The Alabama Data Breach Notification Act of 2018 (2018-396) (the Act) requires a business entity to notify its consumers of a breach in security that results in the “unauthorized acquisition of sensitive personally identifiable information.” With the passing of the Act on March 28, Alabama is now the final state to enact a breach notification law.
Information that has already been made public is exempt from the Act’s definition of sensitive personally identifying information, as is information that has been truncated, encrypted, secured or otherwise modified by any method or technology that removes the elements that personally identify an individual or otherwise renders the information unusable.
If an entity determines that a breach of security “has or may have occurred in relation to sensitive and personally identifying information,” the entity is required to conduct a “good faith and prompt investigation” to:
- Assess the nature and scope of the breach;
- Identify any sensitive personally identifying information that may have been involved;
- Determine whether the sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person who is likely to cause substantial harm to affected individuals; and
- Identify and implement measures to restore the security and confidentiality of the systems compromised in the breach.
While conducting the investigation, the entity should consider the following indications stated in the Act to determine whether sensitive personally identifying information has been acquired:
- An unauthorized person has physical possession or control of sensitive personally identifying information, such as a lost or stolen computer or other device.
- Sensitive personally identifying information has been downloaded or copied.
- An unauthorized person has used the information to open fraudulent accounts, or there are instances of reported identity theft.
- The information has been publicized.
After conducting the investigation, the entity must provide notification to its consumers within 45 days of determining that a breach of security has occurred. According to the Act, the written notice should include:
- The date, estimated date or the estimated date range of the breach;
- A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach;
- A general description of the actions taken by the entity to restore the security and confidentiality of the personal information involved in the breach;
- A general description of protective measures that the individual may take; and
- Contact information should the consumer wish to inquire about the breach.
If the entity is reporting to more than 1,000 individuals, the entity must also provide a written notice to the Alabama Attorney General stating that a breach has occurred and there is a reason to believe that the breach may cause harm to the individuals whose information has been compromised. This notice should be provided as “expeditiously as possible” and within 45 days. In addition, the entity must also notify the three major credit card reporting agencies of the timing, distribution and content of the notices sent to individuals.
In addition to the notification measures, the Act also states that entities should utilize proactive measures to prevent a breach of security from taking place. These obligations can be found here, along with steps that your organization should take concerning proactive security measures. Failure to comply with the Act’s notification provisions constitutes an “unlawful trade practice” under the Alabama Deceptive Trade Practice Act.
Warren Averett Technology Group can assist your company in several ways related to the Act. The first and best way to address the responsibility of security is to take preventative measures. A few examples of proactive IT security assistance Warren Averett Technology Group might provide, as well as tips for establishing reliable security measures, are as follows.
- Strong policies, procedures and employee training are vital.
- Encryption of user devices and email also aids in security by making the information unusable by outside parties.
- Penetration testing, also known as an “ethical hack,” and vulnerability scanning can reveal network vulnerabilities that might have been exploited by those with malicious intent.
- An IT Risk Assessment reviews a company’s administrative, technical and physical controls and provides a formal Report of Findings to management to aid in making necessary adjustments in advance of a breach occurring.
- Business Continuity planning is important to ensure that your company has steps in place to avoid and mitigate risks associated with a disruption in operations.
- Warren Averett Technology Group provides best practice hardware, software and cloud-based solution recommendations, as well as project and implementation assistance.
- Additionally, Warren Averett Technology Group can aid in the creation, implementation and maintenance of a plan that includes:
  - Documentation of the policy and control environment;
  - Assistance in selecting and assigning appropriate compliance management oversight;
  - Provision of recommendations for resources who can aid in compliance through regular training and communications;
  - Aid in the implementation of regularly scheduled maintenance and auditing of IT Controls;
  - Consistent enforcement of the control environment; and
  - Assistance in developing a prevention strategy and response to incidents and gaps in IT Controls.
Finally, while it is important to note that responsibility cannot be outsourced, if a breach has occurred, Warren Averett Technology Group can provide knowledge and resources to aid in remediation services and support. For more information about how the new law will impact your business, contact your Warren Averett Technology Group advisor.