data breach notification law

Taft summer associate Jordan Jennings-Moore contributed to this article.

In today’s world, very few people remain completely unscathed by a data breach somewhere. From Target to Anthem, Wendy’s or Equifax, individuals across the country have grown accustomed to getting breach notification letters. Most recently, Alabama and South Dakota became the last two jurisdictions in the United States to adopt data breach notification laws. This means that any person or entity conducting business in the U.S. must be prepared to protect personal identifying information (PII) belonging to customers, clients, and employees.

Encryption is an easy way to protect PII. It wasn’t always that way, but technologies have made it easier and cheaper to do. And this has legal benefits. A common trend seen amongst all U.S. jurisdictions is an encryption exception to providing notice of a data breach. Why? Well, because encrypted data is not “personal data.” Therefore, loss of encrypted data is often not a “breach” under the law. Encryption saves you time, your reputation and thousands, if not millions, of dollars. That’s huge.

During her time at Taft, our Dayton summer associate Jordan Jennings followed the trends of data breach notification laws and worked with me on updating our materials to reflect the ever-changing world of state privacy and security law (i.e. California). I asked her to pitch in on this update and report on some of her findings below. (Spoiler alert: encryption is a pretty big deal.)



On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.

What Data?
The Alabama Data Breach Notification Act of 2018 (S.B. 318) goes into effect on June 1, 2018, and largely mirrors the requirements of many notification laws. Specifically, Alabama’s law pertains to “sensitive personally identifying information.” Sensitive personally identifying information includes an Alabama resident’s first name or first initial and last name in combination with any of the following:

  • Non-truncated Social Security or tax-identification number;
  • Non-truncated driver’s license, passport, or other government identification number;
  • Financial account number combined with security/access code, password, PIN, or expiration date necessary to access or enter into a transaction that will “credit or debit” the account;
  • Username or email addresses in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information; and
  • Health information, such as an individual’s medical condition, patient history, and health insurance identification numbers.

