Several weeks ago, South Dakota and Alabama became the final two states to enact data breach notification laws. The Alabama Data Breach Notification Act of 2018 takes effect on May 1, 2018, and imposes information security, breach notification and data disposal requirements on organizations handling Alabama residents’ personal information.

Alabama requires organizations to implement and maintain reasonable security measures

Alabama joins a minority of states that mandate security controls; its new law requires organizations that acquire or use personal information (“covered entities”) to protect the information with “reasonable security measures.” To guide organizations and regulators, the statute lists several considerations to help identify reasonable security measures, including whether the organization has designated an individual to coordinate its security measures, tailored security measures to an appropriate assessment of the organization’s risk scenarios and kept its management informed of the security measures. A reasonableness assessment must also consider the organization’s size, the amount of sensitive data it uses and how it uses it, and the cost to implement certain measures, and should focus on failures that are “multiple or systemic.” The statute also requires organizations to properly dispose of sensitive data that is no longer required to be retained pursuant to applicable law, regulations or business needs. Notably, however, the statute’s civil penalty provisions apply only to violations of the notice requirements discussed below.

“Sensitive personally identifying information” is broadly defined

Alabama’s new law is consistent with other state laws that define covered sensitive data broadly. In addition to Social Security numbers, state-issued identification numbers, and financial account numbers, the definition of sensitive personally identifying information includes “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional” and an individual’s health insurance policy number, when combined with a person’s name. This may create notification obligations for entities that maintain medical and health insurance information, but are not regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In the case of online account usernames and passwords, however, Alabama’s approach is narrower than that of other states that address these data elements. While some states consider any username and password to be sensitive data, Alabama’s law limits its definition to those usernames and passwords that would permit access to an online account affiliated with the covered entity where the online account is “reasonably likely to contain or is used to obtain” sensitive information. These caveats limit the circumstances in which organizations must notify Alabama residents of breaches involving a compromise of usernames and passwords.

Alabama’s law applies only to sensitive data in electronic form.

Alabama creates a safe harbor for truncated or encrypted information

The definition of sensitive personally identifying information does not include “information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information,” provided that the encryption key or security credential has not been compromised.

Risk-of-harm provision limits notification requirement to breaches likely to cause “substantial harm”

Like some other state breach notification laws, Alabama’s includes a risk-of-harm provision, meaning that to trigger a notification obligation, a breach must be reasonably likely to cause substantial harm to the individual whose information was compromised. If an entity’s investigation determines notification is not required, it must document its decision in writing and maintain that documentation for at least five years.

Third-party agents subject to data security and notification requirements

Alabama’s law imposes two requirements on third-party agents who “maintain, store, process, or … otherwise access” sensitive data when providing services to a covered entity. First, third-party agents are subject to the same security requirements imposed on covered entities. Second, third-party agents must notify a covered entity of a breach in the third-party agent’s systems “as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.” Third parties should consider that the reason-to-believe language may start the 10-day clock early in an investigation.

Individual notice is required within 45 days, and attorney general notification is required when over 1,000 residents are notified

If an entity determines that notice is required based on its breach investigation, such notice must be made “as expeditiously as possible and without unreasonable delay, taking into account the time necessary to allow the [entity] to conduct an investigation.” In any case, a covered entity must notify individuals within 45 days of (1) its determination that the breach is likely to cause substantial harm to individuals or (2) notification by a third-party agent of a breach at the third party. Entities may delay individual notice if law enforcement determines that such notification will impede a criminal investigation. Notice to the Alabama Office of the Attorney General and consumer reporting agencies is also required if over 1,000 Alabama residents are notified.

Alabama’s law requires notice provisions consistent with other state laws

Under Alabama’s new law, individual notice must contain the following information: the date or estimated date of the breach, a description of the sensitive personally identifying information involved, the steps that the entity has taken to “restore the security and confidentiality” of the information involved, ways the individual can protect him- or herself from identity theft, and contact information for questions. Individual notice can be provided through U.S. mail or through email.

No private cause of action for violations, but the attorney general may bring actions for civil penalties or damages

Although the new law does not establish a private cause of action, a violation of the act’s notification provisions is deemed an unlawful trade practice under the Alabama Deceptive Trade Practices Act, which the attorney general may enforce in an action for civil penalties of up to $500,000 per breach. The attorney general may also bring an action for actual damages on behalf of any affected individuals, plus attorneys’ fees and costs.