Application. A person or commercial entity (collectively, Entity) that acquires or uses sensitive personally identifying information.
Security Breach Definition. The unauthorized acquisition of data in electronic form containing sensitive personally identifying information.
- Good-faith acquisition of sensitive personally identifying information by an employee or agent of an Entity is not a security breach, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
- A security breach also does not include the release of a public record not otherwise subject to confidentiality or nondisclosure requirements, nor does it include any lawful, investigative, protective, or intelligence activity of a law enforcement or intelligence agency of the state, or a political subdivision of the state.
Notification Obligation. Any Entity that determines that, as a result of a breach of security, sensitive personally identifying information has been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to an AL resident to whom the information relates, shall give notice of the breach to each AL resident to whom the information relates.
Notification to Consumer Reporting Agencies. If the number of affected individuals exceeds 1,000, the Entity must notify all consumer reporting agencies without unreasonable delay once it is determined that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.
Attorney General/Agency Notification. If the number of affected individuals exceeds 1,000, the Entity must notify the Attorney General as expeditiously as possible and without unreasonable delay, and within 45 days once it is determined that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.
Timing of Notification. Notice shall be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to conduct an investigation, and within 45 days of discovering that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.
Personal Information Definition. An AL resident’s first name or first initial and last name, in combination with one or more of the following data elements that relate to the resident, when either the name or the data elements are not truncated, encrypted, secured or modified in a way that removes elements that personally identify an individual or render the data unusable:
- Social Security number;
- Driver’s license number or state identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual;
- Account number, credit card number or debit card number in combination with any required security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
- An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the Entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
Sensitive personally identifying information does not include information about an individual that is lawfully made public by a federal, state, or local government record or widely distributed media.
Notice Required. Notice may be provided by one of the following methods:
- Written notice; or
- Email notice.
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice is excessive relative to the Entity’s resources, (provided that the cost of notification is considered excessive if it exceeds $500,000), or that the affected AL residents to be notified exceeds 100,000 persons, or the Entity does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:
- Conspicuous posting of the notice on the website of the Entity if the Entity maintains one, for a period of 30 days; and
- Notice to major print and broadcast media, including major media in urban and rural areas where the affected individuals reside.
Exception: Compliance with Other Laws.
- An Entity subject to or regulated by federal laws, rules, regulations, procedures, or guidance is exempt as long as the Entity: maintains procedures pursuant to those requirements; provides notice to consumers pursuant to those requirements; and timely provides notice to the Attorney General when the number of affected individuals exceeds 1,000.
- An Entity subject to or regulated by state laws, rules, regulations, procedures, or guidance—that are at least as thorough as the notice requirements in this law—is exempt as long as the Entity: maintains procedures pursuant to those requirements; provides notice to consumers pursuant to those requirements; and timely provides notice to the Attorney General when the number of affected individuals exceeds 1,000.
Other Key Provisions:
- Delay for Law Enforcement. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation or national security, and the law enforcement agency has submitted a written request for the delay. The law enforcement agency may revoke the delay as of a specified date or extend the delay, if necessary.
- Government entities are subject to the Act as well and must provide notice in line with the provisions of the law.
- AG Enforcement. The Attorney General has exclusive authority to bring an action for civil penalties under the Act.