
Global Data Privacy Guide

USA, Alabama

(United States) Firm Maynard Nexsen Updated 17 Jun 2022
What is the key legislation?

The key privacy/data security legislation in Alabama is the Alabama Data Breach Notification Act of 2018 (the “Act”), which governs the obligations of entities that acquire or use sensitive personally-identifying information of Alabama residents. 

What data is protected?

The Act protects sensitive personally-identifying information, which is defined as an Alabama resident’s first name or first initial and last name in combination with one or more of the following data points:

  • a non-truncated Social Security number or tax identification number;
  • a non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify an individual;
  • a financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN that is necessary to access the financial account or to conduct a transaction that will credit or debit the account;
  • any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  • an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
  • a user name or email address, in combination with a password or security question and answer, that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain, or is used to obtain, sensitive personally-identifying information.

Sensitive personally-identifying information does not include information that has been made publicly available through federal, state, or local government records or widely distributed media. It also does not include information that has been truncated, encrypted, secured, or modified by any other technological method that renders it unusable, including encryption of the data, document, or device containing the sensitive personally-identifying information. This exemption is lost, however, if the covered entity knows or has reason to know that the encryption key or security credential that could render the information readable or usable was breached together with the information; encrypted data whose key was taken in the same incident is treated as unencrypted for purposes of the Act.

Who is subject to privacy obligations?

Covered entities and third-party agents who acquire or use sensitive personally-identifying information are subject to the Act.

  • “Covered Entity” means a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally-identifying information.
  • “Third-Party Agent” means an entity that has been contracted to maintain, store, or process sensitive personally-identifying information, or is otherwise permitted to access it, in connection with providing services to a covered entity.
     
What are the principles applicable to personal data processing?

N/A

How is the processing of personal data regulated?

N/A

How are storage, security and retention of personal data regulated?

The Act requires covered entities and third-party agents to implement and maintain reasonable security measures to protect sensitive personally-identifying information against a breach of security. The following security measures should be considered:

  • designation of an employee or employees to coordinate the covered entity’s security program;
  • identification of internal and external risks of a breach of security;
  • adoption of appropriate information safeguards to address the identified risks of a breach of security, and assessment of the effectiveness of those safeguards;
  • retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally-identifying information;
  • evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally-identifying information; and
  • keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.

The Act also requires covered entities and third-party agents to take reasonable measures to dispose of, or arrange for the disposal of, records containing sensitive personally-identifying information within their custody or control when the records are no longer required to be retained under applicable law, regulations, or business needs. Disposal includes shredding, erasing, or otherwise modifying the personal information in the records so that it is unreadable or undecipherable through any reasonable means consistent with industry standards.
 

What are the data subjects' rights?

N/A
 

Are there restrictions on cross-border data transfers?

N/A

Are there any notification requirements for data breaches?

If a covered entity determines that, as a result of a breach of security, sensitive personally-identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and that the acquisition is reasonably likely to cause substantial harm to the individuals to whom the information relates, the covered entity shall give notice of the breach to each affected individual. Notice shall be provided as expeditiously as possible and without unreasonable delay, taking into account the time necessary for the covered entity to conduct an investigation in accordance with Section 4 of the Act, but in no event later than 45 days from either receipt of notice of the breach from a third-party agent or the covered entity’s determination that a breach has occurred and is reasonably likely to cause substantial harm to the affected individuals.

If the number of Alabama residents a covered entity is required to notify exceeds 1,000, the entity shall also provide written notice of the breach to the Alabama Attorney General within the same 45-day period. Written notice may be submitted through the online portal on the Attorney General’s website, https://ago.alabama.gov/Myago/. In that case the covered entity shall also notify the major consumer reporting agencies without unreasonable delay.

A third-party agent that determines it has experienced a breach of security in a system it maintains shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days following its determination that a breach of security occurred or its having reason to believe that a breach occurred. Because the covered entity’s own 45-day clock can start on receipt of this notice, the contract between the parties should require that the notice be delivered promptly and to a designated contact.
 

Who is the privacy regulator?

Pursuant to the Act, the Alabama Attorney General has the exclusive authority to bring an action for civil penalties under the Act.

What are the consequences of a privacy breach?

The Attorney General has the exclusive authority to bring an action for violations of the Act and may bring an action for damages in a representative capacity on behalf of any named individual or individuals. 

A covered entity or third-party agent that knowingly engages in, or has knowingly engaged in, a violation of the notification provisions of the Act is subject to the penalties assessed under Section 8-19-11, Code of Alabama 1975. Civil penalties assessed shall not exceed five hundred thousand dollars per breach.

The Act also imposes a fine of no more than five thousand dollars per day for each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions of the Act.
 

How is electronic marketing regulated?

N/A

Are there any recent developments or expected reforms?

No. The Act went into effect on June 1, 2018.
