Act No. 2018-396 was signed into law by Alabama Governor Kay Ivey over a year ago, on March 28th, taking effect on June 1st of 2018. The state of Alabama came late to the party, as the 50th and final state to enact data security laws. To make up for lost time, perhaps, Alabama’s data breach notification laws are now among the toughest across the nation, including the following obligations:
- All covered entities as well as third-party agents are required to “implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.”
- If a security breach is believed to have occurred or has occurred, compromising sensitive personally identifying information, the covered entity or third-party agent must immediately conduct a “good faith” investigation.
- Third-party entities must notify a covered entity, and, in turn, the covered entity is obligated to inform every single Alabama resident who could be affected when a security breach occurs.
- Covered entities must notify the Alabama Attorney General, as well as credit reporting agencies, whenever a security breach involves more than a thousand residents of the state of Alabama.