On June 1, Alabama’s new data breach notification law goes into effect, which contains notification and other requirements regarding “sensitive personally identifying information” (Sensitive PII). What can Alabama businesses do to prepare and protect themselves?
What is the Alabama Data Breach Notification Act of 2018?
To lay the groundwork, Sensitive PII includes an Alabama resident’s first name or initial and last name combined with one or more of the following data regarding the same resident: a non-truncated SSN or tax ID number; a non-truncated driver’s license number, state ID, passport, military ID, or other unique government ID; a financial account number (e.g., bank or credit/debit card) in combination with any password or code necessary to access the account or to conduct a transaction; information regarding medical history, mental or physical condition, or medical treatment or diagnosis; a health insurance policy number or unique identifier; or a user name or email address, in combination with a password that would permit access to an online account affiliated with your business that is reasonably likely to contain or is used to obtain Sensitive PII.
If your business acquires or uses Sensitive PII and determines that a security breach has occurred or is reasonably believed to have occurred, and is likely to cause substantial harm, you must notify affected individuals as expeditiously as possible and without unreasonable delay, but no later than 45 days after the determination of a breach and likelihood of harm. A security breach is defined as an “unauthorized acquisition of data in electronic form containing” Sensitive PII. If you determine notice is not required, document and maintain your determination for at least five years. The statute also contains individual notification format and content requirements. Substitute notice (e.g., website or media) may be provided if affected individuals exceed 100,000, if there is insufficient contact information, or if direct notice would cause excessive cost relative to your business’s resources. Costs exceeding $500,000 are automatically deemed excessive.
In addition, Attorney General notification is required if the affected individuals exceed 1,000, and must be “as expeditiously as possible and without unreasonable delay,” but not more than 45 days from receiving notice of breach by a third-party agent or upon determination of a breach and substantial likelihood of harm. There are content requirements for such notice, although you may provide supplemental or updated information at any time. If notice is required for more than 1,000 individuals at any single time, you must also notify all consumer reporting agencies without unreasonable delay.
This new law also affects third-party agents maintaining a system on behalf of your business. They must notify you of a breach as expeditiously as possible and without unreasonable delay, but no later than 10 days following their determination (or having reason to believe) that a breach has occurred.
It’s important to note that notification violations are an unlawful trade practice under the Alabama Deceptive Trade Practices Act (ADTPA). There is no private cause of action — the Attorney General has exclusive authority to bring an action for penalties. Violations of the notification provisions are subject to penalties of up to $2,000 per day, and a cap of $500,000 per breach. In addition, any business violating the notification provisions will be liable for a penalty of up to $5,000 per day for each day it fails to take reasonable action to comply with the notification provisions.
While enforcement authority is limited strictly to notification violations, the statute also includes other requirements:
- “Reasonable Security Measures” — Your business and its third-party agents must implement and maintain reasonable security measures to protect Sensitive PII. The law lists “reasonable security measures” as including: designated employees to coordinate protective measures; identifying internal/external risks; adopting safeguards to address identified risks and assessing their effectiveness; retaining service providers contractually required to maintain appropriate safeguards; evaluating and adjusting security measures to account for changes in circumstances affecting the security of Sensitive PII; and keeping management, including the board of directors, appropriately informed of the overall status of security measures. The law also provides guidance on what an assessment of your business’s security measures should consider.
- Breach Investigation — If you determine a breach may have occurred, you must conduct a “good faith and prompt investigation” and the statute lists what such an investigation should consider.
- Records Disposal — The law requires reasonable measures to dispose of or arrange for the disposal of records containing Sensitive PII when they are no longer to be retained, and includes examples of such disposal methods.
It is unclear how these provisions would be enforced, except potentially as consideration of whether a notification violation was willful or with reckless disregard.
What Can Businesses Do To Protect Themselves?
Once you determine a breach may have occurred, things move quickly. Alabama’s 45-day notification period can come and go in a flash. It pays to be as prepared as you can ahead of time.
- Inventory your Data — What do you have and where? In what states do your customers reside? Who has access to data, and with whom can they share it? For what purposes and for how long? Make a record to understand how data flows within your business, and what state or regulatory laws may apply.
- Form a data response team and plan — Form a small, diverse team whose responsibilities include legal, compliance, PR/communications, information governance, IT, HR and possibly more. The team should create a formal data response plan to address breaches of varying scopes and information types. It will need to be consistent but flexible. Train and test it regularly. Review and assess risks, and report them to management, including the board. Make sure policies and practices address the “reasonable security measures” mentioned above.
- Review policies, procedures, agreements and practices — This helps to ensure that the proper safeguards are in place to promote compliance. Are there gaps in your policies? What is covered and not covered by your insurance? Are employees educated on your policies? Most data breaches are caused by human error. As I often tell clients, it doesn’t matter how high you build your castle walls if you’re constantly opening the door. Training against phishing attacks is also highly encouraged.
- What if a breach has occurred? — First, immediately engage outside counsel to help establish attorney-client privilege and work product over the ensuing investigation. They can also help assess and meet legal obligations, mitigate potential liability, and work with communications to create compliant and nuanced messaging. Second, identify the source, type and scope of the compromised data. Preserve a record to retain evidence while restoring system integrity and operations. Identify all notification obligations and deadlines, whether statutory or contained in your vendor agreements or insurance policies. Finally, control the story. Communicate early and regularly, and in a clear, consistent but accurate manner. Try to strike the right balance between giving sufficient information to provide stakeholders with enough confidence that you are on top of it, but not so much that you must retract or correct yourself as the investigation evolves.
Brandon N. Robinson is a partner at Balch & Bingham focusing on energy regulation, cybersecurity and data privacy, and emerging technologies. One of the first Alabama attorneys to obtain the IAPP’s CIPP/US certification as a privacy professional, Robinson counsels multiple industries on data privacy and cybersecurity issues, has worked with a number of agencies in developing industry-wide standards and best practices, and serves as the editor of the firm’s Data Privacy & Security Observer blog, which covers legal developments in data privacy & cybersecurity and can be accessed at dataprivacyandsecurityobserver.com.