Alabama recently became the 50th state to pass a data breach notification law. Alabama’s newly passed law [1] (effective May 1, 2018) requires businesses and government agencies to 1) protect “sensitive personally identifying information”; and 2) notify Alabama residents (and other entities as applicable) in the event of a “breach of security” of that information. While a number of states impose an obligation to “maintain reasonable security measures,” Alabama’s law is unique in that it identifies specific actions that may be considered in evaluating “reasonableness”:
- Designation of an employee or employees to coordinate the covered entity’s security measures to protect against a breach of security. An owner or manager may designate himself or herself.
- Identification of internal and external risks of a breach of security.
- Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards.
- Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.
- Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information.
- Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures; provided, however, that the management of a government entity subject to this subdivision may be appropriately informed of the status of its security measures through a properly convened executive session under the Open Meetings Act pursuant to Section 36-25A-7, Code of Alabama 1975.
By expressly defining what may constitute “reasonable” security measures, Alabama has provided a “roadmap” for entities subject to the law. At the same time, Alabama has arguably set a higher standard and burden for those entities: because the statute names specific actions, an entity that has not taken them will find it harder to argue that its measures were nonetheless reasonable. Businesses that collect and store the information of Alabama residents should therefore evaluate their security programs against each of the listed actions, both to ensure compliance with the law and to reduce the likelihood of a breach of “sensitive personally identifying information.”