Late to the Party? Alabama Becomes the Last State to Enact a Data Breach Notification Law

by Partners Jonathan W. Macklem and J. Paul Zimmerman

Governor Kay Ivey’s March 28, 2018, signature made Alabama the 50th state to adopt statutory requirements for maintaining data and providing notification of a data breach, just days after South Dakota passed a data breach notification statute. The debate will continue as to who was “last” given that Alabama’s statute will go into effect on June 1 of this year, before South Dakota’s becomes effective on July 1. In summary, the Alabama Data Breach Notification Act of 2018 (the “Act”) requires “covered entities” (more on that in a moment) doing business in Alabama to do the following: (1) take reasonable steps to protect sensitive customer data; (2) provide notice if the entity discovers it is the subject of a data breach; and (3) dispose of data in a secure manner.


“Covered entity” is broadly defined in the Act to include essentially any person or entity, including government entities, that acquires or uses sensitive data of other people. Data subject to the Act is defined as a first name or initial, plus a last name, plus any one of a number of specific types of information that correspond to the name, such as a credit card or account number, online login credentials, medical or health insurance information, etc. Sensitive information specifically excluded from the scope of the Act includes information lawfully made public in specific ways and anonymous or encrypted data.

Covered entities must take reasonable steps to protect data, taking into account certain factors related to an entity’s risks, the type of data it holds, appropriate safeguards already in place, the use of third-party providers, and so on. Examples might include meeting accepted standards for information security, establishing effective policies and procedures, periodically reviewing information security precautions, educating employees about threats to information security, and so on.


In the event of a breach, as defined by the Act, a covered entity must investigate the breach and notify individuals whose information “has been acquired … or reasonably believed to have been acquired” if that breach “is reasonably likely to cause substantial harm” to the individuals. Depending on the size of the breach, notification may be direct or by publication. Regardless of the method of notification, notice of the breach must contain certain specified information, such as the type of information involved, the steps being taken to remedy the breach, and how to obtain additional information. For breaches affecting at least 1,000 individuals residing in Alabama, the Attorney General must also be provided with certain information about the breach. Notice to individuals and, if required, the Attorney General, must be within 45 days of the discovery of the breach and the determination of reasonably likely harm. Notification can be delayed upon a written request from law enforcement.

If a breach occurs and the covered entity determines that notification is not required, the covered entity must document the reasons for that decision and must maintain that documentation for at least five years beyond any other legal or business requirement for the information.

Interested in learning more? Visit Jon’s earlier video blog post about the Alabama Data Breach Notification Act of 2018.

The Act establishes civil and criminal penalties for covered entities that fail to comply with the statutory requirements. A knowing violation of the Act constitutes a deceptive trade practice under Alabama’s Deceptive Trade Practices Act (Ala. Code § 8-19-1, et seq.). The law allows for civil penalties up to $500,000 for knowing violations and includes a penalty of $5,000 per day for a covered entity’s failure to provide timely notification of a data breach. However, enforcement of the Act is reserved for the Attorney General; the Act specifically states that it does not create a private cause of action. Notwithstanding this exclusion, we anticipate that attorneys for individuals affected by a breach will argue that the Act serves as a basis of liability under a negligence per se theory, which allows the standard of care to be set by statute when certain circumstances exist.

While the Act specifically excludes companies already regulated by federal laws that require data breach notification, such as banks and health care entities, the Act will have a profound impact on Alabama businesses throughout most industries. Companies should evaluate whether their data protection measures and policies are in compliance with the Act. In addition, the Act further intensifies the need for businesses to have a data breach response plan in place. This plan should include engaging necessary stakeholders, such as IT personnel, data breach counsel, human resources, public relations, outside forensic investigators, and various operational and business unit personnel. Businesses should strongly consider procuring cyber-liability insurance before a breach occurs. The need for insurance is particularly compelling because most policies cover the costs of both forensic analysis and notification, which taken together can be expensive. Very few expenses arising from a data breach are covered by general liability or other policies.

Christian & Small’s Cyber Liability and Data Breach Practice Group will closely monitor activities from the Attorney General’s office and any other litigation that results from this Act. If you have any questions about this Act or would like to set up a consult to discuss the Act’s compliance requirements, please contact either Paul Zimmerman or Jon Macklem.

No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers.
