Not to be outdone, Alabama is the final state to pass a Data Protection Bill

Right on the heels of South Dakota, which passed its data protection bill in February of this year, Alabama is the 50th and final state to pass a data protection bill. Alabama SB 318 was passed this month. The codification of state data protection laws began in 2003 with California, and to date every remaining state has followed suit.

SB 318 appears to borrow terminology, and some of its application, from the Health Insurance Portability and Accountability Act (HIPAA).

Class of protected individuals

The statute applies to individuals residing within the state.

Individuals' rights

Individuals are afforded protection from a breach, which is defined as the unauthorized acquisition of personally identifiable information (PII). In some jurisdictions PII is referred to as personal data.

Data protected

The statute defines the PII it protects as "electronic data" consisting of any of the following:
  • Identification numbers (military ID, driver's license, Social Security number, or other government-issued ID),
  • financial account information (account numbers, routing numbers, PIN),
  • a combination of username and password used to access account information,
  • security codes and encryption keys*, and
  • protected health information (PHI), etc.

The statute does not apply to publicly available information or information obtained in good faith.

Compliance

Data controllers, data processors and business associates are tasked with complying with the law. The statute refers to data controllers as covered entities, a term used in HIPAA. The AL statute's use of the term covered entity is broader than HIPAA's and extends to any person or entity that acquires and uses PII. Further, it can be inferred that business associates and processors are what the statute calls third-party agents.

Safe harbors

Disclosure of a breach is not required if the data was encrypted. Encryption significantly reduces the risk of harm to individuals, because the data is virtually impossible to access without the key.

Duties of data controllers

Controllers of data must maintain safeguards to protect personal data, use appropriate measures to mitigate the harm caused by breaches, and report breaches to the affected individuals within 45 days of reasonable discovery.

Controllers may provide substitute notice if the cost of notifying the affected parties exceeds $500,000. Substitute notice is also appropriate where the number of individuals affected exceeds 100,000. Substitute notice can be given through print, broadcast, online or other media outlets.

If more than 1,000 individuals are affected by the breach, the controller must report the details of the breach to the State Attorney General.

In addition, the bill imposes a duty on business associates and data processors to safeguard personal data and to report a data breach to the controller within 10 days of discovery.

Enforcement

Individuals do not have a private right of action to sue data controllers, processors or business associates if a breach of their personal data occurs.

The statute is enforced through the State Attorney General's office. A controller could be fined $5,000 per day for failing to take the steps necessary to mitigate the breach, and up to $500,000 for failing to notify the appropriate parties. Government entities are excluded from fines but not from the notice requirements.

You may click the links within this article to get further information on each term's meaning and usage in this context. Lastly, I have an article on LinkedIn that compares AL SB 318 and SD SB 62, the two last state data protection bills.
