The Alabama Data Breach Notification Act (Senate Bill 318) has been sent for consideration to the House of Representatives after the Alabama Senate last week unanimously passed it.
Alabama is one of the two remaining states still yet to introduce legislation that requires companies to send notifications to people whose personal information is accessed in data breaches. South Dakota, the other state yet to introduce legislation, is also considering passing similar legislation to protect state residents.
Proposed by Sen. Arthur Orr (R-Decatur), the Alabama Data Breach Notification Act obligates companies operating business in the state of Alabama to issue alerts to state residents when their sensitive personal data has been accessed and it is reasonably likely to lead to breach victims experiencing substantial harm.
Bodies that would be required to adhere with the Alabama Data Breach Notification Act are individuals, sole proprietorships, partnerships, government bodies, corporations, non-profits, trusts, estates, cooperative associations, and other business bodies that acquire or use sensitive personally identifying data.
Sensitive personally identifying data is classified as a first name/first initial and last name along with any of the following data elements, provided they are not truncated, encrypted, or hashed:
- Social Security details
- Tax ID credentials
- Driver’s license number
- Number from State identification card
- Military identification number
- Passport details
- Other specific government identification numbers
- Medical data such as health history, treatment or diagnosis or mental/physical state
- Health insurance number or specific identifiers used by health insurers for identification of a person
- Account number financial (bank account, credit card, or debit card) along with an expiry date, security code, PIN, password, or other data that would permit a financial transaction to be carried out
- Username or email address combined with a password or security question answer that would permit an account to be viewed
The Alabama Data Breach Notification Act also requires entities holding the above information to put in place, and maintain, reasonable security measures to protect sensitive personally identifiable information. A risk analysis must be completed to identity potential security risks and security measures would need to be adopted reduce those risks to an acceptable level. Measures to safeguard data should be appropriate for the sensitivity of the data, the amount of data stored, the size of the group, and the cost of safeguards with regard to the company’s resources.
If the Alabama Data Breach Notification Act make it through the final stage of voting state residents would have to be alerted of data breaches within 45 days of discovery of a breach. Firms that do not to issue the notifications could potentially be fined up to $5,000 daily for any delay in issuing alerts up to a maximum of $500,000 per breach. Lawsuits could be taken by the attorney general’s office on behalf of breach victims, although private actions would not be allowed.
Breach notices would have to include the date or estimated date of the breach occurring, a description of the information accessed/exposed, details of the measures that can be taken by breach victims to safeguard themselves against possible harm, details of the steps taken by the breached body to restore security and confidentiality of data, and contact information for further advice regarding the breach. A breach notice would also need to be sent to the state attorney general’s office if the breach affects more than 1,000 people.
As opposed to data breach notification laws in some US states that exempt HIPAA covered bodies that adhere with HIPAA laws, the Alabama Data Breach Notification Act would apply to HIPAA covered bodies.
The current maximum time frame for HIPAA covered entities to issue a breach notification is 60 days from the date of discovery of a HIPAA violation. For Alabama state citizens at least, that time frame would be cut by 15 days.