Alabama Requires Entities to Safeguard Sensitive Information

Alabama Requires Entities to Safeguard Sensitive Information

Alabama Requires Entities to Safeguard Sensitive Information 1280 853 SethJaffe

By Seth Jaffe.

Alabama recently became the 50th state to pass a data breach notification law, but in doing so, the state upped the ante by including security obligations generally found in industry-specific cyber security laws. I’ve written about the Eight Principles of Cyber Security Laws in a prior blog post. Alabama adopted seven of them.

For covered entities—which is essentially any company that “that acquires or uses sensitive personally identifying information”—Alabama imposes the requirement that it:

  1. Conduct a risk assessment
  2. Implement appropriate safeguards to address those risks
  3. Involve the Board of Directors regarding cyber security
  4. Designate an individual to coordinate the entity’s security measures
  5. Respond to a breach (maintain an incident response program)
  6. Manage third party provides regarding security
  7. Evaluate and adjust the program as necessary

The only prong not included from my list of eight was training.

The implications of this law run deeper than just state prosecution. Attorney Fredric Bellamy recently wrote about the case of Community Bank of Trenton v. Schnuck Markets, Inc., where a federal court dismissed a claim brought by banks against a supermarket that suffered a data breach resulting in the compromise of hundreds of thousands of credit cards. The banks wanted compensation for losses incurred from fraud and replacing the cards. But the court dismissed the negligence per se claim because no statute or ordinance had been broken. Under Alabama’s law, and the similar statutes requiring security obligations, courts may come to a difference conclusion.

This means that companies failing to meet the security obligations imposed by Alabama’s law are more likely to find themselves ensnared in litigation due to a data breach.

The Alabama Data Breach Notification Act went into effect last Friday (June 1, 2018). Any company that resides in Alabama or holds sensitive personally identifying information of Alabama residents may want to reexamine its security program to ensure it meets the above principles.