Can I avoid having a data breach response plan in Alabama? What are the requirements?
No. If you are a covered entity or third-party agent that handles sensitive personally identifying information, you cannot avoid it in practice. The Alabama Data Breach Notification Act of 2018 requires covered entities and third-party agents to implement and maintain reasonable security measures to protect that information and, when a breach occurs, to conduct a good-faith investigation and notify affected individuals within fixed deadlines [1.6]. Meeting those obligations requires a documented breach response process, even though the Act does not use the phrase "data breach response plan."
Requirements for Covered Entities and Third-Party Agents
Covered entities and third-party agents must comply with the notification provisions of the Alabama Data Breach Notification Act of 2018 [1.1]. In the event of a breach, a covered entity must notify affected individuals as expeditiously as possible and without unreasonable delay, and in any case no later than 45 days after determining that a breach has occurred [1.6]. A third-party agent that discovers a breach in the data it processes for a covered entity must notify that covered entity within 10 days of discovery.
If the number of individuals a covered entity is required to notify under Section 8-38-5 exceeds 1,000, the entity shall provide written notice of the breach to the Attorney General as expeditiously as possible and without unreasonable delay [1.2].
Penalties for Non-Compliance
A covered entity or third-party agent who knowingly engages in or has knowingly engaged in a violation of the notification provisions of the Alabama Data Breach Notification Act of 2018 is subject to civil penalties of up to $5,000 per day for each consecutive day that it fails to take reasonable action to comply with the notice provisions of the Act, and the total civil penalty for a violation may not exceed $500,000 per breach [1.1]. A violation of the notification provisions is also treated as an unlawful trade practice under the Alabama Deceptive Trade Practices Act, enforceable by the Attorney General [1.1].
Exemptions
Entities subject to or regulated by federal laws, rules, regulations, procedures, or guidance on data breach notification established or enforced by the federal government are exempt from the Alabama Data Breach Notification Act of 2018 as long as they maintain procedures pursuant to those laws, rules, regulations, procedures, or guidance and provide notice to affected individuals pursuant to those laws, rules, regulations, procedures, or guidance [1.7].
An entity subject to or regulated by state laws, rules, regulations, procedures, or guidance on data breach notification that are established or enforced by state government, and that are at least as thorough as the notice requirements of the Alabama Data Breach Notification Act of 2018, is exempt from the Act so long as it maintains procedures under that state authority and provides notice to affected individuals under its notice requirements [1.3].
In summary, covered entities and third-party agents that handle sensitive personally identifying information must maintain reasonable security measures, be prepared to investigate a breach, and comply with the notification provisions of the Alabama Data Breach Notification Act of 2018. Failure to comply may result in civil penalties. Entities already subject to federal or equally thorough state breach-notification requirements may be exempt from the Act, but only if they maintain procedures under those requirements and actually notify affected individuals pursuant to them; the exemption does not remove the need for a response process.
Source(s):
- [1.1] Violations of notification requirements.
- [1.2] Notice of security breach - Attorney General.
- [1.3] Exemptions - State.
- [1.6] Short title.
- [1.7] Exemptions - Federal.
Jurisdiction
Alabama