October 16, 2019

Alabama Becomes 50th State to Enact Data Breach Notification Law

Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.

Things to take note of under the Alabama law:

  • The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include. An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.”

  • Notification to residents within 45 days after a breach has been discovered, if the breach is reasonably likely to cause substantial harm.

  • The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.

  • Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.

  • No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.

  • The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions. “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.



About this Author

Cynthia Larose
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732