Mandated Timeframe for Breach Reporting and/or Consumer Notification
Within 45 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection & Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach and notification laws:
- up to $500,000 per breach
None to minimal
Civil penalties of up to $5,000 per day may be assessed for violations of notification requirements, for each consecutive day that a covered entity fails to take reasonable action.
Both businesses and their vendors are required to implement and maintain security measures to protect the sensitive personal information in their possession.
Upon discovery of a breach, the business must conduct an investigation to determine specific details about the breach, including cause, possible harm/risk and possible mitigation methods.
There are specific details that must be included in consumer notifications.
If more than 1,000 Alabama residents have been affected by a breach, the breach must be reported to the Attorney General within 45 days and to all credit reporting agencies without delay.
There are specific details that must be included in your breach regulatory reports.
Vendors that experience a breach must notify the data owner no later than 10 days after determining a breach has occurred.
Alabama passed the sector-specific Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until May 1, 2020 to comply with the information security requirements, and until May 1, 2021 to comply with the vendor management requirements.
Statutes and Laws
Ala. Code §§ 8-38-1 – 8-38-12 Data Breach Notification Act of 2018