S.B. 318, A New Standard for Data Breach Notifications

The Alabama Data Breach Notification Act of 2018 or S.B. 318 for short is a data breach notification law that was passed in 2018. As every other state within the U.S. had passed some form of data breach notification legislation prior to 2018, Alabama effectively became the last state within the U.S. to pass a law pertaining to the regulation of data breach incidents. To this point, S.B. 318 establishes the steps and measures that businesses and organizations that operate within the state of Alabama must adhere to in the event that said entities experience a data breach or other related security incident. Moreover, the law also establishes the punishments that businesses and organizations within Alabama stand to face should they fail to comply with the provisions set forth in the law.

What is the scope and application of the Alabama Data Breach Notification?

In terms of the scope and application of the Alabama Data Breach Notification Act of 2018 (S.B. 318), the law is applicable to covered entities and their third-party agents. Under S.B. 318, a covered entity is defined as “a person, sole proprietorship, 9 partnership, government entity, corporation, nonprofit, trust, 10 estate, cooperative association, or other business entity that 11 acquires or uses sensitive personally-identifying information.” Alternatively, the law defines a third-party agent as “an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally-identifying information in connection with providing services to a covered entity.”

What are the requirements of covered entities and their third-party agents?

Under the Alabama Data Breach Notification Act of 2018, covered entities and their third-party agents that collect personal data during the course of their operations are required to provide all affected parties with written notification in the event that a data breach occurs. These notifications must include information detailing the following:

• The estimated, actual date, or range of dates in which the data breach occurred.
• A detailed description of all personal data that was disclosed as a result of the breach.
• A description of all the actions and measures that were taken on behalf of the covered entity and their third-party agents to restore “the security and confidentiality of the personal information affected by the breach.”
• The steps that affected consumers can take to protect themselves from identity theft as a result of the personal data that was disclosed in the breach.
• Contact information that consumers can use to obtain further details and information from covered entities and their their-party agents concerning the data breach.

What’s more, S.B. 318 also mandates that covered entities and their third-party agents are also responsible for providing data breach notifications to the Alabama Office of the Attorney General in instances where more than 1,000 residents within the state are affected by a data breach. These notifications must include details relating to:

• A general description or synopsis of the events surrounding the data breach or other security incident.
• The approximate number of residents within the state that have been affected by the data breach.
• Any services that the covered entity or their third-party agents are offering to Alabama residents who have been affected by the data breach, free of charge, as well as specific instructions detailing the ways in which consumers can utilize such services.
• The name, address, telephone number, and email address of the employee or agent of the covered entity who can provide additional information about the breach.

What types of personal information are covered?

Under the Alabama Data Breach Notification Act of 2018, the following types of personal information are protected by the law:

• Social security and tax ID numbers.
• Financial account numbers, security codes, passwords, PIN numbers, expiration dates, and any other form of numerical information that may be used to indirectly identify an individual.
• Personal information relating to an individual’s mental or physical health history, diagnosis, condition, treatment, or other related issues.
• A health insurance policy number, as well as other forms of identification numbers and unique identifiers.
• A user name or email address in combination with a password or security question and answer that would provide account access.

In terms of the enforcement of the Alabama Data Breach Notification Act of 2018, the law is enforced by the Alabama Office of the Attorney General. Subsequently, covered entities and their third-party agents who fail to comply with the provisions set forth in the law are subject to a number of sanctions and penalties. Such punishments include monetary penalties of “up to $2,000 per violation, not to exceed $500,000 per breach.” Furthermore, the law also allows Alabama citizens to bring civil liability charges against covered parties that violate their rights under the law. Additionally, violations of S.B. 318 are also considered “unlawful trade practices under the Alabama Deceptive Trade Practices Act, Chapter 19, Title 8, Code of Alabama 1975.”

As data breaches have become increasingly more common due to enhanced internet usage around the world, Alabama became the last U.S. state to draft legislation mandating that businesses and organizations adhere to specific guidelines concerning said breaches. Through such legislation, residents within the state of Alabama have the means to seek both justice and compensation should their rights be violated under the law. More importantly, however, the passing of such legislation brings the nation closer to both state and ultimately federal comprehensive data protection policy, such as the steps that the EU has taken in enacting their landmark General Data Protection Regulation or GDPR.