Mandated Timeframe for Breach Reporting and/or Consumer Notification
Within 45 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection & Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach notification laws:
- up to $500,000 per breach
None to minimal
Civil penalties of up to $5,000 per day may be assessed for violations of notification requirements, for each consecutive day that a covered entity fails to take reasonable action.
Both businesses and their vendors are required to implement and maintain security measures to protect the sensitive personal information in their possession.
Upon discovery of a breach, the business must conduct an investigation to determine specific details about the breach, including the cause, possible harm/risk and possible mitigation methods.
There are specific details that must be included in consumer notifications.
If more than 1,000 Alabama residents have been affected by a breach, the breach must be reported to the Attorney General within 45 days and to all credit reporting agencies without delay.
There are specific details that must be included in your breach regulatory reports.
Vendors that experience a breach must notify the data owner no later than 10 days after determining that a breach has occurred. The data owner is responsible for completing any required regulatory and consumer breach notifications.
If the breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Alabama’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until May 1, 2020 to comply with the information security requirements, and until May 1, 2021 to comply with the vendor management requirements.
Entities regulated by the Insurance Commissioner have a breach notification deadline of 3 business days.
Statutes and Laws
Ala. Code §§ 8-38-1 – 8-38-12 Data Breach Notification Act of 2018
Ala. Code §§ 27-62-1 – 27-62-11 Insurance Data Security Law