On March 1, 2018, the Alabama Senate unanimously passed the Alabama Data Breach Notification Act of 2018 (SB 318). The bill is now in the House of Representatives, where it has since been amended by the Technology and Research Committee and awaits a vote. Spearheaded by the Attorney General’s Office, SB 318 would make Alabama the 50th state to enact data breach notification legislation.
SB 318 defines a qualifying data breach as any “unauthorized acquisition of data in electronic form containing sensitive personally identifying information (PII).” The proposed bill takes care to include ongoing and repeated data breaches in the definition, as long as the breach is perpetrated by the same offender. The release of publicly available records and law enforcement investigations, though, are not within the scope of SB 318.
Covered Entities and Information
The act has a wide breadth of covered entities ranging from individuals to commercial entities and, notably, nonprofit organizations. Under the act, an affected individual is any Alabama resident whose personal information (PI) is compromised, or “reasonably believed” to be, as a result of a data breach. SB 318 defines the following types of information as PII, when one or more is combined with an individual’s first name or first initial and last name:
- A non-truncated Social Security number or tax identification number
- A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other government-issued unique identification number
- A financial account number in combination with any security code, access code, password, expiration date, or PIN
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
- A health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer
- User name or email address combined with a password or security question
Reasonably, the act does not include public records as a category of PII. Likewise, where the data involved in the breach is encrypted or de-identified, SB 318 does not recognize it as PII and will not require consumer notification.
“Reasonable Security” for Covered Entities and Third Parties
SB 318 also imposes a requirement that each covered entity, as well as any third-party vendor of the covered entity, implement and maintain reasonable security measures to protect PII against a breach of security. The proposed statue would require that covered entities and third parties develop security measures that:
- designate an employee or employees to coordinate the covered entity’s security measures;
- identify internal and external risks;
- adopt appropriate information safeguards and assess the effectiveness of such safeguards;
- retain service providers, if any, that are contractually required to maintain appropriate safeguards for PII;
- evaluate and adjust security measures to account for changes in circumstances affecting the security of PII; and
- keep management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.
Companies should bear in mind that SB 318, will not only require an incident response plan for Alabama residents, but will also require the creation of a reasonable security plan that complies with the requirements set forth above.
The highlight of SB 318 for Alabama consumers is the Section 5 notice requirements. Pursuant to Section 5, a covered entity is required to notify individuals in the event of a breach when PII has been or is “reasonably believed” to have been acquired by an unauthorized person. Under SB 318, companies would be required to notify affected individuals within 45 days of the discovery that a data breach has occurred. The notice may be sent through the mail or by email, but must include the following: (1) the date, or an approximation thereof, of the breach, (2) a description of the sensitive PII that was acquired, (3) a general description of the actions taken to restore the security and confidentiality of the PI involved in the breach, (4) a general description of steps a consumer can take to protect himself or herself from identity theft, and (5) contact information that the individual can use to inquire about the breach. However, where the entity will face excessive cost in notifying affected individuals, where there is incomplete contact information, or where over 500,000 individuals are affected, SB 318 allows for substitute notice in the form of TV, newsprint, radio, and online advertisements.
In addition to notifying affected individuals, SB 318 requires entities to notify the Attorney General’s Office, within 45 days of discovery of a breach, when more than 1,000 people are affected. When notifying the Attorney General, the entity must include a summary of the breach, an estimate of the number of affected individuals, anticipated services that will be offered to individuals because of the breach, i.e. credit monitoring, and a contact to which questions may be directed. Alabama SB 318 also includes a consumer reporting agency notification requirement where more than 1,000 individuals are affected at once.
A violation of SB 318 will also stand as a violation of the Alabama Deceptive Trade Practices Act. There is, however, no private cause of action established by the statute and so any suits brought under it must be initiated by the Office of the Attorney General. Noncompliance with SB 318 could result in fines of up to $5,000 per day for each day that the entity fails to take reasonable action to comply with the notice provisions.
Although SB 318 has yet to pass, it appears to have an overwhelming amount of support from the state legislature. SB 318 could go into effect as early as June 2018 if the House approves it in the immediate future. For those in Alabama, and elsewhere, this is one to keep an eye on in the next few months.