Act No. 2018-396 was signed into law by Alabama Governor Kay Ivey over a year ago, on March 28th, taking effect on June 1st of 2018. The state of Alabama came late to the party, as the 50th and final state to enact data security laws. To make up for lost time, perhaps, Alabama’s data breach notification laws are now among the toughest across the nation, including the following obligations:
- All covered entities as well as third-party agents are required to “implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.”
- If a security breach is believed to have occurred or has occurred, compromising sensitive personally identifying information, the covered entity or third-party agent must immediately conduct a “good faith” investigation.
- Third-party entities must notify a covered entity, and, in turn, the covered entity is obligated to inform every single Alabama resident who could be affected when a security breach occurs.
- The Alabama Attorney General must be notified by covered entities as must credit reporting agencies whenever a security breach involves more than a thousand residents of the state of Alabama.
What is Sensitive Personally Identifying Information?
When an Alabama resident’s first and last name is used in combination with one or more of the following, then it is considered sensitive personally identifying information:
- The medical history of an individual, whether for a mental or physical condition, a treatment or diagnosis, or a health insurance policy number;
- An entire tax ID or Social Security Number;
- An email address or user name coupled with a security question or answer or a password;
- An entire Driver’s License Number;
- An entire Passport Number;
- Any other type of government identification number in its entirety, or
- A financial account number coupled with a password, PIN, expiration date or access code.
When Must Alabama Residents Be Notified?
If sensitive, personally identifying information is believed to have been acquired and it is likely that stolen information will harm those involved, covered entities must notify affected residents of the state of Alabama. Residents must be notified by mail or email in the most expeditious manner possible, no later than 45 days following the original breach. The Alabama Attorney General must also be notified when the breach involves more than 1,000 residents.
Alabama Adds Statutory Obligations for Cybersecurity
Alabama joins fourteen states that currently have stand-alone statutory obligations requiring entities to maintain reasonable cybersecurity measures; however, the state has broken new ground by elaborating on the factors used to determine “reasonableness.” In the state of Alabama, these obligations cover the service providers of covered entities as well as the covered entities themselves.
What is Reasonableness?
“Reasonableness” means the cybersecurity measures meet the following criteria:
- Appropriate safeguards must be maintained by service providers via contracts;
- External and internal cyber risks must be clearly identified;
- Data security measures must be coordinated by a designated employee or employees;
- Appropriate information safeguards must be adopted to address the identified risks, and the effectiveness of those safeguards must be assessed;
- Cybersecurity measures must be practical to implement and maintain;
- As conditions shift over time, cybersecurity measures must be evaluated and adjusted, and
- The board of directors and management of a company must be informed and updated regarding the status of the security measures put into place.
Consideration Regarding Level of Data Breach
Consideration is afforded regarding the size of the data breach, the level of personally identifying information at issue, the expense required to put security measures into place and maintain those security measures, and a determination of whether the data breaches are “multiple or systemic.”
Under the new laws, third-party providers and covered entities are obligated to take all reasonable measures to dispose of any records which contain sensitive, personally identifying information once the records are no longer required, whether by regulation, business need or applicable law.
Additional requirements of Alabama’s data breach notification law are triggered when a covered entity determines that a security breach has happened, or may have happened, involving access to sensitive, personally identifying information.
What Does a “Good Faith and Prompt Investigation” Consist Of?
When a data breach is believed to have occurred—or has definitely occurred—an investigation must include the following:
- A thorough assessment of the scope and nature of the data breach;
- Any sensitive, personally identifying information involved;
- Whether the sensitive, personally identifying information is believed to have been acquired by an unauthorized person, and the level of harm the breach could potentially cause affected individuals;
- A diligent effort to implement measures to restore security;
- Any indications of a data breach;
- Whether there is physical control or possession of sensitive, personally identifying information as with the theft of a computer;
- Whether there have been fraudulent accounts opened after a data breach which includes possession of sensitive, personally identifying information;
- Whether sensitive, personally identifying information has been downloaded or copied, and
- Whether sensitive, personally identifying information has been publicized.
Penalties for Violations of the New Law
Violations of the Alabama Deceptive Trade Practices Act are not criminal offenses and do not create a private right of action, meaning only the Alabama Attorney General can bring civil actions against a company with a data breach. There is a maximum civil penalty of $5,000 per day for failure to notify (capped at $500,000 per breach). In addition to attorney fees and other reasonable costs, only actual damages may be recovered. It is important to note that virtually every type of business is covered by the new data breach law, whether a person, a sole proprietor, a partnership, a governmental entity, a corporation, a non-profit, a trust, an estate, a cooperative association or any other business entity.