On June 1, 2018, the Alabama Data Breach Notification Act of 2018 will take effect. Alabama is the last state to enact a breach notification law, and its new law distinguishes itself from the other forty-nine in several ways.
Consistent with other state breach notification laws, the new law defines “sensitive personally identifying information” maintained in electronic form (covered information) broadly. In addition to government issued forms of identification and financial account numbers, covered information includes an individual’s medical history, mental or physical condition, or medical treatment or diagnostic information when combined with the resident’s name. In addition, usernames or email addresses, in combination with a password or security question and answer, are also classified as covered information, but only if the account is affiliated with the entity that experienced the breach, and only if such credentials would permit access to an online account that is “reasonably likely to contain or is used to obtain” sensitive personally identifying information (i.e., if the username or email address and password grant access to covered information that triggers the notification requirement). These important caveats limit the circumstances in which entities that maintain covered information (covered entities) must notify Alabama residents of breaches involving usernames or email addresses and passwords.
Alabama also joins a minority of states that require covered entities to implement and maintain reasonable security measures to safeguard covered information. The law outlines several factors that a covered entity should consider when determining whether it has implemented reasonable security, including, but not limited to: (i) designating an employee or employees to oversee its security program; (ii) adopting and testing safeguards to address identified risks; (iii) imposing security-related terms on vendors that maintain covered information; and (iv) requiring updates to the security program to account for relevant changes. In addition, any assessment of the reasonableness of the security program must take into account the organization’s size, the amount of data it maintains, how it processes that information, and the cost of implementing and maintaining the security measures relative to the organization’s resources. This standard tracks closely with the data security requirements frequently imposed by the Federal Trade Commission in its data security consent orders.
In addition to establishing data security standards, Alabama’s law also requires covered entities to conduct a prompt investigation of any known or suspected breaches of covered information. The investigation is required to include: (i) an assessment of the nature and scope of the breach; (ii) identification of the covered information involved; (iii) a determination of whether the covered information has been or is reasonably believed to have been acquired by an unauthorized person; (iv) an assessment of the likelihood of harm; and (v) identification and implementation of measures to protect against future events.
If a covered entity determines that notice is required based on its breach investigation, such notice must be made “as expeditiously as possible and without unreasonable delay,” but no more than 45 days after determining that a breach has occurred and is likely to cause substantial harm to individuals. Alabama also joins a minority of states that require certain information to be contained within the notice, including: (i) the date or estimated date of the breach; (ii) a description of the sensitive personally identifying information involved; (iii) the steps that the entity has taken to “restore the security and confidentiality” of the information involved; (iv) ways the individual can protect themselves from identity theft; and (v) contact information for questions. Unlike most states, Alabama allows notice to affected individuals to be provided through email in addition to U.S. mail.
If the number of individuals a covered entity is required to notify exceeds 1,000, the entity must provide written notice of the breach to the Alabama Attorney General as expeditiously as possible and without unreasonable delay, but no later than 45 days after the determination that a breach has occurred. That notice must include, among other things, a synopsis of the events surrounding the breach as known at the time notice is provided. The same 1,000-individual threshold also triggers an obligation to notify the consumer credit reporting agencies.
To encourage compliance, the law includes express terms regarding enforcement penalties. Section 9 of the law states that a violation of the law’s notification provisions is deemed an unlawful trade practice under the Alabama Deceptive Trade Practices Act, which the attorney general may enforce in an action for civil penalties of up to $5,000 for each day notice to affected residents is not provided, not to exceed $500,000 per breach. Notably, however, the law’s data security obligations are carved out of this enforcement provision: failing to maintain reasonable security measures is not itself an unlawful trade practice. In addition, the attorney general may bring an action on behalf of affected individuals, but recovery in such an action is limited to the actual damages suffered, plus reasonable attorneys’ fees and costs.
With the enactment of Alabama’s data breach notification law, Alabama becomes the final state to enact such legislation. Each state’s statute is slightly different, requiring a state-by-state analysis in the event of a data breach. Federal legislation standardizing the requirements in the event of a breach has frequently been discussed, often during the immediate aftermath of a widely publicized incident, but has yet to advance.