On Wednesday, March 28th, Alabama became the 50th state to enact a breach notification law with the passing and signing of the Alabama Data Breach Notification Act of 2018 (2018-396) (the Act). This Act requires a business entity that “acquires or uses sensitive personally identifiable information” to have certain security measures in place to help prevent a cybersecurity breach from occurring, as well as certain response and notification measures to alert affected individuals of the breach or cybersecurity event within a reasonable amount of time.
Sensitive personally identifiable information relates to (1) non-truncated or non-encrypted social security numbers, Tax IDs, drivers licenses, (2) financial institution account numbers in connection with security access codes and passwords, (3) medical history or diagnosis, (4) health insurance numbers or IDs or (5) a user name or email address in connection with a password or security question and answer. Already made public information is exempt from this definition, along with truncated, encrypted, secured or securely removed elements of the identity of the individual.
Companies that work in cyberspace face a never-ending barrage of potential security events from a growing list of internal and external risks. Warren Averett’s IT experts have dedicated their careers to helping companies identify these risks and employ effective security measures to respond to breaches. In light of the measures presented in this Act (Section 3), our professionals have evaluated the new requirements concerning security measures and have given insight into which steps organizations should take in response below:
- What the law requires: (3.c.1) Designation of an employee or employees to coordinate the covered Entity’s security measures.
- What that means for your company: An individual or a group within your organization should be designated as the Information Security Officer or the Information Security Committee or have an equivalent title. This person or group of persons should oversee and have knowledge of the organization’s risks, potential risks the organization may face in the future, controls that have been put in place to prevent breaches, controls put in place by third-party providers, how vendors use sensitive information, ways the company may change in the future and what controls will be needed to respond to such change and how all of this information is communicated internally, among other general cybersecurity knowledge and insight as it specifically pertains to your organization.
- What the law requires: (3.c.2) Identification of internal and external risks of a breach of security.
- What that means for your company: An annual risk assessment should be completed for the entire organization, or at least the IT department. Consider where your organization may have weaknesses pertaining to cybersecurity, including an evaluation of which of your service providers have information about your business and the type of information in their procession.
- What the law requires: (3.c.3) Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards.
- What that means for your company: Your organization should have solid information technology and security controls in place to prevent breaches/incidents. Use the risks that your company identifies in itself to identify areas of concern, and respond to those by implementing provisions that will reduce or eliminate your risk. Once you have established these safeguards, continue to test them regularly to determine their effectiveness (i.e., IT reviews, vulnerability scans, or penetration testing).
- What the law requires: (3.c.4) Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.
- What that means for your company: Ensure that your organization has a thorough understanding of what pieces of sensitive information each of your vendors has access to and what they are doing with them. Contact your third-party service providers to discuss safeguards they have in place for their own organizations, and learn how that will in turn impact your company. Organizations should understand the risks associated with allowing third-parties to have access to sensitive information. Verify the controls that have been put in place by those third-party service providers (i.e., a solid vendor management policy that requires security questionnaires and auditing of certain safeguards, if deemed applicable).
- What the law requires: (3.c.5) Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information.
- What that means for your company: Your organization should have all security measures reviewed periodically and be able to change those controls around sensitive information and data. Cybersecurity is always changing, and your organization is too. It’s important to keep evaluating your company’s happenings, its controls and how the two are interacting to achieve optimum effectiveness.
- What the law requires: (3.c.6) Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures; provided however, that the management of a government entity subject to this subdivision may be appropriately informed of the status of its security measures through a properly convened execution session under the Open Meetings Act pursuant to Section 36—25A—7, Code of Alabama 1975.
- What that means for your company: Outside of governmental entities, all organizations should have a clear communication line between the information security department/division of the organization and the board of directors and management through minutes of the status of security posture to information security/technology committees that oversee the role and controls of the IT and Information Security Environment of the Organization.
This Act by the State of Alabama provides relevant and effective guidance for all businesses in all industries. However, these can be intimidating steps for organizations, especially those that are small in size or that have not previously had someone who kept abreast of IT risks, needs and effects. Warren Averett’s Risk and Controls group has experts on hand to discuss maintaining and validating solid Information Technology and Security Environments – through IT Control Reviews/Examinations, SOC 2® Reports on Security or the newly created, SOC for Cybersecurity. These examinations and frameworks provide organizations of all sizes the appropriate roadmap to maintain “reasonable security measures” against cybersecurity risks and threats.