
Alabama Data Breach Law

December 30, 2024

Alabama has data security and cyber regulations in place that businesses operating in the state must observe and practice. This is a summary of those regulations and of who must be compliant.

Insurance Agency Regulations:

Alabama Dept. Of Insurance Data Security Program Requirements


Business Regulations:

Alabama S.B. 318 (signed into law March 28, 2018)

Effective June 1, 2018

2018 S.B. 318, Act No. 396

  • Enacted in 2018, Alabama’s data breach notification legislation requires entities that acquire or use “sensitive personally identifying information” of Alabama residents to notify affected individuals of any unauthorized acquisition of that data.
  • Notification in writing must be made as expeditiously as possible and without unreasonable delay, and no later than 45 days after the entity determines that a breach has occurred. Notification is not required if it is determined that the breach is not reasonably likely to cause substantial harm to affected individuals.
  • Breached third parties (agents processing data on behalf of an entity) must notify the relevant data owners or licensees within 10 days of discovering the breach.
  • If more than 1,000 individuals must be notified of a breach, breached entities must also notify the Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a.
  • Substitute notice is permitted in specific circumstances, and notification may be delayed for law enforcement purposes.
  • Entities in compliance with relevant federal or state regulations, such as HIPAA or the GLBA, are deemed to comply with this law. They must still provide written notice to the Alabama Attorney General when the number of individuals the entity notified exceeds 1,000.
  • Failure to comply with the notification provisions can result in civil penalties of up to $5,000 per day for each consecutive day of non-compliance, capped at $500,000 per breach.


ADDITIONAL DETAILS: Alabama S.B. 318

Application. A person or commercial entity (collectively, Entity) that acquires or uses sensitive personally identifying information.

Security Breach Definition. The unauthorized acquisition of data in electronic form containing sensitive personally identifying information.

  • Good-faith acquisition of sensitive personally identifying information by an employee or agent of an Entity is not a security breach, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
  • A security breach also does not include the release of a public record not otherwise subject to confidentiality or nondisclosure requirements, nor does it include any lawful, investigative, protective, or intelligence activity of a law enforcement or intelligence agency of the state, or a political subdivision of the state.

Notification Obligation. Any Entity that determines that, as a result of a breach of security, sensitive personally identifying information has been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to an AL resident to whom the information relates, shall give notice of the breach to each AL resident to whom the information relates.

Notification to Consumer Reporting Agencies. If the number of affected individuals exceeds 1,000, the Entity must notify all consumer reporting agencies without unreasonable delay once it is determined that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.

Attorney General/Agency Notification. If the number of affected individuals exceeds 1,000, the Entity must notify the Attorney General as expeditiously as possible and without unreasonable delay, and within 45 days once it is determined that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.

Timing of Notification. Notice shall be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to conduct an investigation, and within 45 days of discovering that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.

Sensitive Personally Identifying Information Definition. An AL resident’s first name or first initial and last name, in combination with one or more of the following data elements that relate to the resident, when neither the name nor the data elements are truncated, encrypted, secured, or modified in a way that removes elements that personally identify an individual or otherwise renders the data unusable:

  • Social Security number;
  • Driver’s license number or state identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual;
  • Account number, credit card number or debit card number in combination with any required security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the Entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

Sensitive personally identifying information does not include information about an individual that is lawfully made public by a federal, state, or local government record or widely distributed media.

Notice Required. Notice may be provided by one of the following methods:

  • Written notice; or
  • Email notice.

Substitute Notice Available. Substitute notice is permitted if the Entity demonstrates that the cost of providing direct notice would be excessive relative to the Entity’s resources (a cost exceeding $500,000 is considered excessive), that more than 100,000 AL residents would have to be notified, or that the Entity does not have sufficient contact information to provide direct notice. Substitute notice shall consist of the following:

  • Conspicuous posting of the notice on the website of the Entity if the Entity maintains one, for a period of 30 days; and
  • Notice to major print and broadcast media, including major media in urban and rural areas where the affected individuals reside.

Exception: Compliance with Other Laws.

  • An Entity subject to or regulated by federal laws, rules, regulations, procedures, or guidance is exempt as long as the Entity: maintains procedures pursuant to those requirements; provides notice to consumers pursuant to those requirements; and timely provides notice to the Attorney General when the number of affected individuals exceeds 1,000.
  • An Entity subject to or regulated by state laws, rules, regulations, procedures, or guidance—that are at least as thorough as the notice requirements in this law—is exempt as long as the Entity: maintains procedures pursuant to those requirements; provides notice to consumers pursuant to those requirements; and timely provides notice to the Attorney General when the number of affected individuals exceeds 1,000.

Other Key Provisions:

  • Delay for Law Enforcement. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation or national security, and the law enforcement agency has submitted a written request for the delay. The law enforcement agency may revoke the delay as of a specified date or extend the delay, if necessary.
  • Government entities are subject to the Act as well and must provide notice in line with the provisions of the law.
  • AG Enforcement. The Attorney General has exclusive authority to bring an action for civil penalties under the Act.