August 7, 2020

Volume X, Number 220


And Then There Was None: Alabama Becomes 50th State With Breach Notice Law

Alabama is the final US state to enact data breach notification legislation. The new law takes effect on June 1, 2018 and applies to electronic “sensitive” data. This includes full Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and a user name or email address (in combination with a password or security question). Exceptions exist for both encrypted and “truncated” information.

For a breach to occur, the information has to have been acquired. Companies are to conduct an investigation if they believe a breach may have occurred, and the law provides several factors companies should consider when trying to determine if information has been subject to unauthorized acquisition. These include indications that the information is in the hands of an unauthorized person, that the information has become public, and evidence that the information has been downloaded or copied. Notice can be delayed if it would interfere with a law enforcement investigation.

The law provides for specific content to be included in the notice to impacted individuals. This includes the date or date range of the breach, the type of information impacted, what the company has done to restore the security of the information, how the person can protect himself or herself, and contact information for the company. Substitute notice is permitted if more than 100,000 people are impacted or the cost of notice is over $500,000. If more than 1,000 residents are impacted, then the company also needs to notify Alabama’s Attorney General.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VIII, Number 101


About this Author

Amber Thomson, Sheppard Mullin Law Firm, Litigation Attorney

Amber C. Thomson is an associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and external practitioners alike.”

She is known as an industry leader in the privacy and data security space and is consistently recognized by Leading Lawyers Network, Chambers and The Legal 500, and leading publications and organizations for her work in this area of law. Liisa was recently recognized as the 2017 Data Protection Lawyer of the Year - USA by Global 100, the 2017 U.S. Data Protection Lawyer of the Year by Finance Monthly, and the “Best in Data Security Law Services” at Corporate LiveWire’s 2017 Global Awards.