The Alabama Data Breach Notification Act (Senate Bill 318) has passed the Alabama Senate unanimously and now moves to the House of Representatives for consideration.
Alabama is one of only two states that still lack a law requiring organizations to notify individuals whose personal information is exposed in a data breach. The other, South Dakota, is also considering similar legislation to protect its residents.
The Alabama Data Breach Notification Act, sponsored by Senator Arthur Orr (R-Decatur), would require companies doing business in Alabama to notify state residents when their sensitive personally identifying information has been accessed without authorization or publicly exposed and that exposure is reasonably likely to cause harm to the affected individuals.
Entities that would have to comply with the Act include individuals, sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or store sensitive personally identifying information.
The Act defines sensitive personally identifying information as a first name or first initial and last name in combination with any of the following data elements, provided the element is not truncated, encrypted, or hashed: Social Security number, tax identification number, driver's license number, state identification card number, military ID number, or passport number. Medical information, including health history, treatment, diagnosis, or a mental or physical condition, is also covered.
The Act also requires entities holding these types of data to implement and maintain reasonable safeguards to protect sensitive personally identifying information. A risk analysis must be performed to identify potential security risks, and security measures must be adopted to reduce those risks to a reasonable level. The measures should be appropriate to the sensitivity of the data, the amount of data stored, the size of the organization, and the cost of the measures relative to the organization's revenue.
If the Act is enacted, affected state residents would have to be notified within 45 days of discovery of a breach. Entities that fail to issue notifications could be fined up to $5,000 per day for each day of delay, up to a maximum of $500,000 per breach. The attorney general's office could bring legal action on behalf of breach victims; the Act does not create a private right of action.
Breach notices would have to include the date or estimated date of the breach, a description of the information exposed, the steps breach victims can take to protect themselves from harm, the measures the breached entity has taken to restore the security and confidentiality of the information, and contact details for further information about the breach. Notice would also have to be sent to the state attorney general's office if the breach affects more than 1,000 individuals.
Unlike the data breach notification laws in some US states, which exempt HIPAA covered entities that are in compliance with HIPAA, the Alabama Data Breach Notification Act would apply to HIPAA covered entities as well.
HIPAA currently allows covered entities up to 60 days from the date of discovery of a breach to notify affected individuals. For Alabama residents at least, that window would shrink to 45 days, 15 days shorter than the HIPAA deadline.