Alabama State Senate Approves Data Breach Notification Act

March 21, 2018


The Alabama Data Breach Notification Act (Senate Bill 318) has advanced to the House of Representatives for deliberation after recently being passed unanimously by the Alabama Senate.

Alabama is one of the last two states that have yet to introduce laws requiring companies to notify people whose personal information is exposed in data breaches. The other remaining state, South Dakota, is also considering a similar law to protect state residents.

The Alabama Data Breach Notification Act, introduced by Senator Arthur Orr (R-Decatur), requires businesses operating in the state of Alabama to notify state residents when their sensitive personal information has been unlawfully accessed or made publicly available, where this is reasonably likely to result in victims experiencing harm.

Entities that would be required to comply with the Alabama Data Breach Notification Act are individuals, trusts, estates, non-profits, corporations, government entities, partnerships, sole proprietorships, cooperative associations, and other business organizations that acquire or store personally identifying information.

If the Alabama Data Breach Notification Act passes the final stage, state residents would have to be notified of data breaches within 45 days of the discovery of a breach. Businesses that fail to send the notifications could be fined up to $5,000 per day for any delay in issuing notifications, up to a maximum of $500,000 per breach. Legal action could be brought by the attorney general’s office on behalf of breach victims, although private actions would not be permitted.

Breach notices would be required to list the date or estimated date of the breach, a description of the information exposed, details of the steps breach victims can take to protect themselves against harm, details of the steps taken by the breached entity to restore the security and confidentiality of information, and contact information for further details about the breach. A breach notice would also have to be sent to the state attorney general’s office if the breach affects more than 1,000 people.

Unlike data breach notification laws in some US states, which exempt HIPAA-covered entities that are in compliance with HIPAA rules, the Alabama Data Breach Notification Law would apply to HIPAA-covered entities.

The current maximum permissible time frame for HIPAA-covered entities to contact those affected is 60 days from the date of discovery of a breach. For Alabama residents at least, that time would be shorter by 15 days.