Data breach notification effective June 1 in Alabama

The Alabama Data Breach Notification Act of 2018 by Sen. Arthur Orr, R-Decatur, and Rep. Phil Williams, R-Huntsville, makes Alabama the 50th state in the nation to require data breach notification.

Attorney General Steve Marshall, Sen. Arthur Orr, Gov. Kay Ivey and Rep. Phil Williams pose for a photo during the March 28, 2018, bill signing.

The Alabama Retail Association worked for years to protect retailers in negotiations and discussions concerning data security legislation, including this latest effort by Alabama Attorney General Steve Marshall. The Alabama Legislature gave final approval to the legislation March 27 and the governor signed it into law March 28.

Beginning June 1, 2018, private and public entities must establish reasonable data security measures and notify those affected when personal data has been compromised. Any breached entity that determines the compromised information is “reasonably likely to cause substantial harm” must notify those affected as “expeditiously as possible” but no later than 45 days after discovery.

Alabama’s retailers, as well as the financial services and health care industries and governmental entities, are included in the notification requirement. The Alabama Retail Association has long contended that any notification law should apply to all industries. Protecting customer relationships through strong data security is a primary concern of all retailers, an industry where only 4.8 percent of data breaches originate.

If more than 1,000 individuals are affected by a breach, the breached entity is also required to notify the attorney general and consumer credit-reporting agencies.

Willful or reckless disregard of the notification requirements could result in penalties of up to $500,000.

On March 21, South Dakota’s governor signed similar legislation into law. Before then, South Dakota and Alabama had been the only two states without a data breach notification requirement.

There is draft federal legislation to set a national standard for data breach notification, but it excludes financial institutions, which account for almost five times as many breaches as the retail industry.

This article is part of the Alabama Retail Report, a communication for Alabama Retail Association members.
