You’ve Been Notified: Alabama May Join Other States in Enacting Data Breach Notice Law

Forty-seven states and the District of Columbia have laws requiring notice of a data breach to potentially affected individuals.[1] Alabama may soon join the crowd.

Bills creating the Alabama Information Protection Act of 2016 are progressing through the Alabama House and Senate. Alabama currently has no generally applicable data breach notice law. The proposed bill would require entities maintaining personal information to notify affected individuals, the Attorney General, and credit reporting agencies in the event of a security breach compromising personal information of more than 1,000 individuals. As a preemptive measure against data breaches, the bill would also require that companies maintain “reasonable security measures” to protect personal information in electronic form.

What counts as a data breach under the bill, the “unauthorized acquisition” of “sensitive personally identifying information,” is a low threshold. Disclosure of a person’s name in connection with his or her driver’s license number, social security number, or a financial account number with an access code “in electronic form” is sufficient to trigger the law.

The Act explicitly would not create a private cause of action, and a violation would not be a criminal offense. A covered entity who fails to provide the required notice could be subject to a civil penalty of up to $50,000, however. And breaches by governmental entities and their third-party agents would be listed in an annual report to the Governor. Notably, the Act would not apply to entities covered by certain Alabama insurance laws, financial institutions covered by various federal laws, or entities otherwise covered by HIPAA.

With data breaches becoming an increasingly important aspect of law and business and with indications of a possible federal data breach law, the progression of this bill will be of interest. Of course, whether the standards it imposes are any more stringent than the measures covered entities already take of their own accord remains to be seen.

[1] National Conference of State Legislatures, Security Breach Notification Laws, (Jan. 4 2016),

Carol Thetford Montgomery
