Data Security

Act No. 2018-396
by Sen. Arthur Orr, R-Decatur, and Rep. Phil Williams, R-Huntsville
(Recorded explanation of the law by one of the primary negotiators)

Alabama has become the 50th state to require data breach notification.

There is no national data breach notification law.

Protecting customer relationships through strong data security is a primary concern of all retailers. According to the most recent Verizon Data Breach Investigations Report, 4.8 percent of data breaches originated at a retail establishment, while 10.4 percent were breaches of data stored by hotels and restaurants (see infographic). At 24.3 percent, the financial services industry accounts for about five times as many breaches as the retail industry. Retailers care about cybersecurity because we are committed to combating this criminal threat to our customers and our industry.

The National Conference of State Legislatures has compiled information on the varying state data security legislation.

Gov. Kay Ivey signed the Alabama Data Breach Notification Act of 2018 on Wednesday, March 28, 2018. The day before, the Alabama Senate gave final approval to the legislation, which was championed by the Alabama attorney general. The law takes effect June 1, 2018.

The law requires breached entities to notify Alabama’s attorney general, Alabama residents whose information has been compromised and consumer credit-reporting agencies of a breach if:

1) Sensitive personally identifying information is reasonably believed to have been acquired by an unauthorized person; AND
2) The breach is reasonably likely to cause substantial harm to the affected individuals.

The notifications to the attorney general and consumer credit-reporting agencies are required for breaches affecting more than 1,000 people.

If the data owner determines that a breach is not a reportable event, the law requires it to document that determination and maintain the records supporting it for at least five years.

Notifications by mail and/or email are to occur “as expeditiously as possible” and no more than 45 days after the entity determines that a breach has occurred. A third-party agent must notify the covered entity no later than 10 days after the agent determines a breach occurred. Notification may be delayed at the request of a law enforcement agency.

The burden of notification lies with the covered entity, even when a third-party agent has experienced the breach, unless a contract with the breached third party assigns the notification duty to it. The third-party agent must provide the covered entity with all information the covered entity needs to comply with its notice requirements.

Sensitive personally identifying information, the compromise of which triggers notification, is an individual’s first name or first initial and last name in combination with any one of these data elements:

  • A non-truncated Social Security or tax identification number.
  • Non-truncated driver’s license, state-issued identification card number, passport number, military identification number or any unique, government-issued number used to verify identity.
  • A financial account, credit or debit card number along with a required security code, expiration date, PIN, access code or password necessary to access a financial account or conduct a transaction.
  • Individual medical or mental history or treatment information.
  • A health insurance policy or identification number.
  • A user name or email address along with a password or security question and answer that gives access to an online account that is likely to contain sensitive personal information.

A breached entity is subject to penalties only if it fails to provide the required notifications to affected individuals and the attorney general.

A violation constitutes a deceptive trade practice. The law spells out that a violation is NOT a criminal offense and does not create a private right of action. It does allow the attorney general to seek deceptive trade practice penalties when a covered entity or third-party agent knowingly violates the notification law.

The Deceptive Trade Practices Act penalties apply to willful or reckless disregard of the notification requirements. That disregard can subject the violator to a penalty of $2,000 per affected person, capped at $500,000 per breach. A breached entity that provides notification after the 45-day deadline can also be fined up to $5,000 for each day it is late.

The law also requires data owners to implement reasonable security measures to protect sensitive personally identifying information and provides guidance on what those measures should include.