Alabama Data Breach Notification Act Accounts for Medical Data

The Alabama Senate passed a data breach notification bill that includes medical and health insurance information in its definition of personally identifying information.

By Elizabeth Snell

Alabama may soon join 48 other states in having its own state data breach notification legislation, as the Alabama Senate passed a bill earlier this month that would require companies to provide notice should they experience a breach.

The Alabama Data Breach Notification Act of 2018 (SB 318) unanimously passed on March 1, 2018, and will move on to the House of Representatives.

Introduced by Senator Arthur Orr, the bill requires companies to provide affected individuals notice within 45 days of determining that a breach occurred. The Attorney General’s Office can assess fines of $5,000 per day and file a lawsuit on behalf of the affected individuals if an organization does not notify consumers.

"I want to thank the Alabama Senate, and Senator Orr in particular, for moving this bill forward and taking us one step closer to giving Alabama consumers the same protections as the citizens of 48 other states who already receive notifications when their sensitive personal information has been hacked,” Attorney General Steve Marshall said in a statement. “This is a big win for Alabama consumers and I look forward to working with the House to cross the finish line.”

The bill defines the following as personally identifying information, when one or more is combined with an individual’s first name or first initial and last name:

  • A complete Social Security number or tax identification number
  • A complete driver's license number, state-issued identification card number, passport number, military identification number, or other government-issued unique identification number
  • A financial account number in combination with any security code, access code, password, expiration date, or PIN
  • Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
  • A health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer
  • User name or email address combined with a password or security question

Any information that has been lawfully made a public record is not included, the bill explains. A breach involving only encrypted or de-identified data also does not require notification.

“Information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information,” the legislation reads.

Companies or agencies will need to notify the Attorney General’s office if more than 1,000 individuals are impacted by a breach. If 500,000 individuals are potentially impacted, notices must also be posted online and in newspapers, and broadcast on TV and radio stations where affected individuals live.

Organizations and their third-party business associates will need to implement and maintain reasonable security measures, including conducting an internal and external risk assessment.

Entities also need to designate an employee or employees to “coordinate the covered entity's security measures to protect against a breach of security.”

Nebraska also made moves earlier this year to improve its data breach notification process. The Nebraska legislature unanimously passed a bill that amended sections of the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006.

One of the key changes was that credit reporting agencies will no longer be allowed to charge consumers who place, temporarily lift, or remove security freezes following a data breach.

“A consumer reporting agency shall reissue the same or a new personal identification number or password required under section 8-2605 one time without charge and may charge a fee of no more than five dollars for subsequent reissuance of the personal identification number or password,” the bill said.

Nebraska Senator Adam Morfeld initially introduced the bill in response to the 2017 Equifax data breach.

“Equifax’s response was irresponsible and insufficient,” Morfeld said during LB 757 legislative debate, according to Nebraska Radio Network. “Nebraskans found themselves having to pay out of pocket to freeze their accounts as a result of Equifax’s inability to keep their information safe and secure.”
