On Wednesday, March 28, 2018, the Alabama Data Breach Notification Act of 2018 (SB318) was signed into law by the Governor, making Alabama round out the roster of 50 states with data breach notification laws. (South Dakota’s data breach notification was signed by its governor on March 21, 2018, making it the 49th state.) The new law will be effective on June 1, 2018. Below is a more detailed summary of the Alabama law:
The Alabama law defines a security breach as the “unauthorized acquisition of data in electronic form containing Sensitive Personally Identifying Information (“Sensitive PII”). As is typical, a breach does not include either: (a) good faith acquisitions by employees or agents unless used for unrelated purposes; (b) the release of public records not otherwise subject to confidentiality or nondisclosure requirements; or (c) any lawful investigative, protection or intelligence activities by a state law enforcement or intelligence agency.
“Sensitive PII” is defined to include: (a) an Alabama resident’s first name or first initial and last name in combination with one or more of the following regarding the same resident:
- A non-truncated SSN number or tax identification number;
- A non-truncated driver’s license number, state ID number, passport, military ID, or other unique identification number issued on a government document;
- A Financial account number, including bank account number, credit card or debit card, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account.
- Any information regarding an individual’s medical history, mental or physical conditions, or medical treatment or diagnosis by a health care professional.
- An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individuals.
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain Sensitive PII.
- Notification to Individuals. If a covered entity determines that an unauthorized acquisition of Sensitive PII has or is reasonably believed to have occurred, and is reasonably likely to cause substantial harm, it shall notify affected individuals as expeditiously as possible and without unreasonable delay but no later than 45 days after the determination of both a breach and a likelihood of substantial harm. A federal or state law enforcement agency may request delayed notification if it may interfere with an investigation. If an entity determines that notice is not required, it shall document the determination and maintain the documentation for at least 5 years.
- Format and Content. Written notice can be by mail or email, and must include: (1) the estimated date or date range of the breach; (2) a description of the Sensitive PII acquired; (3) a general description of actions taken to restore the security and confidentiality of the personal information; (4) steps an affected individual can take to protect himself or herself from identity theft; and (5) contact information for the covered entity in case of inquiries.
- Substitute Notice. Substitute notice can be provided if direct notice would cause excessive cost relative to the covered entity’s resources, if the affected individuals exceed 100,000 persons, or if there is a lack of sufficient contact information for the required individual to be notified. Costs are deemed excessive automatically if they exceed $500,000. Substitute notice may include both posting on the website for 30 days and using print or broadcast media in the major urban and rural areas where the individuals reside. An alternative form of substitute notice may be approved by the Attorney General.
- Notification to Attorney General. If the affected individuals exceed 1,000, the entity must notify the Attorney General as expeditiously as possible and without unreasonable delay, but no more than 45 days from receiving notice of a breach by a third party agent or upon determining a breach and substantial likelihood of harm has occurred. Notice must include: (1) an event synopsis; (2) the approximate number of affected individuals in Alabama; (3) any free services being offered by the covered entity to individuals and instructions on how to use them; and (4) contact information for additional inquiries. The covered entities may provide supplemental or updated information at any time, and information marked as confidential is not subject to any open records or freedom of information laws.
- Notification to Consumer Reporting Agencies. If the covered entity discovers notice is required to more than 1,000 individuals at a single time, it shall also notify, without unreasonable delay, all consumer reporting agencies.
- Third Party Notification. Third party agents experiencing a breach of a system maintained on behalf of a covered entity shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination (or reason to believe) a breach has occurred.
- Enforcement Authority. Violating the notification provisions is an unlawful trade practice under the Alabama Deceptive Trade Practices Act (ADTPA), and the Attorney General has exclusive authority to bring an action for penalties. There is no private cause of action. The Attorney General also has exclusive authority to bring a class action for damages, but recovery is limited to actual damages plus reasonable attorney’s fees and costs. The Attorney General must submit an annual report.
- Penalties. Any entity knowingly violating the notification provisions is subject to ADTPA penalties, which can be up to $2,000/day, up to a cap of $500,000 per breach. (“Knowing” means willfully or with reckless disregard.) In addition to these penalties, a covered entity violating the notification provisions shall be liable for a penalty of up to $5,000/day for each day it fails to take reasonable action to comply with the notice provisions. Government entities are subject to the notice requirements, but exempt from penalties, although the Attorney General may bring an action to compel performance or enjoin certain acts.
- While enforcement authority is limited to notification violations, the statute also instructs entities to take “reasonable security measures”, provides guidance on conducting a “good faith and prompt investigation” of a breach, and requires covered entities to take reasonable measures to dispose of Sensitive PII. It is unclear how these provisions might be enforced, except potentially to determine if a notification violation was willful or with reckless disregard.
- “Reasonable Security Measures”. Covered entities and third party agents must implement and maintain reasonable security measures to protect Sensitive PII, and the law provides guidance on what elements to include. It also provides guidance on what an assessment of a covered entity’s security measures might consider and emphasize.
- Breach Investigation. A covered entity shall conduct a “good faith and prompt investigation”, and the law lists considerations to include in the investigation.
- Records Disposal. A covered entity or third-party agent must take reasonable measures to dispose of or arrange for the disposal of records containing Sensitive PII when they are no longer to be retained, and the law includes examples of such disposal methods.