Alabama became the 50th and final state to enact data breach notification legislation when Governor Kay Ivey signed into law the Alabama Data Breach Notification Act of 2018. Alabama’s law comes on the heels of South Dakota’s enactment of its first breach notification law on March 21st. The two states had been the remaining holdouts from requiring notice to individuals (and, in some cases, regulators and credit reporting agencies) following a qualifying data breach.
The Alabama law is similar to many other states’ notification statutes and continues the recent trend of expanding the types of information subject to breach notification to include health insurance and medical information. It defines a breach as the unauthorized acquisition of electronic data containing “sensitive personally identifying information,” which it defines as an Alabama resident’s name in combination with data elements such as a Social Security number or tax identification number, driver’s license number, passport number, financial account number, medical history, health insurance number, and more.
Notably, the Alabama statute includes in the definition of “sensitive personally identifying information” a user name or email address in combination with a password or security question and answer that would permit access to an online account “affiliated with the covered entity” and that is reasonably likely to contain or is used to obtain sensitive personally identifying information. The inclusion of login credentials in breach notification laws is also part of a growing trend. South Dakota’s law also includes user credentials in its definition of “protected information,” and Maryland and Delaware recently updated their notification laws to cover login data as well.
Covered entities must notify affected Alabama residents within 45 days of determining that a qualifying breach occurred, or of receiving notification of the breach from a third party, and must also notify the Attorney General if more than 1,000 residents must be notified. Alabama’s law includes a harm trigger, requiring notification only when the breach is reasonably likely to cause substantial harm to the individuals whose information was involved in the breach, and excludes from the definition of “sensitive personally identifying information” information that has been “truncated, encrypted, secured, or modified” such that the personally identifiable elements are removed or the information is unusable.
Although Alabama was the last state to enact data breach notification legislation, its law goes further than many other states and also includes fairly robust data security provisions. These provisions require covered entities to implement “reasonable security measures,” including consideration of practices such as security risk assessments, risk-appropriate safeguards, vendor risk management, and updates to management and the board of directors. Covered entities must determine the reasonableness of their security measures by conducting an assessment taking into consideration certain prescribed factors.
The Alabama statute goes into effect on June 1, 2018, one month before South Dakota’s effective date of July 1, 2018. Notwithstanding that all 50 states now have enacted breach notification laws, these efforts may soon be for naught: Congress is in the process of considering a federal breach notification statute, which could conceivably preempt all state breach notification statutes. In the meantime, companies will need to adjust their incident response plans and other security documents to account for the new legal environment.