Alabama becomes 50th state to enact data breach notification law
By Susan Miller
All 50 states will have data breach notification laws, now that Alabama has passed legislation to protect against disclosure of sensitive personally identifying information, such as Social Security numbers, financial and email account information combined with passwords, and health information.
The Alabama Data Breach Notification Act of 2018 goes into effect on June 1. It requires covered entities that acquire or use sensitive personally identifying information to notify affected Alabama residents of a breach if that information has been or is believed to have been acquired by an unauthorized individual and substantial harm to affected individuals is “reasonably likely” to result, attorney Zachary Heck wrote in a Lexology blog post.
Entities covered by the law (both the organization collecting the data and the contractor that stores and processes it) must maintain reasonable cybersecurity measures. The state defines those measures as having:
- A designated employee who coordinates data security measures.
- Documentation of internal and external security risks and adoption of safeguards to protect against identified risks.
- Regular briefings to management on security status.
- Requirements that contractors maintain appropriate safeguards.
Assessments of a covered entity's security measures will consider whether data security failures are multiple or systemic and take into account factors like the size of the entity, the amount of data lost and what it would have cost to protect against a breach.
These specific requirements for reasonable cybersecurity measures set the Alabama statute apart from those of other states, Heck wrote.