18 July 2018

Enhanced Cybersecurity Measures Required In Alabama's Data Breach Notification Law

Adams and Reese

Contributor


Alabama recently became the 50th state to pass a data breach notification law.

Alabama's newly passed law¹ (effective May 1, 2018) requires businesses and government agencies to 1) protect "sensitive personally identifying information"; and 2) notify Alabama residents (and other entities as applicable) in the event of a "breach of security" of that information.

While a number of states impose an obligation to "maintain reasonable security measures," Alabama's law is unique in that it identifies specific actions that may be considered in evaluating "reasonableness":

  1. Designation of an employee or employees to coordinate the covered entity's security measures to protect against a breach of security. An owner or manager may designate himself or herself.
  2. Identification of internal and external risks of a breach of security.
  3. Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards.
  4. Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.
  5. Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information.
  6. Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures; provided, however, that the management of a government entity subject to this subdivision may be appropriately informed of the status of its security measures through a properly convened executive session under the Open Meetings Act pursuant to Section 36-25A-7, Code of Alabama 1975.

By expressly defining what may constitute "reasonable" security measures, Alabama has provided a "roadmap" for entities subject to the law. At the same time, Alabama has arguably set a higher standard and burden for those entities. Businesses that collect and store the information of Alabama residents must evaluate their security programs in order to protect "sensitive personally identifying information," ensure compliance with the law, and endeavor to prevent a breach of that information.

Footnote

1. http://arc-sos.state.al.us/PAC/SOSACPDF.001/A0012674.PDF

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
