The September 2017 Equifax data breach compromised the personal information of nearly 148 million Americans. Less than a year later, every state in the country had a consumer data breach notification law in place. Alabama was the last state to enact legislation mandating when and how affected residents were to be notified of a breach’s discovery.
The Alabama Data Breach Notification Act (SB318) went into effect on May 1, 2018. It requires companies in the state to, among other things, provide residents with timely notification of a breach of their data. The law aligns with the current administration’s cybersecurity executive order, which we’ll cover in a separate post. For now, here’s what you should know about SB318, including how to stay compliant.
The Challenges of Keeping Critical Company Data Secure
We live in a data-driven world where companies big and small contend with massive amounts of sensitive data every day. To protect that data, they have invested in measures such as multi-factor authentication, technical security assessments, and partnerships with third parties such as managed services providers. Remote work has made protecting sensitive data even harder, because many home networks are poorly secured and susceptible to ransomware attacks.
While the U.S. currently has no federal law governing data protection, Alabama businesses must adhere to the state’s requirements for protecting sensitive personally identifying information.
Your Business’s Responsibilities Under The Alabama Data Breach Notification Act
The primary aim of SB318 is to require timely notification to affected individuals when their personal information has been compromised. What does this mean for business owners? That they must be aware of two crucial facts:
- Any business of any size can experience a data security breach.
- Under the Alabama law, merely fixing the breach is not enough.
The Alabama Data Breach Notification Act applies to covered entities (businesses and third-party service providers that store, process, or transmit sensitive personally identifying information (SPII), as well as government entities) and imposes four main requirements on them:
1. Implement Reasonable Security Efforts to Protect Sensitive Data
Reasonable security efforts include:
- Designating a person responsible for data security issues.
- Identifying internal and external risks to SPII.
- Establishing a data protection program to mitigate identified risks.
- Contractually obligating third-party vendors to comply with the Act by maintaining safeguards that protect SPII.
- Evaluating and adjusting data protection mechanisms when changes occur.
- Keeping management informed of the state of the business’s security.
Businesses should conduct a risk assessment to determine where their data is flowing and how SPII might be lost. Proper cybersecurity controls and best practices should then be put in place to protect SPII from cyber threats.
2. Conduct Good Faith Investigations After Data Breaches
When a business discovers a breach has occurred, whether recently or in the past, it must conduct a prompt investigation that includes:
- Assessing the nature and scope of the breach.
- Identifying any SPII involved and the identity of affected individuals.
- Determining whether SPII has been or is reasonably believed to have been acquired by an unauthorized person and is likely to cause substantial harm.
- Identifying and implementing measures to restore security.
Experts suggest businesses that fall victim to a data breach consult with a privacy attorney to assist them with their response, evidence collection, and notification process.
3. Provide Written Notification to Victims Post-Breach
If your business suffers a security incident involving the SPII of Alabama residents, you must notify them of the breach when both of the following are true:
- Your electronically stored SPII is reasonably believed to have been or has been acquired by an unauthorized person.
- The acquisition is likely to cause substantial harm to the affected individual.
SPII includes an individual’s first name or first initial and last name combined with a non-truncated Social Security, tax identification, driver’s license, military ID, passport, or state-issued identification card number. Other data elements that, together with the individual’s name, qualify as SPII and trigger action under SB318 include:
- Financial account, credit, and debit card numbers and their security codes, expiration dates, PINs, passwords, or access codes.
- An individual’s medical history or history of mental health treatment.
- Health insurance policies or identification numbers.
- User names and email addresses together with passwords or security questions and answers.
4. Dispose of Records Containing SPII
Businesses must dispose of all records containing SPII by erasing, shredding, or otherwise altering the records’ information to make it undecipherable or unreadable through any reasonable means consistent with industry standards.
A violation of SB318 is not a criminal offense, but if a company knowingly violates the law, the attorney general can seek penalties for a deceptive trade practice. Violators are subject to a $2,000 per person penalty, capped at $500,000.
Maintaining your business’s SPII security is a complex task. An IT managed services provider can ensure you stay compliant with the Alabama Data Breach Notification Act while mitigating the chances of a cyber breach at your company. There’s no easier way to ensure your business is secure.