Alabama Senate Bill 318

The Alabama legislature recently enacted the Data Breach Notification Act (“Act”), effective June 1, 2018.

A “Breach of Security” or “Breach” is the unauthorized acquisition of data in electronic form containing sensitive personally identifying information.  Acquisition occurring over a period of time committed by the same entity constitutes one breach. The term does not include any of the following:

• Good faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use;
• The release of a public record not otherwise subject to confidentiality or nondisclosure requirements; or
• Any lawful investigative, protective, or intelligence activity of a law enforcement or intelligence agency of the state, or a political subdivision of the state.

A “Covered Entity” is a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.

“Data in Electronic Form” is any data stored electronically or digitally on any computer system or other database, including, but not limited to, recordable tapes and other mass storage devices.

A “Government Entity” is the state of Alabama, a county, or a municipality or any instrumentality of the state of Alabama, a county, or a municipality.

An “Individual” is any Alabama resident whose sensitive personally identifying information was, or the covered entity reasonably believes to have been, accessed as a result of the breach.

“Sensitive Personally Identifying Information” means an Alabama resident’s first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident:

• A non-truncated Social Security number or tax identification number;
• A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual;
• A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
• Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
• An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; and/or
• A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

Sensitive personally identifying information does not include either of the following:

• Information about an individual which has been lawfully made public by a federal, state, or local government record or a widely distributed media; or
• Information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information.

A “Third Party Agent” is an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.

The Act requires each covered entity and third-party agent to implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.  The Act specifies what are considered reasonable security measures and provides that the size of the covered entity, the amount and type of sensitive personally identifying information the covered entity handles and the cost to implement and maintain reasonable security measures are factors to consider when assessing a covered entity’s security.

If a covered entity determines that a breach of security has or may have occurred in relation to sensitive personally identifying information that is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity, the covered entity must conduct a good faith and prompt investigation that meets specified requirements.

A covered entity (that is not a third-party agent) must give notice of a breach to each individual if it determines that, as a result of a breach of security:

• Sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person; and
• It is reasonably likely to cause substantial harm to the individuals to whom the information relates.

Notice must be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to allow the covered entity to conduct an investigation.  Unless otherwise provided below, the covered entity must provide notice within 45 days of discovering that a breach has occurred and is reasonably likely to cause substantial harm to the individuals to whom the information relates.

If a federal or state law enforcement agency determines that notice to individuals would interfere with a criminal investigation or national security, the notice must be delayed upon receipt of written request of the law enforcement agency for a period that the law enforcement agency determines is necessary.

Notice to an affected individual must be given in writing, sent to the mailing address of the individual or by email notice sent to the mailing address or email address of the individual in the records of the covered entity.  The notice must include at least the following:

• The date, estimated date, or estimated date range of the breach;
• A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach;
• A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach;
• A general description of steps an affected individual can take to protect himself or herself from identity theft; and
• Information that the individual can use to contact the covered entity to inquire about the breach.

A covered entity required to provide notice may provide substitute notice in lieu of direct notice if direct notice is not feasible due to excessive cost (as defined), lack of sufficient contact information or the more than 100,000 are affected.  The Act provides the forms for substitute notice that are permissible.

If more than 1,000 people are affected by the breach, the covered entity must notify the Alabama Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

A third-party agent that has experienced a breach of security in the system maintained by the agent must notify the covered entity of the breach no later than 10 days following discovery of the breach.

A violation of the notification provisions of the Act constitute an unlawful trade practice under the Alabama Deceptive Trade Practices Act.  Any covered entity or third-party agent who knowingly engages in a violation of the notification provisions will be liable for civil penalties of not more than $5,000 per day for each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions.

A covered entity or third-party agent must take reasonable measures to dispose, or arrange for the disposal, of records containing sensitive personally identifying information within its custody or control when the records are no longer required to be retained.  Disposal means modifying the personal information in the records to make it unreadable or undecipherable through any reasonable means consistent with industry standards.

The following entities are exempt from the Act:

• An entity subject to or regulated by federal laws, rules, regulations, procedures, or guidance on data breach notification established or enforced by the federal government; and
• An entity subject to or regulated by state laws, rules, regulations, procedures, or guidance on data breach notification that are established or enforced by the state government and are at least as thorough as the notice requirements provided by the Act.

In order to be exempt, the above described entities must do the following:

• Maintain procedures pursuant to those laws, rules, regulations, procedures, or guidance;
• Provide notice to affected individuals pursuant to those laws, rules, regulations, procedures, or guidance; and
• Timely provide a copy of the notice to the Alabama Attorney General when the number of individuals the entity notified exceeds 1,000.