December 12, 2018

December 12, 2018

Subscribe to Latest Legal News and Analysis

December 11, 2018

Subscribe to Latest Legal News and Analysis

December 10, 2018

Subscribe to Latest Legal News and Analysis

Alabama Becomes 50th State to Enact Data Breach Notification Law

Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.

Things to take note of under the Alabama law:

  • The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include.   An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.”

  • Notification to residents within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm.

  • The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.

  • Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.

  • No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.

  • The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions.  “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member

Cynthia is Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP).  She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive...

617-348-1732