Alabama Data Breach Notification Act Passed by State Senate
The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week.
Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents.
The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm.
Entities that would be required to comply with the Alabama Data Breach Notification Act are persons,
sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive personally identifying information.
Sensitive personally identifying information is defined as a first name/first initial and last name combined with any of the following data elements, provided they are not truncated, encrypted, or hashed:
- Social Security number
- Tax ID number
- Driver’s license number
- State identification card number
- Military identification number
- Passport number
- Other unique government identification number
- Medical information such as health history, treatment or diagnosis or mental/physical condition
- Health insurance number or unique identifiers used by health insurers for identification of an individual
- Financial account number (bank account, credit card, or debit card) combined with an expiry date, security code, PIN, password, or other information that would allow a financial transaction to be conducted
- Username or email address along with a password or security question answer that would allow an account to be accessed
The Alabama Data Breach Notification Act also calls for entities holding the above information to implement and maintain reasonable security measures to protect sensitive personally identifiable information. A risk analysis must be conducted to identity potential security risks and safeguards would need to be adopted reduce those risks to a reasonable level. Measures to protect data should be appropriate for the sensitivity of the data, the amount of data held, the size of the organization, and the cost of safeguards relative to the company’s resources.
If the Alabama Data Breach Notification Act is passed, state residents would have to be notified of data breaches within 45 days of discovery of a breach. Companies that fail to issue the notifications could potentially be fined up to $5,000 per day for any delay in issuing notifications up to a maximum of $500,000 per breach. Lawsuits could be filed by the attorney general’s office on behalf of breach victims, although private actions would not be possible.
Breach notices would be required to include the date or estimated date of the breach, a description of the information exposed, details of the steps that can be taken by breach victims to protect themselves against harm, details of the steps taken by the breached entity to restore security and confidentiality of data, and contact information for further information about the breach. A breach notice would also need to be submitted to the state attorney general’s office if the breach impacts more than 1,000 individuals.
In contrast to data breach notification laws in some US states that exempt HIPAA covered entities that are in compliance with HIPAA laws, the Alabama Data Breach Notification Act would apply to HIPAA covered entities.
The current maximum time frame for HIPAA covered entities is 60 days from the date of discovery of a breach. For Alabama residents at least, that time frame would be reduced by 15 days.