Alabama's New Data Breach Law and What Businesses Need to Know

Starting June 1, 2018, Alabama joins the ranks of states with data breach notification laws, adding specific requirements for businesses that handle sensitive personally identifying information. The new law spells out what a company must do when a breach occurs: who is required to notify affected individuals, how quickly notice must go out, what the notice must contain, and the penalties for noncompliance.

The law applies to any individual or business that acquires, stores, processes, or has access to sensitive personally identifying information about Alabama residents. That term is defined broadly to include Social Security numbers, driver's license and other government identification numbers, financial account numbers, medical history and health insurance information, and online account credentials (a username or email address together with a password or the answer to a security question).

The notification requirement is triggered when a business determines that a breach involving sensitive personally identifying information has occurred and is reasonably likely to cause substantial harm to the individuals affected. Affected individuals must be notified as expeditiously as possible, and no later than 45 days after that determination. The notice must contain essential details: the date or estimated date of the breach, the nature of the information affected, the actions taken to restore security, and advice on steps individuals can take to protect themselves. If more than 1,000 Alabama residents are affected, the business must also notify the Alabama Attorney General and the major consumer reporting agencies.

In terms of penalties, failing to notify individuals within the required time can lead to civil penalties of up to $5,000 per day for each day the notice is late, capped at $500,000 per breach. The Alabama Attorney General has the authority to bring a civil action for these penalties and to recover damages on behalf of individuals whose information was compromised.

Another key aspect of the law is the requirement for businesses to implement reasonable security measures to protect the sensitive personally identifying information they hold. Companies are expected to designate someone to coordinate data security, identify internal and external risks, adopt safeguards to address those risks, ensure that service providers handling the data maintain reasonable security as well, and keep those safeguards current. What qualifies as "reasonable" depends on the size of the business, the amount and sensitivity of the data it holds, and the cost of implementing the measures relative to the risk.

This new law emphasizes the need for businesses to act quickly if a breach occurs. You will need a data breach response plan in place before an incident happens, covering how to contain and secure the affected systems, how to determine whether the breach is likely to cause substantial harm, how to notify affected individuals (and, where required, the Attorney General and consumer reporting agencies) within the deadline, and how to mitigate any resulting harm.

If your business operates in Alabama or deals with Alabama residents’ data, it’s crucial to prepare for these new requirements. Make sure you have a solid breach notification procedure in place, and review your security measures to ensure they are reasonable and in compliance with the law. Being proactive can help you avoid penalties and better protect your customers' data.

© 2018 Cliclaw.com

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
