Alabama has officially joined the data breach notification party. Alabama Governor Kay Ivey signed Act No. 2018-396 into law on March 28, 2018. The law will take effect on June 1, 2018. Although it was last in the country to enact such a data security law, Alabama’s new law will immediately take its place among the most stringent in the nation.
The Alabama law generally can be categorized into four obligations:
- All entities subject to the law (covered entities and third-party agents) must “implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.”
- A “covered entity shall conduct a good faith and prompt investigation” into “a breach of security that has or may have occurred in relation to sensitive personally identifying information.”
- A covered entity must notify each affected Alabama resident, and a third-party agent must notify the covered entity, of a “breach of security involving sensitive personally identifying information;”
- A covered entity must notify the Alabama Attorney General and credit reporting agencies of a breach involving more than 1,000 Alabama residents.