Alabama
Information Covered / Important Definitions
Information covered:
Personal information of Alabama residents.
Definition includes usernames and passwords, personal identification numbers (“PINs”), or other access codes for financial accounts, medical information, and health insurance information.
Important definitions:
“Security Breach” means the unauthorized acquisition of data in electronic form containing sensitive personally identifying information. Acquisition occurring over a period of time committed by the same entity constitutes one breach.
Covered Entities* / Third Party Recipients
Subject to statute:
A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information of Alabama residents.
Third party recipients:
Third parties maintaining personal information on behalf of a covered entity must notify the covered entity about a breach and cooperate as necessary to allow the covered entity to comply with the statute. The covered entity must satisfy all further notification obligations under the statute.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach as expeditiously as possible and without unreasonable delay, but no later than forty-five (45) days following the discovery of the breach, unless a law enforcement agency determines that disclosure will interfere with a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs would exceed $500,000, the affected class exceeds 100,000 persons, or the covered entity has insufficient contact information.
- Notice not required if, after an investigation and written notice to the attorney general, the entity determines that there is not a reasonable likelihood of harm to the consumers whose personal information was acquired. The determination must be documented in writing and maintained for five years.
Other obligations:
Any covered entity that must notify more than 1,000 residents at one time of a security breach is also required to notify the attorney general and consumer reporting agencies without unreasonable delay, but no later than forty-five (45) days following the discovery of the breach.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal information that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Other exemptions:
Exemption for good faith acquisition by an employee or agent of a covered entity, so long as the personal information is used for a legitimate purpose of the employer and is not subject to further unauthorized disclosure.
Notification to Regulator / Waiver
A determination of no likelihood of harm:
Does not require notification to the attorney general.
Penalties
Violations by non-governmental entities constitute unlawful trade practices under the Alabama Deceptive Trade Practice Act, Chapter 19, Title 8, Code of Alabama 1975. Such entities are liable for civil penalties up to $5,000 per day for each consecutive day the entity fails to take reasonable action to comply with notice provisions, with the total civil penalty not to exceed $500,000.
Damages awarded under AL Section 8-19-11 are limited to actual damages suffered by the person(s) plus attorney’s fees and costs.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.