On March 28, 2018, Alabama joined the other forty-nine states by enacting a ground-breaking new data breach notification law – one of the most comprehensive in the nation. The Alabama Data Breach Notification Act of 2018, which will go into effect on June 1, 2018, contains three (3) basic requirements:
Covered entities and their third-party service providers shall implement and maintain reasonable information security measures;
Upon discovering a security breach, covered entities shall conduct a prompt investigation;
Under certain conditions, covered entities shall notify the following of a security breach: a) impacted Alabama residents; b) the Alabama Attorney General’s office; and c) consumer reporting agencies.
What is a “Security Breach”?
The Act defines “security breach” as the “unauthorized acquisition of data in electronic form containing sensitive personally identifying information.” Two key things to note here are that: 1) the Act does not extend to incidents involving paper records; and 2) only sensitive personal information is in scope.
“Sensitive personally identifying information” is defined here as an Alabama resident’s first name or first initial and last name in combination with a social security number or tax identification number, driver’s license or other government-issued identification number, financial account number with access information, medical information, health insurance policy number or unique subscriber identification number and unique identifier, or user name or email address in combination with a password or security question and answer.
Notice obligations are triggered when the foregoing types of information have been acquired by an unauthorized person, but only if the covered entity believes the security breach is reasonably likely to cause substantial harm. Encryption of the data acts as a safe harbor so long as the covered entity has reason to believe that the encryption key was not exposed.
What must a business do to comply?
Determine if the Act applies to your company.
The Act extends to any entity that maintains sensitive information on Alabama residents, not just to Alabama companies.
Entities that are already subject to federal or state rules, regulations, procedures, or guidance (e.g., financial institutions, health care entities) and maintain procedures regarding notification pursuant to those requirements are exempt from the Act. Note, however, that such entities are still required to notify the Alabama Attorney General if the number of individuals notified under other applicable laws or regulations exceeds 1,000.
Perform a cybersecurity risk assessment and revise your company’s information security program accordingly.
There are a number of requirements under the Act to identify both internal and external risks to the sensitive data your company maintains, and to establish an information security program that is designed to mitigate those risks. A risk assessment could be performed with in-house personnel or else through an independent third party, which should be engaged by outside counsel in order to maximize the application of the attorney-client privilege.
Evaluate your company’s cybersecurity corporate governance structure.
Covered entities will also be required to designate one or more employees to coordinate their respective information security program (like a Chief Information Security Officer), as well as keeping management, including a board of directors, if any, adequately informed of the company’s cybersecurity program and the risks it faces.
Review your company’s relevant vendor contracts.
The Act places significant emphasis on third party service providers, and specifically requires that a covered entity retain service providers who are contractually required to maintain appropriate safeguards to protect sensitive personally identifying information.
Review your company’s incident response plan.
Alabama is one of several other states that now have a concrete notification deadline (45 days). Companies that do not have an adequate plan in place to address data security incidents will be hard-pressed to meet the notification deadline, as well as the Act’s requirement to perform a sufficient investigation of the incident, if they wait until after an incident happens to begin the conversation about response strategy.
What are the penalties for noncompliance?
Violations of the notification provisions of the Act are considered unlawful trade practices under the Alabama Deceptive Trade Practices Act. Covered entities may be liable for a civil penalty of up to $5,000 per day for each consecutive day that an entity does not comply with the notice requirements of the law. The Attorney General may also seek civil penalties of up to $500,000 against covered entities or third party agents who knowingly violate the notification provisions of the Act. The Act does not provide for a private cause of action.