Alabama has officially joined the data breach notification party. Alabama Governor Kay Ivey signed Act No. 2018-396 into law on March 28, 2018. The law will take effect on June 1, 2018. Although it was last in the country to enact such a data security law, Alabama’s new law will immediately take its place among the most stringent in the nation.

The Alabama law generally can be categorized into four obligations:

  • All entities subject to the law (covered entities and third-party agents) must “implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.”
  • A “covered entity shall conduct a good faith and prompt investigation” into “a breach of security that has or may have occurred in relation to sensitive personally identifying information.”
  • A covered entity must notify each affected Alabama resident, and a third-party agent must notify the covered entity, of a “breach of security involving sensitive personally identifying information;”
  • A covered entity must notify the Alabama Attorney General and credit reporting agencies of a breach involving more than 1,000 Alabama residents.

Implementing and Maintaining Reasonable Security Measures

Alabama joins approximately 14 other states that have created stand-alone statutory obligations to maintain reasonable cybersecurity measures. Alabama’s new obligation breaks new ground, however, by elaborating in the statutory text on factors to be considered in assessing ‘reasonableness.’ Alabama’s obligation also expressly applies to both covered entities and their service providers.

In addition to being “practicable . . . to implement and maintain,” reasonableness requires:

  • designation of “an employee or employees to coordinate” the data security measures
  • identification of internal and external cyber risks
  • adoption of “appropriate information safeguards to address identified risks . . . and assess the effectiveness of such safeguards”
  • service providers to be “contractually required to maintain appropriate safeguards”
  • evaluation and adjustment of measures as circumstances change
  • informing the management and board of directors of the “overall status of its security measures.”

The same statutory section also provides that “[a]n assessment of the covered entity’s security” shall focus on the security measures “as a whole” and shall emphasize “data security failures that are multiple or systemic.” Consideration must be given to the covered entity’s: (1) size; (2) amount of sensitive personally identifying information and the type of activities involving such; and (3) cost to implement and maintain the security measures.

Section 10 of the Act requires covered entities and third-party service providers to “take reasonable measures” to dispose of records containing sensitive personally identifying information when those records “are no longer to be retained pursuant to applicable law, regulations, or business needs.”

These prescriptions are similar to some of those imposed by other states by regulation (see Massachusetts and New York Department of Financial Services). Alabama has raised the stakes, though, by including such prescriptions in its data security statute.

Data Breach Investigation and Notification

Aside from the obligation to maintain reasonable security measures noted above, the other requirements of the Alabama law are triggered by a covered entity’s determination that “a breach of security has or may have occurred in relation to sensitive personally identifying information that is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity.”

Key Definitions

A “breach of security” is the “unauthorized acquisition of data in electronic form containing sensitive personally identifying information.”

“Sensitive personally identifying information” (SPII) includes an Alabama resident’s first name/first initial and last name in combination with one or more of the following:

  • non-truncated Social Security or tax-identification number
  • non-truncated driver’s license, passport, or other government identification number
  • financial account number combined with security/access code, password, PIN or expiration date necessary to access or enter into a transaction that will “credit or debit the account”
  • individual’s medical history, mental/physical condition, medical treatment/diagnosis by a health care professional, health insurance policy/subscriber number, or other insurance identifier
  • user name or email address combined with a password or security question/answer permitting access to “an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain [SPII].”

The statute expressly excludes from SPII’s definition information that is publicly available or “is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or otherwise renders the information unusable.”

A “covered entity” includes any person or any type of business entity “that acquires or uses sensitive personally identifying information.” A “third-party agent” is an entity “contracted [by a covered entity] to maintain, store, process or is otherwise permitted to access sensitive personally identifying information.”

Required Investigations

A covered entity must “conduct a good faith and prompt investigation” upon determining that a breach of security “has or may have occurred in relation to SPII.” The statute further requires that the investigation include:

  • assessing the nature and scope of the breach
  • identifying any SPII (and the individuals to whom it relates) that may have been involved
  • determining whether SPII has been or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm to affected individuals
  • identifying and implementing “measures to restore the security and confidentiality of the systems compromised in the breach.”

The statute lists factors to be considered in determining whether SPII has been or is reasonably believed to have been acquired without authorization, including “indications”:

  • of physical possession or control of SPII by an unauthorized person, such as laptop or device loss/theft
  • of downloading or copying of the SPII
  • of unauthorized use of the SPII, such as opening fraudulent accounts or ID theft reports
  • of publication of the SPII.

Required Notifications

The Act contains notification requirements that apply to covered entities and their third-party service providers.

A covered entity generally must notify affected Alabama residents of a breach of security if two conditions are met: (1) SPII has been or is reasonably believed to have been acquired by an unauthorized person; and (2) substantial harm to affected individuals is “reasonably likely” to result.

Covered entities must notify Alabama residents, by mail or email, “as expeditiously as possible and without unreasonable delay,” but not later than 45 days after being notified of a breach by a third party agent or determining that a breach has or is reasonably believed to have occurred. There are exceptions/exemptions for law enforcement investigations and compliance with other similar laws. Notice to residents must at least include: (1) the estimated date of the breach; (2) a description of the SPII acquired without authorization; (3) a general description of remedial measures; (4) a general description of protective measures the individual may take; and (5) contact information for the covered entity.

Covered entities must notify the Alabama Attorney General (and national credit reporting agencies) under the same time constraints noted above if a breach involves more than 1,000 “individuals”—a term defined to mean Alabama residents. The notice must include: (1) “a synopsis of the events surrounding the breach;” (2) the approximate number of affected individuals; (3) any services being offered without charge to the individuals, and related instructions; and (4) contact information for the covered entity. Importantly, any information marked “as confidential” will not be subject to open records, freedom of information or other public record disclosure laws.

A third-party agent must notify the covered entity of a breach impacting relevant SPII “as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.” The third-party agent must cooperate with—and provide information in its possession to—the covered entity, which then has the notification obligations noted above. The covered entity may contractually delegate its notification obligations to a third-party agent.

Remedies and Penalties

The Alabama law contains a number of important provisions relating to remedies for violation “of the notification provisions” of the Act.

A violation of the notification provisions constitutes an “unlawful trade practice” under the Alabama Deceptive Trade Practices Act, but with very important limitations. First, a violation of the Data Breach Notification Act does not constitute a criminal offense under the Deceptive Trade Practices Act, Ala. Code 18-19-12. See our recent blog post explaining how South Dakota’s new data breach law does include criminal penalties.  Second, the Data Breach Notification Act does not create a private right of action under Section 18-19-10.

The Alabama Attorney General has exclusive authority to bring a civil action for penalties, as well as a civil action in a representative capacity for damages incurred by named individuals. The maximum civil penalty is $5,000 per day for failure to notify under the Act, capped at $500,000 “per breach.” Damages are limited to “actual damages,” plus reasonable attorney’s fees and costs.

To stay up to date on the latest developments in privacy and data security, subscribe to Ballard Spahr’s Privacy and Data Security blog, CyberAdviser.