’ sensitive personally identifying information against unauthorized access include:
- Designating an employee(s) to coordinate the entity’s security measures;
- Identifying internal and external risks of a security breach;
- Adopting appropriate safeguards to address identified risks and assessing the effectiveness of such safeguards;
- Retaining service providers that are contractually required to maintain appropriate safeguards for sensitive personally identifying information; and
- Keeping management, including the board of directors, appropriately informed of the overall status of security measures.
The law also includes a disposal provision that requires covered entities and third-party agents to take reasonable measures to dispose of any records containing sensitive personally identifying information when the records are no longer needed pursuant to “applicable law, regulations, or business needs.”
In general, Alabama’s new breach notification statute is similar to those of other states. But, as always, if you find yourself in a situation where you have to interpret these requirements, you should enlist the help of experienced and knowledgeable data breach and privacy attorneys like those in Thompson Coburn’s cybersecurity department.