Finally, Alabama has a law requiring companies to notify residents whose personal information has been exposed or compromised in a data breach. On March 28, 2018, Governor Kay Ivey signed the data breach notification law, which will take effect on May 1, 2018. It took a long time for Alabama residents to get this kind of law to protect them. Now they have one of the strictest data breach notification laws among the 50 U.S. states.
All states now have a data breach notification law, but only 28% of the states, including Alabama, require covered entities (service providers included) to implement reasonable security measures to protect residents’ personally identifying information (PII). Sensitive personally identifying information refers to a state resident’s first name or first initial and last name in combination with one of the following data elements:
- non-truncated Social Security or tax-identification number
- non-truncated passport, driver’s license, or other government identification number
- a financial account number with the security/access code, password, PIN or expiration date required to access the account or enter into a transaction that will “credit or debit the account”
- health insurance policy/subscriber number, or other insurance identifier
- medical history, mental/physical condition, medical treatment/diagnosis
- user name or email address with a password or security question/answer allowing access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to get Sensitive PII
As per the Data Breach Notification Act, at least one employee must be appointed to manage data security measures. Covered entities need to conduct a risk assessment to determine what counts as ‘reasonable security measures.’ Appropriate safeguards must then be put in place to address the identified risks and reduce them to a reasonable level. When circumstances change, the safeguards must be reevaluated and adjusted.
Personal information that is no longer required must be permanently destroyed by covered entities. When a data breach occurs, the covered entity must conduct a “good faith and prompt investigation.” The investigation needs to determine the nature and scope of the breach, the types of information compromised, the likelihood that an unauthorized person acquired the information, and the likelihood that the breach will result in substantial harm. The covered entity must also take measures to restore the security of its systems.
Covered entities are required to issue breach notifications to affected individuals “without unreasonable delay,” and in any case within 45 days of discovering the breach. The notification letter must contain the following information:
- the date – or estimated date – of the breach
- the type of information exposed or stolen
- a general description of the remedial measures the covered entity took in response to the breach
- a list of actions residents can take to protect themselves against identity theft and fraud
- contact information residents can use to find out more about the breach
Aside from notifying affected persons, covered entities must notify the Alabama state attorney general within 45 days if more than 1,000 individuals are affected. Being covered by the HIPAA rules does not mean that a covered entity is automatically in compliance with the Alabama Data Breach Notification Act.
Violations of the Alabama Data Breach Notification Act carry penalties under the Alabama Deceptive Trade Practices Act; they are not classed as criminal offenses. The maximum penalty for failing to issue breach notifications after the 45-day deadline has passed is $5,000 per day, and the maximum civil monetary penalty for violating the Data Breach Notification Act is $500,000.