Law
TBD (effective date June 1, 2018)
Timing of Consumer Notification
“As expeditiously as possible and without unreasonable delay” and no later than 45 days.
Method of Notice
Mail or email.
Breach Definition
Unauthorized acquisition of data in electronic form containing sensitive personally identifying information.
PII Definition
The Alabama law defines sensitive personal information as an individual’s first name or first initial, plus last name, in combination with any of these:
  1. Non-truncated Social Security number or tax identification number;
  2. Non-truncated driver’s license, passport or government-issued identification number;
  3. Financial account number combined with security/access code, password, PIN, or expiration date;
  4. Individual’s medical history, mental/physical condition, medical treatment/diagnosis by health care professional, health insurance policy/subscriber number, or other insurance identifier; or
  5. User name or email address combined with password or security question/answer permitting access to online account affiliated with covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
Third Party Notice
If data maintainer maintains covered data for someone else, it must notify data owner if it becomes aware of breach of security that has or may have occurred in relation to sensitive personal identifying information.
How to Notify
Must include, at a minimum:
  1. Estimated date of breach;
  2. Description of sensitive personal identifying information acquired;
  3. Remedial measures taken;
  4. General description of protective measures individual may take; and
  5. Contact information for notifying person or entity.
Substitute Notice
Both: (a) conspicuous posting of notice on covered entity’s website; and (b) notice in print and in broadcast media, including major media in urban and rural areas where affected individuals reside.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Alabama residents must be notified.
This State's Law
Data owners and their service providers must implement and maintain reasonable cybersecurity measures. Consideration is given to covered entity’s size, amount of sensitive personally identifying information it has, and cost of such measures.
State Government Agency Notification Required
If more than 1,000 Alabama residents must be notified, must notify Alabama Attorney General.