State Regulatory Developments

Alabama Passes Data Security and Data Breach Notification Statute

Alabama recently became the 50th state to pass a data breach notification statute, joining South Dakota as the last two states to enact such legislation.  The Alabama Data Breach Notification Act of 2018 (the Act) requires that a covered entity—any person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses Sensitive Personally Identifying Information—suffering a data breach must notify customers whose personally identifiable information was affected as a result.  The Act will go into effect June 1, 2018.

The Act protects the Sensitive Personally Identifying Information (SPII) of consumers, defined under the statute as 1) a non-truncated Social Security number or tax ID number; 2) a non-truncated driver’s license number, state-issued ID card number, passport number, military ID number, or other unique identification number issued on a government document to verify one’s identity; 3) financial account numbers, including a bank account number, credit card number, or debit card number, in combination with any security or access code, or other password-type key that is necessary to access the financial account; 4) any information regarding an individual’s medical history, treatment, or diagnosis by a medical professional; 5) any health insurance policy number or unique identifier; and 6) a username or email address combined with the password or security question/answer that would allow an unauthorized user access to a private online account.

The Alabama statute specifically excludes certain types of information from its definition of SPII, including information about an individual that has been made public by lawful means either through publication by a government entity or widely distributed by the media, and information that is truncated or encrypted such that elements that personally identify an individual are removed or the information is rendered unusable.

The Act also requires reasonable measures to protect SPII against a security breach, including the designation of an employee(s) to be the entity’s dedicated coordinator of security measures, identification of external and internal security risks, and the evaluation and adjustment of security measures to combat emerging threats, among others.

Upon a determination that the SPII of consumers has been acquired by an unauthorized person and it is reasonably likely to cause substantial harm to that consumer, the entity shall notify all affected parties “as expeditiously as possible.”  The Notice shall be given in writing, sent to the mailing address of the individual on record with the entity.  The Alabama Attorney General may bring an action to enforce the Act, but the Act does not create a private cause of action.

With the passage of the Alabama and South Dakota laws, all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands now have data breach notification statutes.