On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.
What Data?
The Alabama Data Breach Notification Act of 2018 (S.B. 318) goes into effect on June 1, 2018, and largely mirrors the requirements of many notification laws. Specifically, Alabama’s law pertains to “sensitive personally identifying information.” Sensitive personally identifying information includes an Alabama resident’s first name or first initial and last name in combination with any of the following:
- Non-truncated Social Security or tax-identification number;
- Non-truncated driver’s license, passport, or other government identification number;
- Financial account number combined with security/access code, password, PIN, or expiration date necessary to access or enter into a transaction that will “credit or debit” the account;
- Username or email addresses in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information; and
- Health information, such as an individual’s medical condition, patient history, and health insurance identification numbers.
The Alabama Law also has some important exclusions from the definition of sensitive personally identifying information. First, sensitive personally identifying information excludes information that is publicly available. Second, any information that is “truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or otherwise renders the information unusable” does not constitute sensitive personally identifying information.
Who Must Comply?
The Alabama Law applies to “Covered Entities” and their “Third-Party Agents.” A “Covered Entity” is defined as a “person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association or other business entity that acquires or uses sensitive personally identifying information.” A “Third-Party Agent” is defined as “an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a Covered Entity.”
What Does the Law Require?
With respect to notifications, a Covered Entity must notify affected Alabama residents of a breach of security if two conditions are met: (1) sensitive personally identifying information has been or is reasonably believed to have been acquired by an unauthorized individual, and (2) substantial harm to affected individuals is “reasonably likely” to result. Therefore, a Covered Entity must conduct an investigation following a data incident to determine whether the data event actually constitutes a breach under Alabama Law. If the event meets the definition, then the Covered Entity must provide notice no later than 45 days after determining that a breach has occurred or is reasonably believed to have occurred. If the breach involves more than 1,000 individuals, then the Covered Entity must also notify the Alabama Attorney General.
Third-Party Agents have a tighter timeframe for notification. Under the Alabama Law, a Third-Party Agent must notify the Covered Entity of a breach “no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.” The Third-Party Agent must cooperate with the Covered Entity by providing information in its possession relating to the breach to the Covered Entity. Further, a Covered Entity may contractually delegate notification obligations to the Third-Party Agent. Finally, Covered Entities, Third-Party Agents, and their service providers must maintain reasonable cybersecurity measures. Alabama distinguishes itself by identifying factors to be considered in assessing the reasonableness of such measures. Considerations include:
- Designation of an employee to coordinate the data security measures;
- Identification and documentation of internal and external vulnerabilities;
- Regular briefing to management of the “overall status of its security measures;” and
- Contractual requirements for service providers to maintain appropriate safeguards.
These factors are also scalable. An assessment of a Covered Entity’s security focuses on the totality of circumstances, including the Covered Entity’s size, the amount of sensitive personally identifying information and the type of activities involving such data, and the cost to implement and maintain the security measures.
What are the Penalties?
A violation of the notification provisions of the Alabama Law constitutes an unlawful trade practice under the Alabama Deceptive Trade Practices Act. Unlike some unlawful trade practices, failure to comply with the Alabama Law does not constitute a criminal offense, nor does it create a private right of action.
The Alabama Attorney General has the sole authority to bring a civil action for violation of the Alabama Law. The maximum civil penalty is $5,000 per day for failure to notify. This penalty is capped at $500,000 per breach, and damages are limited to actual damages, plus attorney’s fees and costs.
Takeaways
Although the United States does not have an omnibus federal breach notification statute, entities conducting business in any of the fifty states or the District of Columbia must be prepared to deliver appropriate notice WHEN (not if) the entity suffers a breach. Although many breach notification laws contain similar language, the definition of a breach and the proactive and reactive duties related to breach response vary depending upon the affected individual’s state of residence. Alabama is similar to its breach notification brethren in many ways, but includes specific reasonable security measure requirements, possible notification to the Attorney General, and a short ten-day period for Third-Party Agents to notify a Covered Entity of a breach. Any entity conducting business in the United States should understand the type of data it collects and the jurisdictions to which that data belongs in order to survey the universe of laws and regulations demanding compliance.