April 19, 2016

You’ve Been Notified: Alabama May Join Other States in Enacting Data Breach Notice Law

Butler Snow LLP

+ Follow Contact

Send

Embed

Forty-seven states and the District of Columbia have laws requiring notice of a data breach to potentially affected individuals.^[1] Alabama may soon join the crowd.

Bills creating the Alabama Information Protection Act of 2016 are progressing through the Alabama House and Senate. Currently, there is not a generally-applicable data breach notice law in Alabama. The proposed bill would require entities maintaining personal information to notify affected individuals, the Attorney General, and credit reporting agencies in the event of a security breach compromising personal information of more than 1,000 individuals. As a preemptive measure against data breaches, the law requires that companies maintain “reasonable security measures” to protect personal information in electronic form.

The subject of a data breach, the unauthorized acquisition” of “sensitive personally identifying information” is a low threshold. Disclosure of person’s name in connection with his or her driver’s license number, social security number, or a financial account number with an access code “in electronic form” is sufficient to trigger the law.

The Act explicitly would not create a private cause of action, and a violation would not be a criminal offense. A covered entity who fails to provide the required notice could be subject to a civil penalty of up to $50,000, however. And breaches by governmental entities and their third-party agents would be listed in an annual report to the Governor. Notably, the Act would not apply to entities covered by certain Alabama insurance laws, financial institutions covered by various federal laws, or entities otherwise covered by HIPAA.

With data breaches becoming an increasingly important aspect of law and business and with indications of a possible federal data breach law, the progression of this bill will be of interest. Of course, whether the standards it imposes are any more stringent than those already taken by covered entities on their own accord will remain to be seen.

[1] National Conference of State Legislatures, Security Breach Notification Laws, (Jan. 4 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Butler Snow LLP

Contact + Follow

less

Published In:

Corporate Counsel

+ Follow

Data Breach

+ Follow

Data Protection

+ Follow

Data Security

+ Follow

Government Entities

+ Follow

Penalties

+ Follow

Personally Identifiable Information

+ Follow

Popular

+ Follow

Proposed Legislation

+ Follow

State Data Breach Notification Statutes

+ Follow

Third-Party Agents

+ Follow

General Business

+ Follow

Consumer Protection

+ Follow

Elections & Politics

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Butler Snow LLP on:

You’ve Been Notified: Alabama May Join Other States in Enacting Data Breach Notice Law

Related Posts

Written by:

Published In:

Butler Snow LLP on:

"My best business intelligence, in one easy email…"