Alabama businesses need to take note. A recently enacted law, the Alabama Data Breach Notification Act (No. 2018-396), creates new requirements for “covered entities” who have “sensitive personally identifying information” that is the subject of a “data breach.” A signed version of the act can be found here: Act No. 2018-396. The Act mandates certain security measures for businesses and requires notification if a breach occurs. Failure to comply can result in significant fines, and a violation of the Act is also considered a violation of the Alabama Deceptive Trade Practices Act (Alabama Code Sections 8-19-1, et seq.).
Data breaches can be significant and can have far-reaching effects. In 2015, the U.S. Department of Defense notified more than 20 million former and current government employees that their information was stolen in one of the largest cybercrimes ever carried out against the U.S. Government. As a result, the Office of Personnel Management provided each of the affected individuals with identity theft protection and awarded a $133 million contract for identity theft protection services to pay for that protection. (https://www.opm.gov/news/releases/2015/09/opm-dod-announce-identity-theft-protection-and-credit-monitoring-contract/.) Nearly everyone can recall the 2015 Experian loss of personal data for around 15 million individuals, a loss that included social security numbers. The Target data breach involved as many as 70 million Target customers. (https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#24fbec7ce795). Recently, Saks Fifth Avenue joined the ranks of businesses that have been hacked and whose customers’ information was stolen. (https://www.usatoday.com/story/money/2018/04/01/data-breach-hits-lord-taylors-saks/476838002/). These types of events led Alabama Senator Arthur Orr (R – Decatur) and Alabama Representative Phil Williams (R – Huntsville) to sponsor legislation to help protect the sensitive personally identifying information of Alabama citizens. Senator Orr had previously tried to get legislation related to data breach notification through the legislature. (http://www.decaturdaily.com/news/other_news/state_capital/data-breach-bill-goes-to-governor/article_4b4419fe-fa08-5f91-ba42-dda53deac673.html). This year, the Alabama Legislature passed the Alabama Data Breach Notification Act. Governor Ivey signed the bill into law on March 28, 2018.
“Beginning June 1, 2018, private and public entities must establish reasonable data security measures and notify those affected when personal data has been compromised. Any breached entity that determines the compromised information is ‘reasonably likely to cause substantial harm’ must notify those affected as ‘expeditiously as possible’ but no later than 45 days after discovery.” (https://alabamaretail.org/news/alabama-data-breach-notification/).
The requirements of the Alabama Data Breach Notification Act apply to covered entities and to third-party agents. These terms are defined:
(2) COVERED ENTITY. A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.
(7) THIRD-PARTY AGENT. An entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.
Alabama Data Breach Notification Act, Act No. 2018-396.
The Act protects “sensitive personally identifying information,” which is an Alabama resident’s first name or first initial and last name, combined with one or more numbers or other data – such as a social security number, bank account number, medical information, or username and email address information.
The Alabama Data Breach Notification Act requires: (1) reasonable security, (2) investigations, and (3) notification under certain circumstances.
Reasonable Security Measures. Covered entities and third parties are required to consider, implement, and maintain certain security measures. The Act contains a list of certain measures that should be considered. But, the statute explains that “[r]easonable security measures [are] security measures practicable for the covered entity to implement and maintain.” Factors like the size of the entity, amount of sensitive information, and cost of implementation of measures are considered when determining what security measures should be undertaken. What constitutes “reasonable security measures” is likely to be the subject of debate in the future.
Good Faith and Prompt Investigation. If a covered entity or third party determines there has been a breach of security in relation to “sensitive personally identifying information,” they have a duty under the Act to conduct a good faith and prompt investigation.
Notification. When there is a data breach, covered entities and third parties must notify affected Alabama residents. Unless an exception in the Act applies, they must do so “as expeditiously as possible and without unreasonable delay.” In any event, notification must occur no later than 45 days after the covered entity or third party determines a breach has occurred and is likely to cause substantial harm. The Act sets forth the information required to be provided. Furthermore, if more than 1,000 Alabama residents are affected, the Alabama Attorney General and consumer reporting agencies must also be alerted.
Businesses should review the Act and seek guidance from experts to determine appropriate data security measures. While questions will arise when data breaches occur, such as what are “reasonable security measures” and when is a loss “likely to cause substantial harm,” the Alabama Data Breach Notification Act attempts to provide answers – including recommendations concerning appropriate security measures – in addition to setting forth requirements.
Richard Raleigh, a Past President of the Alabama State Bar (2014-2015) and a U.S. Army veteran, is an experienced trial and appellate attorney at Wilmer & Lee, P.A. in Huntsville, Alabama, with a practice concentrated on government contracts law, complex litigation, cybersecurity law, and employment law. He recently served on the Alabama Law Institute’s Restrictive Covenants and Contracts Study Committee, and he serves on the American Law Institute’s Members Consultative Group for Restatement Third, Torts: Liability for Economic Harm. Richard also serves on the Alabama Supreme Court Standing Committee on Alabama Rules of Civil Procedure and the Alabama Judicial Compensation Commission, and he represents Alabama in the American Bar Association House of Delegates. He has a diverse litigation practice, has tried numerous cases in various state and federal courts, and has argued cases before the Fifth and Eleventh U.S. Courts of Appeals, the U.S. Court of Appeals for the Federal Circuit, the Florida 1st District Court of Appeals, and the United States Court of Federal Claims. Richard is admitted to practice in Alabama and Tennessee as well as various federal courts, including the United States Court of Federal Claims, the United States Tax Court, and the United States Supreme Court.