Alabama’s new breach law
Published 3:00 am Friday, April 13, 2018
On 28 March 2018, Governor Kay Ivey signed into law Alabama Senate Bill 318, effective 1 June 2018. The law will be known as the Alabama Data Breach Notification Act of 2018. Alabama became the fiftieth state to enact a breach notification law.
Alabama’s law only applies to electronic data.
The US does not have a single, centralized national law regulating the collection and use of all personal information. Instead, there is a collection of state and federal statutes and guidelines that often overlap, contradict and confuse one another. The federal privacy laws that regulate the collection and use of personal data are somewhat narrow, each applying to a discrete category of information, such as financial, health, and some electronic communications data.
Starting June 1, 2018, private and public entities must establish reasonable data security measures and notify affected individuals when personal data has been compromised. Despite Alabama being last to the data breach notification parade, our law has been described as among the most stringent in the nation. From my personal experience, I agree: Alabama’s law takes into consideration third-party service providers, which many states neglect. Alabama’s inclusion of “third-party agents,” that is to say, entities contracted to maintain, store, process, or otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity, is outstanding for Alabama’s citizens – there is no hiding and no passing of the proverbial buck: if you collect electronic information from your customers, you are responsible for it.
Under Alabama law, any breached entity that determines the compromised information is “reasonably likely to cause substantial harm” must notify those affected as “expeditiously as possible,” but no later than 45 days after discovery. But Alabama doesn’t stop with notification. The law specifically states that entities must conduct a prompt, good-faith investigation if a breach is suspected or confirmed: they must identify the nature and scope of the breach, determine whether individuals have been harmed as a result of it, and restore security. Cleverly, Alabama doesn’t focus exclusively on telling citizens that they have been compromised; rather, the law considers the entire spectrum of an attack: breach, remedy, and restoring proper data security hygiene.
Alabama’s law also requires covered entities and third-party agents to implement and maintain reasonable security measures to protect personally identifying information against security breaches. Among the specifications are designation of a security lead, identification of risks, adoption of formal safeguards, requiring third parties to protect data, and keeping management informed of the overall status of security efforts.
Alabama’s law also takes an interesting approach to enforcement. The Attorney General has exclusive authority to bring a civil action for penalties for non-compliance, as well as for damages to individuals. Failure to comply with the notification provisions of the Alabama law constitutes an unlawful trade practice under Alabama’s Deceptive Trade Practices Act, and the Attorney General can impose a maximum penalty of $5,000 per day for failure to notify of a breach, capped at $500,000 per breach.
The law is well written and addresses the major areas of concern: those to whom the law applies, responses to breaches, notification of affected Alabama residents, remediation, and penalties. Further, the Alabama law requires reasonable cybersecurity measures and describes what reasonableness means – that is very uncommon among the other states’ breach notification laws.
The law essentially covers the entire Alabama business landscape as well as government agencies. It protects “sensitive personally identifying information” from unauthorized access. But the law only covers unauthorized access to unencrypted computerized data (or encrypted computerized data where the encryption key is compromised), and so does not extend to unauthorized access to non-computerized data. Lastly, Alabama’s law includes a disposal provision that requires covered entities and third-party agents to take reasonable measures to dispose of any records containing sensitive personally identifying information when the records are no longer needed pursuant to “applicable law, regulations, or business needs.”
Perhaps being last to craft a law isn’t all that bad; Alabama’s law is very comprehensive.