Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection & Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- up to $500,000 per breach

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Civil penalties of up to $5,000 per day may be assessed for violations of notification requirements, for each consecutive day that a covered entity fails to take reasonable action.
  • Both businesses and their vendors are required to implement and maintain security measures to protect the sensitive personal information in their possession.
  • Upon discovery of a breach, the business must conduct an investigation to determine specific details about the breach, including cause, possible harm/risk and possible mitigation methods.
  • There are specific details that must be included in consumer notifications.
  • If more than 1,000 Alabama residents have been affected by a breach, regulatory reporting to the Attorney General must be completed within 45 days and to all credit reporting agencies without delay.
  • There are specific details that must be included in your breach regulatory reports.
  • Vendors that experience a breach must notify the data owner no later than 10 days after determining a breach has occurred. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If the breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Alabama’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until May 1, 2020 to comply with the information security requirements, and until May 1, 2021 to comply with the vendor management requirements.
  • Entities regulated by the Insurance Commissioner have a breach notification deadline of 3 business days.
Statutes and Laws
  • Ala. Code §§ 8-38-1 – 8-38-12 Data Breach Notification Act of 2018
  • Ala. Code §§ 27-62-1 – 27-62-11 Insurance Data Security Law