The Alabama Data Breach Notification Act (Senate Bill 318) has moved forward for deliberation by the House of Representatives after being unanimously passed by the Alabama Senate last week.
Alabama is among two states that has yet to start lawmaking that needs businesses to issue notices to people whose personal information is disclosed in data breaches. The other state – South Dakota – is also considering introducing similar lawmaking to defend state inhabitants.
The Alabama Data Breach Notice Law, suggested by Sen. Arthur Orr (R-Decatur), needs companies doing business in the state of Alabama to issue notices to state inhabitants when their confidential personal information has been disclosed and it is reasonably likely to cause breach sufferers considerable harm.
Units that would be needed to comply with the Alabama Data Breach Notification Act are people, cooperative associations, estates, trusts, non-profits, corporations, partnerships, sole proprietorships, government units, and other business units that get or use confidential individually identifying information.
The Alabama Data Breach Notification Act also calls for units holding the above information to apply and maintain rational safety measures to safeguard confidential personally identifiable information. A danger analysis should be carried out to identify possible safety dangers and safeguards would have to be adopted to decrease those dangers to a realistic level. Measures to safeguard data must be suitable for the sensitivity of the data, the amount of data held, the size of the business, and the cost of protections relative to the business’s resources.
If the Alabama Data Breach Notification Act is approved, state inhabitants would have to be informed of data breaches within 45 days of detection of a breach. Businesses that fail to release the notices might possibly be penalized up to $5,000 per day for any delay in distributing notices up to a maximum of $500,000 per breach. Lawsuits might be filed by the attorney general’s office on behalf of breach sufferers, although private actions would not be possible.
Breach notices would be needed to include the date or probable date of the breach, a report of the information disclosed, particulars of the steps that can be taken by breach sufferers to defend themselves against harm, particulars of the measures taken by the breached unit to restore safety and confidentiality of data, and contact information for additional information about the breach. A breach notification would also need to be presented to the state attorney general’s office if the breach affects more than 1,000 people.
Contrary to data breach notification rules in some US states that exempt HIPAA protected units that are in compliance with HIPAA rules, the Alabama Data Breach Notification Act would apply to HIPAA protected units.
The existing maximum time frame for HIPAA protected units is 60 days from the date of detection of a breach. For Alabama inhabitants at least, that time frame would be decreased by 15 days.