Not to be outdone Alabama is the final state to pass a Data Protection Bill

Right on the heels of South Dakota, who passed their data protection bill in February of this year, Alabama is the 50th and final State to pass a data protection bill. Alabama SB 318 was passed this month. The codification of state data protection laws began in 2003 with California. To date all remaining states have followed suit.

SB 318, seemingly incorporates Health Insurance Portability Accountability Act's (HIPAA) terminology and some application.

Class of protected

The statute applies to individuals residing within the state.

Individuals rights

Individuals are afforded protection from the breach, which is defined as the unauthorized acquisition of personally identifiable information (PII). PII is also referred to as personal data, in some jurisdictions.

Data Protected
The statute outlines the type of PII that is protected under the statute as “electronic data” that can be any of the following :
  • Identification number (military, driver’s license,  social security numbers, or other government issued ID),
  • financial account information (account numbers, routing numbers, pin),
  • a combination of username and password used to access account information,
  • Security codes, encryption key*,  and
  • Protected health information (phi), etc.

The statute does not apply to publicly available information or information obtained in good faith.

Compliance
Data controllers, data processors and business associates are tasked with complying with the law. The statute refers to data controllers as covered entities, a term used HIPAA. The AL statute’s use of the term covered entity is broader than HIPAA’s and extends to persons and entities that acquire and use PII. Further, it can be inferred that Business Associates and processors are referred to as third party agents.

Safe harbors
Disclosure of a breach is not required if the data is encrypted. Encryption significantly reduces the risk of harm to individuals, making it virtually impossible to access the data without a key.

Duties of data controllers
Controllers of data must maintain safeguards to protect that personal data, use appropriate measures to mitigate the harm caused by breaches and report breaches within 45 days after reasonable discovery to individuals.

Controllers may provide substitute notice, if the cost to notify the affected parties exceeds $500,000. Substitute notice is also appropriate where the amount of individuals affected exceeds 100,000 persons. Substitute notice can be achieved through print, broadcast and or online other media outlet.

If more than 1,000 individuals are affected by the breach, the controller must report to the details of the breach to the State Attorney General.

In addition, the bill imposes a duty on Business associates and data processors to safeguard the personal data and report data breach to controllers within 10 days of discovery.

Enforcement
Individuals do not have have a Private right of action to sue data controllers/processors/business associates, if a breach of their personal data occurs.

The statute is enforced through the state attorney general’s office. A controller could be fined $5,000 per day for failing to take steps necessary to mitigate the breach and up to $500,000 for failing to notify the appropriate parties. Government entities are excluded from fines but not the notice requirements.

You may Click the links within this article to get further information on the term’s meaning and usage in this context. Lastly, I have an article on LinkedIn that compares AL SB 318 and SD SB 62, as the two last state data protection bills.

Comments

Post a Comment

all comments to this blog are moderated

Popular posts from this blog

Sample Privacy Risk Assesment Example and Explanation

Image
Privacy impact assessments (PIAs) are a tool that can be used to identify and reduce privacy risks. A PIAs can reduce the risks of harm to individuals by preventing the misuse of their personal information. PIAs are an integral part of taking a privacy by design ( PbD ) approach. They are used to design more efficient and effective processes for handling personal data. The use of PIAs is not something new, in fact the process has been used by a number of companies, entities and governments for over forty years now.  The PIA was created by the United States Office of Technology Assessment. The U.S. office of Management and Budget (OMB) publishes guidance on the implementation the privacy provisions by Federal Agencies under E-Government Act of 2002, including when to conduct a PIA. Under GDPR,  PIAs have become a centerpiece and necessary in certain situations. A PIA must be completed if a company is doing one of the following: Data controller or the data processor o
Read more

Preserving User Privacy in Digital Advertising: Navigating Consent and Privacy by Design

  By Victorianne Musonza #privacy-by-design #digitaladvertising #dataprivacy #CCPA #GDPR In the ever-evolving world of digital advertising, user consent, and data privacy should be an afterthought but rather something that is built into the design. As companies strive to engage consumers effectively, it is important to address these issues and implement robust mitigation strategies, all while embracing the concept of privacy by design. User consent is a major focus for data privacy in digital advertising. Consumers must have clear, transparent information about how their data is collected, used, and shared. By obtaining explicit consent, companies can establish trust and ensure that users are aware of the purpose and extent of data processing. This consent should be easily accessible, providing users with options to manage their preferences and exercise control over their personal information. However, obtaining mere consent is not enough; organizations must prioritize data privacy mit
Read more

Cross Border Transfer Mechanism: Model Clauses

A cross border transfer is one where the personal data is transferred from the EU to a country that is outside of the EU (EEA*). If the country where the data is transferred to does not have an adequate level of protection, a transfer mechanism must be used. Under GDPR, Model clauses are one of the many mechanism that can use used for cross border transfers . Model Clauses (Also known as Standard Clauses) are contractual clauses that are generally drafted and adopted a Data Protection Authority (DPA).  The Commission (One of the many EU governmental bodies) may also adopt Model Clauses, but have yet to do so. MCs set out the duties and obligations for both Controllers and Processors.  There are several noticeable differences between MCs and Binding Corporate Rules (BCRs): MCs require processors to provide an adequate level of protection of the personal data. MCs maybe used by unrelated entities. MCs do not require approval by the DPA.  MCs can not be altered and tailored.
Read more