Data Privacy Map - Alabama

Highlights

Covered Entities: A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information for Alabama residents.

Consumer Notification: Notification must be provided to any Alabama resident whose sensitive personally identifying information has been acquired by an unauthorized person.

Regulatory Notification: Notification must be provided to the Alabama Attorney General where more than 1,000 Alabama residents are required to be notified of a breach.

Notification Timeline: Notice shall be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to conduct an investigation, and within 45 days of discovering that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.

Data Format: Electronic.

Citations: Ala. Code §§ 8-38-1 to 8-38-12.

More Details

Definitions:

• Breach: Unauthorized acquisition of data in electronic form containing personal information for Alabama residents.
• Personal information (PI):
  • An Alabama resident’s first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident:
    • Social Security number or tax identification number;
    • Driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual;
    • Financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
    • Medical information; or
    • Health insurance information.
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
• Medical Information: Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
• Health Insurance Information: An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

Safe Harbors:

• Encryption: Notification is not required when the PI is truncated, encrypted, secured, or modified by any other method or technology that renders PI unreadable or unusable, unless the encryption key or security credential is also acquired.
• Good Faith: Notification is not required where there is good faith acquisition of PI by an employee or agent of an entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use.
• Risk of Harm: Notification is not required unless the breach is reasonably likely to cause substantial harm to the individuals to whom the PI relates.
• Law Enforcement Delay: Notification may be delayed if a federal or state law enforcement agency determines that notice would interfere with a criminal investigation or national security, and if the agency provides a written request for the delay.
• Public Record: Notification is not required where there is a breach of information about an individual where such information has been lawfully made public by a federal, state, or local government record or a widely distributed media.

Direct Notice:

• Timing: Notification must be provided “as expeditiously as possible and without unreasonable delay,” taking into account the time necessary to conduct an appropriate investigation, but no later than 45 days after discovery and determination that the breach is likely to cause substantial harm.
• Format: N/A
• Content: Notification letters must include, at a minimum:
  • The date, estimated date, or estimated date range of the breach;
  • A description of the PI that was acquired by an unauthorized person as part of the breach;
  • A general description of actions taken to restore the security and confidentiality of PI involved in the breach;
  • A general description of steps an affected individual can take to protect against identity theft; and
  • Information that the individual can use to contact the subject entity about the breach.
• Method: Notification letters must be provided by mail or by email to the individual at the mailing address or email address of the individual, as reflected in the records of the entity.

Substitute Notice:

An entity may provide substitute notice if (1) the cost of providing direct notice is excessive relative to the entity’s resources (provided that the cost of notification is considered excessive if it exceeds $500,000); (2) the affected individuals to be notified exceeds 100,000 persons; or (3) the entity does not have sufficient contact information to provide direct notice. Substitute notice must include: (1) conspicuous posting of the notice on the website of the entity if the entity maintains one, for a period of 30 days; and (2) Notice to major print and broadcast media in Alabama.

Remediation Services:

N/A

Regulatory Notice:

Notification must be provided to the Alabama Attorney General where the number of residents to be notified “exceeds 1,000.” Notice to the Attorney General must include:

• A synopsis of events surrounding the breach;
• The approximate number of affected state residents;
• Information and instructions on any services the entity is offering to affected residents, without charge, related to the breach;
• The contact information of the employee or agent from whom additional information may be obtained.

Credit Reporting Agencies Notice:

If an entity learns of a breach requiring notice to more than 1,000 Alabama residents at one time, the entity must also notify all consumer reporting agencies of the timing, distribution, and content of the notices without unreasonable delay.

Third-Party Notice:

If a third party agent “that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity” learns of a breach, the third party agent must notify the covered entity no later than 10 days after the determination of a breach or a reason to believe a breach has occurred.

HIPAA:

An entity subject to or regulated by federal laws, rules, regulations, procedures, or guidance on data breach notification established or enforced by the federal government (including HIPAA) is exempt from notification under Alabama’s data breach notification law, as long as the entity: (1) maintains procedures pursuant to such federal authorities; (2) provides notice pursuant to such federal authorities; and (3) timely provides a copy of the notice to the Alabama Attorney General when the number of Alabama residents the entity notified exceeds 1,000.

