Alabama is the final US state to enact data breach notification legislation. The new law takes effect on June 1, 2018 and applies to electronic “sensitive” data. This includes full Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and a user name or email address (in combination with a password or security question). Exceptions exist for both encrypted and “truncated” information.

For a breach to occur, the information has to have been acquired. Companies are to conduct an investigation if they believe a breach may have occurred, and the law provides for several factors companies should consider when trying to determine if information has been subject to unauthorized acquisition. These include indications that the information is in the hands of an unauthorized person, that the information has become public, and evidence that the information has been downloaded or copied. Notice can be delayed if it interferes with law enforcement investigation.

The law provides for specific content to be included in notice to impacted individuals. This includes date or date range of the breach, type of information impacted, what the company has done to restore the security of the information, how the person can protect him or herself, and contact information for the company. Substitute notice is permitted if more than 100,000 people are impacted or the cost of notice is over $500,000. If more than 1,000 residents are impacted then the company also needs to notify Alabama’s Attorney General.

Putting it Into Practice: For companies with national incident response plans, you may want to update your IRP generally, and in particular to include the notice to the Alabama attorney general.