And then there were none. Alabama has joined the ranks of the other 49 states with breach notification requirements by enacting the Alabama Data Breach Notification Act of 2018 (the “Act”). The Act, which was signed into law by Alabama Governor, Kay Ivey on March 28, 2018, requires companies to provide Alabama residents with notification of a breach within 45 days of discovery. Notification is triggered by a determination of a breach that poses a risk of harm to impacted individuals. Alabama exempts from the definition of breach the good faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use. Companies must notify the state AG in the same period if the breach requires notification of more than 1,000 “individuals” (defined as Alabama residents whose “sensitive personally identifiable information” was, or is reasonably believed to have been, accessed as a result of the breach). In addition, if more than 1,000 individuals are notified at a single time, companies must provide notice to consumer reporting agencies “without unreasonable delay.” Third parties who are contracted to process sensitive personally identifiable information must provide notice of a breach to the owner of that information within ten days of discovering the breach. Notice from a third party then triggers the 45-day notification period for the covered entity.
The Act defines sensitive personally identifiable information consistent with the definition in many other state beach notification laws, to include first name (or initial) and last name, in combination with any of the following: full SSN or tax ID; full driver’s license number or other government issued ID number; financial or credit card account number in combination with security code or pin that would provide account access; medical information; health insurance policy number or identifier; or user name/email address in combination with password or security question and answer that would provide access. The Alabama law provides an exception for information that has been lawfully made public or encrypted information.
Companies that knowingly violate the notification requirements could be subject to a penalties from the state AG of up to $500,000 per breach under the Alabama Deceptive Trade Practices Act, plus additional penalties of up to $5,000 per day for each consecutive day that the company fails to comply with notification requirements. The Act does not provide for a private right of action, but does allow for the state Attorney General to bring representative actions for named individuals to recover actual damages plus attorney’s fees and costs. The Alabama Act also requires companies to take certain reasonable security measures to protect Sensitive Personally Identifiable Information. The Alabama law becomes effective on June 1, 2018, and with the exception of Georgia’s data breach notification law limiting application to data brokers, the Alabama law will complete the map for broad notification obligations throughout the United States.