Private Action:

N/A

Associated Regulations:

• Information Security Standards (Ala. Code §§ 8-38-3, 8-38-10)
• Insurance Data Security Law (Ala. Code §§ 27-62-1 to 27-62-11)

Highlights

Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Alabama, not including a purchasing group or a risk retention group chartered and licensed in a state other than Alabama or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for nonpublic information and the licensee’s information systems. Certain licensees may be exempt as set forth in Ala. Code § 27-62-9.

Consumer Notification: A licensee shall comply with the Alabama Data Breach Notifications Act of 2018, Chapter 38 of Title 8, as applicable.

Regulatory Notification: A licensee shall notify the Commissioner of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.

Notification Timeline: As promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.

Citations: Ala. Code §§ 27-62-1 – 27-62-11

More Details

Definitions:

• Consumer: An individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of Alabama and whose nonpublic information is in the possession, custody, or control of a licensee.
• Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of an information system or nonpublic information stored on an information system, not including an event resulting in the unauthorized acquisition of encrypted nonpublic information or an event where the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
• Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Alabama, not including a purchasing group or a risk retention group chartered and licensed in a state other than Alabama or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
• Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
  
  • Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with:
    
    • Social Security number;
    • Driver’s license number or nondriver identification card number;
    • Financial account number or credit or debit card number;
    • Security code, access code, or password that would permit access to a consumer’s financial account; or
    • Biometric records.
  • Any information or data, except age or gender, created by or derived from a health care provider or a consumer, that can be used to identify a consumer and relates to:
    
    • The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
    • The provision of health care to any consumer; or
    • The payment for the provision of health care to any consumer.

Regulatory Notice:

A licensee shall notify the Commissioner of Insurance as promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:

• Alabama is the state of domicile of the licensee, in the case of an insurer, or the home state of the licensee, in the case of a producer, as those terms are defined in Ala. Code § 27-7-1, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing Alabama or any material part of licensee’s operations.
• The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing Alabama and the cybersecurity event is either:
  
  • A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law, or
  • A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Alabama or a material part of licensee’s operations.

Content Requirements:

When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:

• The date of the cybersecurity event.
• A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
• How the cybersecurity event was discovered.
• Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
• The identity of the source of the cybersecurity event.
• Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
• A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
• The period during which the information system was compromised by the cybersecurity event.
• The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
• The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
• A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
• A copy of the privacy policy of the licensee and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
• The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

Third-Party Notice Requirements:

If a licensee discovers that a cybersecurity incident in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Commissioner of Insurance unless the third-party service provider provides the notice.

Penalties:

An insurance producer violating this chapter may be penalized in accordance with Section 27-7-19. Any other licensee may be subject to the suspension or revocation of the license or certificate of authority of the licensee or, in lieu thereof and at the discretion of the Commissioner, subject to a fine of up to $10,000 per violation.

Associated Regulations:

N/A

Highlights

Covered Entities: A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.

First Party Security Standard: A business that owns, licenses, or maintains personal information about an Alabama resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Third Party Security Standard: Each covered entity and third-party agent shall implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.

Disposal/Destruction Standard: Must take reasonable measures to dispose, or arrange for the disposal, of records containing personal information when such records are no longer needed for business purposes or to comply with applicable law or regulations.

Data Format: Electronic.

Citations: Ala. Code §§ 8-38-3 and 10

More Details

Definitions:

• Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following data elements:
  
  • Social Security number or tax ID number;
  • Driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual;
  • Financial account number, including a bank account number, credit or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
  • Information regarding medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • Health insurance policy number or subscriber identification number and any unique identifier used by a healthcare provider to identify an individual; or
  • Username or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the entity that is reasonably likely to contain or is used to contain personal information

Methods of Compliance:

Pursuant to subsection (c), entities must implement and maintain reasonable security measures which take into account multiple factors to include the size of the organization protecting data; the scope and size of sensitive data collections along with the means to access, acquire, maintain, store, or utilize data; and the costs to implement and maintain security measures to prevent a data breach.

Exclusions:

• Health Care: N/A
• Financial: N/A
• Other: N/A

Enforcement/Penalties:

• Enforcement: A violation of the notification provisions of this chapter is an unlawful trade practice under the Alabama Deceptive Trade Practices Act, Chapter 19 of this title, but does not constitute a criminal offense under Section 8-19-12. The Attorney General shall have the exclusive authority to bring an action for civil penalties under this chapter.

Associated Regulations:

N/A