The Alabama Data Breach Notification Act of 2018
| Jurisdiction | Alabama,United States |
| Citation | Vol. 79 No. 5 Pg. 0333 |
| Pages | 0333 |
| Publication year | 2018 |
By Edward A. Hosp, Starr T. Drum and Sarah S. Glover
The Alabama State Bar, in conjunction with the Alabama Supreme Court and the Administrative Office of Courts, created the Alacourt.com and Personal Identifying Information Task Force that is reviewing how lawyers and Alacourt address personal identification information, which also includes review of the new data breach law and its effect on the profession. Mike Ermert (mike@hwnn.com) and Tom Heflin (tom@tomheflinlaw.com) are the Alabama State Bar points of contact. The task force will make recommendations in the near future that will be applicable to our members.
Senate Bill 318, which became the Alabama Data Breach Notification Act ("the Act") was introduced in the Alabama Senate by Senator Arthur Orr on Tuesday, February 13, 2018. It was revised significantly at every stage of the legislative process before receiving final passage on March 27. The bill was signed by Governor Kay Ivey on March 28 and became Act 2018-396. The new law went into effect on June 1.
The primary intent-and one could argue the only effect-of the legislation is to require timely notice to affected individuals when their personal information has been compromised, and to provide an enforcement mechanism for the Alabama Attorney General when a covered entity fails to provide that notice. Thus, only the failure to notify affected individuals and, when the breach affects more than 1,000 individuals, the attorney general, of a breach subjects an entity to penalties under the Act.1 That said, there are actions that businesses are "required" to take, and, therefore, should be aware of, under various additional provisions of the new law.
I. What Entities Are Covered?
It is difficult to imagine any business operating in today's world that would not be covered by the new Alabama law. According to the definitions, a "covered entity" is a person or a business of any kind that acquires what the law calls "Sensitively Personally Identifying Information" ("SPII"). The Act covers SPII of any individual-customer, employee, contractor or any other person.
II. What Is a "Breach Of Security"?
A "breach of security" or "breach" is defined as the "unauthorized acquisition of data in electronic form containing [SPII]." Multiple instances of unauthorized acquisition by the same source constitute a single breach.
III. What Data Is Considered "Sensitive"?
The new law requires notice when SPII in electronic form is acquired by an unauthorized entity. SPII is defined to include non-truncated data points that could facilitate identity theft, financial fraud or other harm when combined with the person's first name or initial and their last name. These include:
• Social Security number or tax ID number;
• Driver's license number, state-issued identification card number, passport number or military identification number;
• Bank account number, credit card number or debit card number (in combination with any security code, access code, password, expiration date or PIN);
• Information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis;
• An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
• A user name or email address (in combination with a password or security question and answer that would permit access to an online account).
IV. What Is Required Before a Breach?
Act 2018-396 includes a few "requirements" for businesses that are preventative in nature. Specifically, the Act requires a covered entity to conduct an assessment of its data security, and then establish reasonable security measures to protect SPII from being breached. The Act also requires businesses to take reasonable steps when disposing of SPII to mitigate the risk of it falling into the wrong hands.
With respect to the evaluation and implementation of reasonable security measures, the Act provides guidance on how this should be done, but, as noted above, the only provisions of the Act that include an enforcement mechanism relate to the failure of an entity to provide notice to individuals or the Attorney General after a breach. Thus, while a business should evaluate its security program, take steps to prevent data breaches in order to comply with other applicable laws and prevent financial and reputational damage, failure to do so would not result in the imposition of a penalty under the new Alabama law.
Under the Act, what is required of a business for both the evaluation of its security needs and the implementation of reasonable security measures is expressly tied to the relative size of the entity, as well as the amount and type of SPII the business has in its possession. Also relevant to what is reasonable for a business to implement is the cost that would be incurred to put in place and to maintain certain security measures. In implementing a system of security, the Act instructs an entity to consider all of the following:
• Designation of an employee or employees to coordinate the covered entity's security measures to protect against a breach of security. An owner or manager may designate himself or herself;
• Identification of internal and external risks of a breach of security;
• Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards;
• Retention of service providers, if any, who are contractually required to maintain appropriate safeguards for SPII;
• Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of SPII; and
• Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.
V. What Is Required After a Breach?
A. Good Faith Investigation And Evaluation
Section 4(a) requires an entity that has suffered a breach to conduct a "good faith and prompt investigation" to determine:
• The scope of the breach;
• Whose information was compromised, and the nature of that information;
• Whether the breached information is "reasonably likely to cause substantial harm" to the person(s) whose information was lost; and
• Measures to be taken to restore security of the information and system breached.
Section 4(b) provides factors to consider in determining whether the breach is "reasonably likely to cause substantial harm." These factors include that the information is in the physical possession of an unauthorized person; that the information has been copied or downloaded; that the information has been used by an unauthorized person; and/or if the breached information has been made public.
It is imperative that a business maintain careful records of its activities following a breach, particularly relating to a determination of whether the breach was one that was "reasonably likely to cause substantial harm." Section 5 of the Act, which relates to the provision of notice, explicitly requires that records relating to this determination be maintained by the affected entity for five years.
B. Notice to Affected Individuals
Section 5 of the Act requires an entity that has determined it has suffered a breach of information that is "reasonably likely to cause substantial harm" to give notice of the breach to the affected Alabama residents. Notice must be given "as expeditiously as possible and without unreasonable delay," but in no event more than 45 days from the determination of the breach. Notice can (and should) be delayed when requested by federal or state law enforcement based on a criminal investigation or national security issues.
The time to inform individuals (and the attorney...
To continue reading
Request your trial