What entities are covered?
“Any person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.” SB 318 § 2(2).
Is there a requirement for service providers?
Yes. “In the event a third-party agent (i.e., “[a]n entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with” its provision of services) has experienced a breach of security in the system maintained by the agent, the agent shall notify the [entity] of the breach of security as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.” SB 318 § 8.
What data are covered?
Sensitive personally identifying information is covered. “Sensitive personally identifying information” means “an Alabama resident’s first name or first initial and last name in combination with one or more of the following:”
(1) A non-truncated social security number or tax identification number.
(2) A non-truncated driver’s license number, state identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual.
(3) A financial account number, including a bank account number or credit or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account.
(4) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(5) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
(6) A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the breached entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information. SB 318 § 2(6)(a).
To be the subject of a breach, such data must be “stored electronically or digitally on any computer system or other database, including, but not limited to, recordable tapes and other mass storage devices.” SB 318 § 2(3).
There are, however, two exceptions. First, “sensitive personally identifying information” does not include “information about an individual which has been lawfully made public by a federal, state, or local government record or a widely distributed media.” SB 318 § 2(6)(b)(1). It similarly does not include “information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the [breached entity] knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or usable has been breached together with the information.” SB 318 § 2(6)(b)(2).
Has there been a breach?
“Breach of the security of the system” means “[t]he unauthorized acquisition of data in electronic form containing sensitive personally identifying information.” SB 318 § 2(1).
There are, however, exceptions, including (1) “[g]ood faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use;” (2) “[t]he release of a public record not otherwise subject to confidentiality or nondisclosure requirements;” and (3) “[a]ny lawful investigative, protective, or intelligence activity of a law enforcement or intelligence agency of the state, or a political subdivision of the state.” SB 318 § 2(1)(a).
Is there a risk of harm analysis?
Yes. Upon discovering a breach, the entity must conduct a “good faith and prompt investigation” that includes, among other things, a determination of whether the sensitive personally identifying information has been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates. SB 318 § 4(a)(3).
Who receives notice?
Residents: Any affected individuals (i.e., “[a]ny Alabama resident whose sensitive personally identifying information was, or the [breached] entity believes to have been, accessed as a result of the breach”) to whom the information relates. SB 318 §§ 2(5), 4(b).
Credit Reporting Agencies: Yes. “If a person discovers [circumstances] requiring notice under this section of more than 1,000 individuals at a single time, the [breached] entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis . . . of the timing, distribution, and content of the notices.” SB 318 § 7.
Government Entities: Yes. “If the number of individuals a covered entity is required to notify exceeds 1,000 residents, the entity shall provide written notice of the breach to the Attorney General as expeditiously as possible and without unreasonable delay [but, at the latest, within 45 days].” SB 318 § 6(a).
When must notice be given?
Notice to individuals and the Attorney General “shall be made as expeditiously as possible and without unreasonable delay” but shall be given within 45 days of the entity’s determination that a breach has occurred and is reasonably likely to cause substantial harm to the individuals to whom the information relates. SB 318 §§ 5(b), 6(a). If necessary, notice to all consumer reporting agencies must be made “without unreasonable delay.” SB 318 § 7.
May notice be delayed?
Notice may be delayed “[i]f a federal or state law enforcement agency determines that notice to individuals required under this section would interfere with a criminal investigation or national security” in which case the notice may be delayed upon the written request of the law enforcement agency “for a period that the law enforcement agency determines is necessary.” SB 318 § 5(c). It warrants noting, however, that “[a] law enforcement agency, by a subsequent written request, may revoke the delay as of a specified date or extend the period set forth in the original request . . . if further delay is necessary.” SB 318 § 5(c).
How must notice be given?
Individuals. “[N]otice to an affected individual . . . shall be given in writing, sent to the mailing address of the individual in the [entity’s] records, or by email notice . . . .” The notice must include, at minimum, all of the following:
(1) The date, estimated date, or estimated date range of breach;
(2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach;
(3) A general description of the actions taken by [the breached] entity to restore the security and confidentiality of the personal information involved in the breach;
(4) A general description of steps a consumer can take to protect himself or herself from identity theft; and
(5) Information that the individual can use to contact the [breached] entity to inquire about the breach. SB 318 § 5(d).
Attorney General. Notice to the Attorney General must be in writing and must include all of the following:
(1) A synopsis of the events surrounding the breach at the time that notice is provided.
(2) The approximate number of individuals in the state who were affected by the breach.
(3) Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions on how to use the services.
(4) The name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach. SB 318 § 6(b).
Moreover, a breached entity can provide the Attorney General with supplemental or updated information regarding a breach at any time. SB 318 § 6(c).
Is substitute notice available?
Substitute notice is available in lieu of direct notice, if direct notice is not feasible due to any of the following:
(1) Excessive cost (i.e., over $500,000) to the entity required to provide such notification relative to the resources of the breached entity.
(2) Lack of sufficient contact information for the individual required to be notified.
(3) The affected individuals exceed 100,000 persons. SB 318 § 5(e)(1).
Substitute notice under this provision shall consist of both of the following:
(1) Conspicuous notice on the Internet web site of the breached entity, if the entity maintains a website, for a period of 30 days; and
(2) Notice in print and in broadcast media, including major media in urban and rural areas where the affected individuals reside. SB 318 § 5(e)(2).
An alternative form of substitute notice may be used with the approval of the Attorney General. SB 318 § 5(e)(2)(c).
Is there an exemption or safe harbor?
For Establishment of Notification Methods: No.
For Following Interagency Guidelines: Yes. “An entity subject to or regulated by federal laws, rules, regulations, procedures, or guidance on data breach notification established or enforced by the federal government is exempt from this act as long as the entity does all of the following:
(1) Maintains procedures pursuant to those laws, rules, regulations, procedures, or guidance[;]
(2) Provides notice to consumers pursuant to those laws, rules, regulations, procedures, or guidance[;] and
(3) Timely provides a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.” SB 318 § 11.
Similarly, “[a]n entity subject to or regulated by state laws, rules, regulations, procedures, or guidance on data breach notification that are established or enforced by state government, and are at least as thorough as the notice requirements provided by this act, is exempt from this act so long as the entity does all of the following:
(1) Maintains procedures pursuant to those laws, rules, regulations, procedures, or guidance[;]
(2) Provides notice to consumers pursuant to those laws, rules, regulations, procedures, or guidance[;] and
(3) Timely provides a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.” SB 318 § 12.
What is the enforcement/penalty mechanism?
“A violation of the notification provisions . . . is an unlawful trade practice under the Alabama Deceptive Trade Practices Act . . . but does not constitute a criminal offense . . . . The Attorney General shall have the exclusive authority to bring an action for civil penalties . . . .” SB 318 § 9(a).
“Any . . . entity or third party agent who is knowingly engaging in or has knowingly engaged in a violation of the notification provisions . . . will be subject to [a civil penalty not to exceed $500,000 per breach].” Notwithstanding the aforementioned remedy, an entity that “violates the notification provisions . . . shall be liable for a civil penalty of not more than $5,000 per day for each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions . . . .”
Is there a private right of action?
No. SB 318 § 9(a)(1), (b)(2).