Trenam Cybersecurity Update: All 50 States Now Have Data Breach Laws
Data privacy law in the United States continues to evolve at a rapid pace, and all companies would be wise to pay close attention. As any company that has experienced a data breach can attest, the location of a company’s offices does not solely determine which law applies. Instead, companies must comply with the data privacy and notification laws of all states where affected employees, customers, or other individuals live. For that reason, companies should update their information-governance policies and procedures to comply with changes to any state’s data privacy laws.
In March 2018, Alabama became the 50th state to enact a data breach law. As a result, the proverbial patchwork of state data breach laws is finally complete. This is important for companies not only in Alabama, but in every state. The new Alabama data privacy law is also noteworthy because it lists factors to determine whether a company’s data privacy practices are “reasonable.”
Summary of Alabama Data Breach Notification Act of 2018
Effective June 1, 2018, the Alabama Data Breach Notification Act of 2018 will apply to all “covered entities.” A covered entity is “a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses personally identifying information.” Sensitive personally identifying information includes an Alabama resident’s name in combination with a social security number, driver’s license number, financial account number, medical information, health insurance policy information, login credentials to an email or other online account, or other specific information listed in the statute.
The Alabama statute contains typical notification requirements. A data breach would require notification to the affected Alabama residents within 45 days and, depending on the extent of the breach, to the Alabama Attorney General, consumer reporting agencies, or the media. If the breached company is a “third-party agent,” such as a vendor or supplier contracted to handle personal information on behalf of another company or other covered entity, the agent must notify the covered entity within 10 days. Penalties for violating the notification provisions may be up to $5,000 per day or $500,000 per breach, and the state attorney general may bring an additional enforcement action for violations.
The statute has other important provisions, including those relating to investigations, law enforcement, governmental entities, disposal of records, and exemptions for regulated entities.
“Reasonable” Security Measures
As in Florida and many other states, the Alabama statute requires companies to take “reasonable” measures to safeguard personal information. But Alabama’s statute is unique because it specifically lists factors to consider in determining what constitutes “reasonable” measures. Most state data privacy statutes do not list factors.
Under the Alabama statute, one aspect of “reasonable” measures concerns vendor contracts. The statute says companies should consider requiring vendors, by contract, to maintain appropriate safeguards of sensitive personal information. For example, a company allowing a payroll processor to access the personal information of the company’s employees may contractually require the payroll processor to maintain reasonable security measures. Contractually requiring vendors to maintain appropriate safeguards gives them a business incentive to focus on data privacy. If they don’t focus on data privacy, vendors could lose the contract and the business. Of course, this added incentive also may reduce the chance of a security breach, which is the ultimate goal of the statute.
Other “reasonable” security measures listed in the Alabama statute focus on internal data privacy practices. Under the statute, companies should designate an employee to coordinate the company’s security measures, identify internal and external security risks, and adopt appropriate safeguards. Companies should then evaluate and adjust their practices as circumstances affecting security change. Finally, the company’s management, including the board of directors, should stay informed of the status of the company’s security measures.
The “reasonableness” factors listed in the Alabama statute are not new to the world of data privacy law or to established best practices. Nor are they a complete list of factors regulators and industries have deemed to be reasonable. The Alabama statute is unique, however, because it lists “reasonableness” factors, thus providing some guidance to companies holding the personal information of Alabama residents. Depending on how this plays out over time, other states are likely to define what they deem reasonable as they update or amend their data privacy statutes. Companies should stay informed of their evolving legal obligations and update their data privacy practices accordingly.