Alabama State Senate Passes Data Breach Notification Act

by | Mar 19, 2018

The Alabama Data Breach Notification Act (Senate Bill 318) has moved to the House of Representatives for consideration after being unanimously approved by the Alabama Senate.

Alabama is one of the last two states yet to enact a law requiring firms to notify individuals whose personal information is exposed in a data breach. The other remaining state, South Dakota, is also considering similar legislation to protect its residents.

The Alabama Data Breach Notification Act, introduced by Senator Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to notify state residents when their sensitive personal data has been illegally accessed or made public and it is reasonably likely that the breach will cause harm to the victims.

Entities that would be required to comply with the Alabama Data Breach Notification Act include individuals, sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or store personally identifying information.

Sensitive personally identifying information is defined as a first name or first initial and last name in combination with any of the following data elements, provided they are not truncated, encrypted, or hashed: Social Security number, Tax Identification number, driver's license number, state identification number, military ID number, or passport number. Medical information, including health history, treatment, diagnosis, or mental or physical condition, is also covered.

The Alabama Data Breach Notification Act also requires entities holding the above types of data to implement and maintain reasonable safeguards to protect sensitive personally identifiable information. A risk analysis must be performed to identify potential security risks, and security measures would need to be adopted to reduce those risks to a reasonable level. Measures to protect data should be appropriate for the sensitivity of the data, the amount of data stored, the size of the organization, and the cost of the measures in relation to the company's revenue.

If the Alabama Data Breach Notification Act passes the final stage, state residents would have to be notified of data breaches within 45 days of discovery of a breach. Companies that fail to send the notifications could be fined up to $5,000 per day for any delay in issuing notifications, up to a maximum of $500,000 per breach. Legal action could be taken by the attorney general's office on behalf of breach victims, although private actions would not be permitted.

Breach notices would be required to state the date or estimated date of the breach, describe the information exposed, explain the steps breach victims can take to protect themselves from harm, describe the measures taken by the breached entity to restore the security and confidentiality of the information, and provide contact details for further information about the breach. A breach notice would also need to be sent to the state attorney general's office if the breach affects more than 1,000 individuals.

Unlike the data breach notification laws in some US states, which exempt HIPAA covered entities that are in compliance with HIPAA, the Alabama Data Breach Notification Act would also apply to HIPAA covered organizations.

Under HIPAA, covered entities currently have up to 60 days from the date of discovery of a breach to notify affected individuals. For Alabama residents at least, that window would be 15 days shorter.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
