At Last, My Alabama Breach Notice Has Come Along

Published On March 29, 2018 | By Jason Wool and Michelle Anderson | Data Security

Alabama became the 50th and final state to enact data breach notification legislation when Governor Kay Ivey signed into law the Alabama Data Breach Notification Act of 2018. Alabama’s law comes on the heels of South Dakota’s enactment of its first breach notification law on March 21st. The two states had been the last holdouts that did not require notice to individuals (and, in some cases, regulators and credit reporting agencies) following a qualifying data breach.

The Alabama law is similar to many other states’ notification statutes and continues the trend in recent years to expand the types of information subject to breach notification to include health insurance and medical information. It defines a breach as the unauthorized acquisition of electronic data containing “sensitive personally identifying information,” which it defines as an Alabama resident’s name in combination with data elements such as a Social Security number or tax identification number, driver’s license number, passport number, financial account number, medical history, health insurance number, and more.

Notably, the Alabama statute includes in the definition of “sensitive personally identifying information” a user name or email address in combination with a password or security question and answer that would permit access to an online account “affiliated with the covered entity” and that is reasonably likely to contain or is used to obtain sensitive personally identifying information. The inclusion of login credentials in breach notification laws is also part of a growing trend. South Dakota’s law also includes user credentials in its definition of “protected information,” and Maryland and Delaware recently updated their notification laws to cover login data as well.

Covered entities must notify affected Alabama residents within 45 days of determining that a qualifying breach occurred or of receiving notification of the breach from a third party, and must also notify the Attorney General if the covered entity must notify more than 1,000 residents. Alabama’s law includes a harm trigger, requiring notification only when the breach is reasonably likely to cause substantial harm to the individuals whose information was involved in the breach, and excludes from the definition of “sensitive personally identifying information” information that has been “truncated, encrypted, secured, or modified” such that the personally identifiable elements are removed or the information is unusable.

Although Alabama was the last state to enact data breach notification legislation, its law goes further than many other states and also includes fairly robust data security provisions. These provisions require covered entities to implement “reasonable security measures,” including consideration of practices such as security risk assessments, risk-appropriate safeguards, vendor risk management, and updates to management and the board of directors. Covered entities must determine the reasonableness of their security measures by conducting an assessment taking into consideration certain prescribed factors.

The Alabama statute goes into effect on June 1, 2018, one month before South Dakota’s effective date of July 1, 2018. Notwithstanding that all 50 states now have enacted breach notification laws, these efforts may soon be for naught: Congress is in the process of considering a federal breach notification statute, which could conceivably preempt all state breach notification statutes. In the meantime, companies will need to adjust their incident response plans and other security documents to account for the new legal environment.

About The Authors

Jason Wool’s practice focuses on cybersecurity, including cyber risk management, incident response, and compliance with global data protection laws, regulations, and standards, including the PCI-DSS. He has advised organizations ranging from small businesses to Fortune 500 companies during complex, privileged computer crime investigations; provided ongoing advice on the development of cybersecurity programs and cybersecurity governance structures; conducted tabletop exercises and other data breach simulations; and assisted clients with large scale audits to determine compliance with complex cybersecurity standards.

Michelle Anderson counsels clients on a range of privacy, security, and consumer protection matters. She works closely with clients to understand their goals and risk profiles to help develop strategies for compliance with domestic and international privacy and security laws and regulations.