Alabama Requires Entities to Safeguard Sensitive Information
By Seth Jaffe.
Alabama recently became the 50th state to pass a data breach notification law, but in doing so, the state upped the ante by including security obligations generally found in industry-specific cyber security laws. I’ve written about the Eight Principles of Cyber Security Laws in a prior blog post. Alabama adopted seven of them.
For covered entities—which is essentially any company “that acquires or uses sensitive personally identifying information”—Alabama imposes the requirement that it:
- Conduct a risk assessment
- Implement appropriate safeguards to address those risks
- Involve the Board of Directors regarding cyber security
- Designate an individual to coordinate the entity’s security measures
- Respond to a breach (maintain an incident response program)
- Manage third-party providers regarding security
- Evaluate and adjust the program as necessary
The only prong not included from my list of eight was training.
The implications of this law run deeper than just state prosecution. Attorney Fredric Bellamy recently wrote about the case of Community Bank of Trenton v. Schnuck Markets, Inc., where a federal court dismissed a claim brought by banks against a supermarket that suffered a data breach resulting in the compromise of hundreds of thousands of credit cards. The banks wanted compensation for losses incurred from fraud and from replacing the cards. But the court dismissed the negligence per se claim because no statute or ordinance had been broken. Under Alabama’s law, and the similar statutes requiring security obligations, courts may come to a different conclusion.
This means that companies failing to meet the security obligations imposed by Alabama’s law are more likely to find themselves ensnared in litigation due to a data breach.
The Alabama Data Breach Notification Act went into effect last Friday (June 1, 2018). Any company that resides in Alabama or holds sensitive personally identifying information of Alabama residents may want to reexamine its security program to ensure it meets the above principles.
Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.