Several weeks ago, South Dakota and Alabama became the final two states to enact data breach notification laws. The Alabama Data Breach Notification Act of 2018 takes effect on May 1, 2018, and imposes information security, breach notification and data disposal requirements on organizations handling Alabama residents’ personal information.
Alabama requires organizations to implement and maintain reasonable security measures
Alabama joins a minority of states that mandate security controls; its new law requires organizations that acquire or use personal information (“covered entities”) to protect the information with “reasonable security measures.” To guide organizations and regulators, the statute lists several considerations to help identify reasonable security measures, including whether the organization has designated an individual to coordinate its security measures, tailored security measures to an appropriate assessment of the organization’s risk scenarios and kept its management informed of the security measures. A reasonableness assessment must also consider the organization’s size, the amount of sensitive data it uses and how it uses it, and the cost to implement certain measures, and should focus on failures that are “multiple or systemic.” The statute also requires organizations to properly dispose of sensitive data that is no longer required to be retained pursuant to applicable law, regulations or business needs. Notably, however, the statute’s civil penalty provisions apply only to violations of the notice requirements discussed below.