The Alabama Senate unanimously passed the Alabama Data Breach Notification Act (Senate Bill 318) last February 2017, so now the bill is in the hands of the House of Representatives. Alabama and South Dakota are the only states today that still do not have a law that requires the notification of victims of personal data breaches, although South Dakota has a similar pending bill already.
Senator Arthur Orr (R-Decatur) proposed the Alabama Breach Notification Act. The bill requires all companies and businesses in the state of Alabama to send notification letters to state residents in case their sensitive personal information has been compromised and the breach could result to substantial harm to the victims.
The Alabama Data Breach Notification Act will cover all business entities including individuals, sole proprietorships, partnerships, corporations, trusts, non-profits, estates, government entities and cooperative associations that access or use sensitive personally identifying information.
The bill defines sensitive personally identifying information as information that is not encrypted, truncated or hashed and includes the first name/first, initial and last name in combination with any of the listed data elements below:
- Social Security number
- Tax ID number
- State identification card number
- Military identification number
- Driver’s license number
- Passport number
- Other unique government issued ID number
- Medical information, which may include medical history, treatment procedures or diagnosis or mental/physical exam results
- Health insurance number or unique identifiers utilized by health insurers for identifying a person
- Financial account number (it could be a bank account, debit card or credit card) including an expiry date, PIN, security code, password, or any information used for conducting a financial transaction
- Username or email address together with a password or answer to a security question that would permit account access
As per the Alabama Data Breach Notification Act, entities that have any of the above information must
- Implement security measures that ensure the protection of sensitive personally identifiable information.
- Do a risk analysis to identify potential security risks
- Adopt safeguards to reduce the risks to a reasonable level
- Allocate a budget enough to implement safeguards appropriate for the sensitivity of the data, the volume of data and the size of the organization
The proposed Alabama Data Breach Notification Act requires the notification of data breach victims to be issued within 45 days of the breach discovery. The attorney general’s office should also receive a breach notice if there are over 1,000 persons impacted by the breach. Failure to submit to this requirement could easily attract a fine of $5,000 per day up to $500,000 per breach. The attorney general’s office can file the lawsuits in behalf of breach victims. Private entities may also file lawsuits.
Breach notification letters should include the following information:
- Date or estimated date of the breach incident
- Details of exposed information
- Recommended steps that breach victims can do to protect themselves against harm
- Information on the steps taken by the breached entity to restore data security and confidentiality contact information for further information about the breach
Data breach notification laws in other US states consider HIPAA-compliant covered entities as exempted from the state data breach notification law. This is not so in Alabama. HIPAA covered entities have up to 60 days from discovering a breach to notify victims. Alabama business and companies will only have 45 days to send breach notifications.