United States

Alabama issues data breach notification act: What you should know


Earlier this year, Alabama became the final state to enact a data breach notification law.  On June 1, 2018, the Alabama Data Breach Notification Act of 2018 law (Alabama SB318)1 went into effect.  This law requires covered entities to notify Alabama residents within 45 days when their personally identifiable information (PII) was reasonably believed to have been accessed as a result of a data breach.

How did we get here?

Over the past 20 years, data breaches have increased exponentially impacting virtually everyone in the United States in one way or another.  As a result, states began passing data breach notification laws to help protect individuals.  The first state sponsored data protection law was enacted by California in 2002. Since then every other state, with the exception of Alabama, enacted their own version of the California law.  All of these various state notification laws have the same basic tenants:

  • Organizations or entities first must determine whether or not sensitive data was exposed or acquired by an unauthorized person.
  • If a breach of protected information potentially occurred, the entity then is required to notify the impacted individual(s) as expeditiously as possible and without unreasonable delay.

How does this impact you?

A covered entity, as defined by the law, is essentially any person, business, association or other body which has possession of or access to PII for any individual in the state of Alabama.

This law applies only to electronic data, so there is no requirement pertaining to paper or hardcopy documents. Sensitive data, as defined by this law, generally includes, but is not limited to, first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident:

  • Social security number or tax identification number
  • Non-truncated driver’s license number, passport number or other unique identification number
  • A financial account number
  • Any information regarding an individual’s medical history
  • Health insurance policy number
  • A user name or email address in combination with a password or security question that would permit access to an online account

Covered entities must implement and maintain reasonable security measures to protect PII against a breach. While these measures are broad in nature, at a minimum the covered entity must establish someone(s) within the organization who is responsible for information security and conduct periodic risk assessments to ensure appropriate safeguards are in place to protect sensitive data.

When a potential breach has occurred, a prompt investigation of the incident must be conducted. If a breach is confirmed, the covered entity must notify the individual within 45 days, either in writing or through email, providing details as to the nature of the breach. In certain situations, there may also be a requirement to notify the Alabama attorney general and consumer reporting agencies.

Finally, any covered entity that is found to violate this act will be subject to a $5,000 per day fine for each consecutive day that the entity fails to take reasonable action to comply with the notice, not to exceed $500,000 per breach.

How can RSM help?

RSM’s security, privacy and risk practice can evaluate your organizational information security safeguards by conducting risk assessments, penetration testing and a number of other technical and governance-focused analyses to ensure that your organization is in compliance with the law.  Should a potential breach occur, our digital forensic and incident response team can help conduct the incident investigation.


How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Receive Risk Bulletin by Email


Cybersecurity Rapid Assessment®

Complete our Cybersecurity Rapid Assessment form to be contacted about receiving our "quick-hit" evaluation of your organization’s overall security risk.