All U.S. states now have laws about data security and what to do when there’s a data breach. Alabama was recently the 50th state to enact such a law, and it takes effect on June 1, 2018. Here are its highlights.
Who The Law Applies To. The law applies to anyone who acquires or uses sensitive personally identifying information. It also applies to anyone who maintains, stores, processes or is permitted access to sensitive personally identifying information on behalf of someone else.
The Alabama law defines sensitive personally identifying information as an individual’s first name or first initial and last name in combination with any of the following:
- Non-truncated Social Security number or tax identification number; or
- Non-truncated driver’s license, passport or government-issued identification number; or
- Financial account number combined with a security/access code, password, PIN, or expiration date; or
- Individual’s medical history, mental/physical condition, medical treatment/diagnosis by a health care professional, health insurance policy/subscriber number, or other insurance identifier; or
- User name or email address combined with a password or security question/answer permitting access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
What The Law Requires. The trigger is when the data owner becomes aware of a breach of security that has or may have occurred in relation to sensitive personally identifying information. A data maintainer must notify the data owner if it becomes aware of the same. The data owner must conduct a good faith and prompt investigation to determine if there has been a breach. The investigation must include:
- assessing the nature and scope of the breach;
- identifying any sensitive personally identifying information (and the individuals to whom it relates) that may have been involved;
- determining whether sensitive personally identifying information has been or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm to affected individuals; and
- identifying and implementing measures to restore the security and confidentiality of the compromised systems.
If there has been a breach, notification of affected residents is required. If more than 1,000 Alabama residents must be notified, the person providing notification must also notify the Alabama Attorney General and major consumer credit reporting agencies. Specific information must be provided to the Alabama Attorney General.
What is a Breach. The term “breach” under this law means unauthorized acquisition of data in electronic form containing sensitive personally identifying information.
When and How To Notify. If a breach is confirmed, the data owner must notify the individual “as expeditiously as possible and without unreasonable delay” and no later than 45 days. Notice by regular mail or email is permitted. The notification must include, at a minimum, the following:
- The estimated date of the breach;
- Description of the sensitive personally identifying information acquired;
- Remedial measures taken;
- General description of protective measures the individual may take; and
- Contact information for the notifying person or entity.
Substitute notice may be permitted if notice would impose excessive cost on the covered entity relative to its resources or would cost more than $500,000; if more than 100,000 residents need to be notified; or if there is not sufficient contact information for the residents who need to be notified. Substitute notice includes both of the following: (a) conspicuous posting of the notice on the covered entity’s website; and (b) notice in print and broadcast media, including major media in the urban and rural areas where the affected individuals reside.
What if Law Enforcement is Involved. The law provides that notification “shall be delayed” if a law enforcement agency determines that notification would interfere with a criminal investigation or national security, upon receipt of the agency’s written request for a delay for a period that the agency determines is necessary. Close cooperation with law enforcement, to protect the interests of the business, is well advised.
What are the Law’s Penalties. Penalties for failing to comply are $5,000 per day for failure to notify, capped at $500,000 per breach. Only the Alabama Attorney General has the power to bring a civil action for penalties. The Alabama Attorney General may also bring a civil action in a representative capacity for damages incurred by named individuals. Damages are limited to actual damages plus reasonable attorneys’ fees and costs. A violation of the notification provisions constitutes an “unlawful trade practice” under the Alabama Deceptive Trade Practices Act, which also allows Attorney General enforcement. There is no private right of action under any of these avenues.
Requirement of Reasonable Security Measures. The law requires that data owners and their service providers implement and maintain reasonable cybersecurity measures. “Reasonableness” has several defining elements, including designation of an employee to coordinate data security measures, identification of cyber risks, adoption of appropriate safeguards, ongoing evaluation of those measures, and disposal of records that are no longer required to be retained. Consideration is given to the covered entity’s size, the amount of sensitive personally identifying information it holds, and the cost of such measures.
In the event of a breach, a business should consider acting immediately to secure its systems, send notifications, and protect itself and its customers. It is also advisable to have a data breach response plan in place, and to test that plan before a breach arises.