On March 28, 2018, Gov. Ivey signed SB 318, the Alabama Data Breach Notification Act, into law. This law requires covered entities to implement reasonable, appropriate security measures to protect personal information on state residents from a security breach. Further, it requires employers to notify employees and applicants about any breach of personal information and if the breach is likely to cause substantial harm.
A covered entity is defined as "a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information." Thus, any public or private employer that acquires or uses certain personal information on Alabama residents, including on employees and applicants, is subject to the security measure requirements and breach notification provisions.
Personal information is defined as a resident's first name or first initial and last name in combination with one or more of the following with respect to the same resident:
A non-truncated Social Security number or tax ID number
A non-truncated driver's license number, state-issued ID card number, passport number, military ID number or other unique ID number issued on a government document used to verify the identity of a specific individual
A financial account number, including a bank account number, credit card number or debit card number, in combination with any security code, access code, password, expiration date or PIN, that's necessary to access the financial account or to conduct a transaction that will credit or debit the financial account
Any information regarding an individual's medical history, mental or physical condition, or medical treatment diagnosis by a health care professional
An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual
A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that's reasonably likely to contain or is used to obtain sensitive personally identifying information
Covered entities that experience a breach must notify affected residents within a reasonable time to conduct an appropriate investigation, but no later than 45 days from the determination that a breach has occurred and is reasonably likely to cause substantial harm (with certain exceptions). Importantly, if a covered entity's third-party agent experiences a breach in the agent's system, the agent must notify the covered entity as soon as possible, but no later than 10 days following the determination of the breach or reason to believe the breach occurred. If more than 1,000 Alabama residents are affected by a breach, covered entities must notify the state attorney general and consumer reporting agencies with specific information. Therefore, covered entities need to review third-party service agreements to ensure they're meeting these requirements and to ensure breach procedures are in place should an incident occur.
In addition, the law imposes reasonable security requirements for covered entities and third-party vendors, including an assessment based on the security measures as a whole.
Therefore, employers with employees in Alabama should familiarize themselves with the specific data breach notification requirements, and they should update security measures to adequately protect the data they hold and respond appropriately to any potential data incident. This law is effective May 1, 2018.