Alabama Governor Kay Ivey has inked a data breach notification law that requires organizations and agencies to notify data breach victims within 45 days, becoming the last US state to enact such a statute.
The law, which takes effect May 1, includes medical and health insurance information in the definition of “personally identifying information” subject to notification.
In addition to medical and health insurance data, the law includes the following as personally identifying information, when one or more is combined with an individual’s first name or first initial and last name:
- Social Security number or tax identification number
- Driver's license number, state-issued identification card number, passport number, military identification number, or other government-issued unique identification number
- Financial account number in combination with any security code, access code, password, expiration date, or PIN
- User name or email address combined with a password or security question.
The Alabama Data Breach Notification Act (SB 318) was unanimously approved by the state legislature last month.
Under the law, the Attorney General can fine violators up to $5,000 per day and file lawsuits on behalf of the breach victims.
“Alabama consumers finally join the rest of America in having the right to know if their personal information is stolen or compromised in a data breach,” said state Attorney General Steve Marshall.
“There is no national law requiring companies to notify affected consumers after a data breach, so it is up to each state to ensure that its citizens are protected. Until now, Alabama was the only state without a data breach notification law,” he added.
As noted by Ballard Spahr LLP, the Alabama law imposes four categories of obligations on organizations and agencies that hold personal data:
- Implement and maintain “reasonable” security measures to protect personally identifying information
- Conduct a “good faith and prompt investigation” into a breach of personally identifying information that has occurred or may have occurred
- Notify each breach victim who is an Alabama resident
- Notify the state Attorney General and credit reporting agencies of a breach involving more than 1,000 state residents.
Reasonable security measures are listed as: designating an employee or employees to coordinate data security, identifying internal and external cyber risks, adopting “appropriate” security safeguards based on the risk assessment, evaluating and adjusting measures as circumstances change, and informing management and board of directors on a regular basis about the status of security measures.
Alabama joins South Dakota as a straggler that has finally joined the fold of states that have enacted data breach notification laws.
On March 21 of this year, South Dakota Governor Dennis Daugaard signed that state’s first data breach notification law, which takes effect July 1. That law requires organizations and agencies to inform data breach victims within 60 days of breach discovery or notification by a third party.
South Dakota’s Attorney General can fine violators up to $10,000 per day, twice the Alabama fine limit.
Some in Congress want a national data breach notification law to standardize requirements so that companies are not required to comply with many different state laws depending on where the breach victims are located.
However, many states are opposed to a national data breach law, arguing that it would preempt legitimate state authority to protect consumers.
Last month, a group of 32 attorneys general, led by Illinois Attorney General Lisa Madigan, focused their ire on a draft bill, the Data Acquisition and Technology Accountability and Security Act. The legislation was circulated on Capitol Hill by Rep. Blaine Luetkemeyer (R-Mo.) and Rep. Carolyn Maloney (D-NY) in February.
“States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy,” the attorneys general argued in a letter sent to Congress.
In particular, the attorneys general objected to the draft bill’s provision giving organizations that experience a data breach the discretion whether to notify consumers based on their judgement of risks. In addition, breaches affecting fewer than 5,000 consumers would be exempt from the notification requirement.
“We believe there is a place for both state and federal agencies to act to protect consumers’ important personal information,” the attorneys general wrote.
While states want to retain the power to regulate data breaches, many in the business community either want no regulation or, if regulation is unavoidable, a federal standard that has uniform reporting requirements.