Alabama passed a bill enacting the Data Breach Notification Act of 2018 (DBNA). The DBNA imposes requirements on “covered entities” (entities that acquire or use sensitive personally identifying information) and “third-party agents (entities that maintain, store, process or otherwise access sensitive personally identifying information in connection with providing services to covered entities). Under the DBNA, covered entities must disclose a security breach to all Alabama residents whose sensitive personally identifying information was (or is reasonably believed to have been) acquired by an unauthorized person. The DBNA also requires covered entities to notify the attorney general and all consumer reporting agencies operating on a nationwide basis if the covered entity is required to disclose a security breach to more than 1,000 Alabama residents. In addition, the DBNA: requires third-party agents to disclose a security breach to the covered entity on whose behalf the third-party agent is providing services; mandates that covered entities and third-party agents maintain reasonable security measures to protect sensitive personally identifying information; and requires covered entities and third-party agents to take reasonable measures to dispose of records containing sensitive personally identifying information when the records are no longer required to be retained. The bill becomes effective June 1, 2018.
See Alabama Legislature website for the full text of the Statutes:
http://alisondb.legislature.state.al.us/alison/searchableinstruments/2018RS/bills/SB318.htm
