The Alabama Data Breach Notification Act is the state's main data breach law. It applies to businesses that operate within the state or handle the "sensitive personally identifying information" of its residents, and experience a data breach.
Under Alabama's law, a data breach is defined as:
"the unauthorized acquisition of data in electronic form containing sensitive personally identifying information."
This definition notably excludes:
- Good-faith data collection by an employee or agent for legitimate purposes
- Disclosure of public records not bound by confidentiality agreements
- Investigations carried out by law enforcement agencies
Notification Requirements
If a data breach will likely cause "substantial harm" to consumers, Alabama's law requires you to send consumers a written notification as quickly as possible, and no later than 45 days. You can send this notice to consumers by mail or email.
[Figure: Alabama Data Breach Notification Law: Notification Requirements section]
For breaches affecting over 1,000 Alabama residents, you must also notify the Alabama Attorney General and all consumer reporting agencies. You can notify the Attorney General via this form.
Some important caveats to take note of:
- You can delay notifications if a law enforcement agency determines that sending them could hinder a criminal investigation or jeopardize national security.
- Third parties who suffer data breaches must notify the relevant businesses within 10 days.
- Compliance with federal laws like HIPAA or GLBA exempts you from all notification requirements except the notice to the Attorney General when affected consumers exceed 1,000.
- You can use substitute notices, such as posting the breach on your website or in broadcast/print media, if any of the following is true:
  - The cost of sending notifications is over $500,000,
  - The number of affected consumers adds up to more than 100,000 people, or
  - You're missing sufficient contact details to notify affected consumers
Types of Personal Information Protected
Alabama's data breach law protects "sensitive personally identifying information." It defines this as:
An Alabama resident's first name or first initial and last name, along with at least one of the following data elements:
- A non-truncated Social Security or tax ID number
- A non-truncated driver's license, passport, military ID or other government ID numbers
- Financial account numbers in combination with any security or access codes needed to use the financial account
- Health records or health insurance policy numbers
- Online usernames or email addresses in combination with a password or security question and answer
Keep in mind that Alabama's data breach law only applies to personal information in electronic form, not paper records. The data type defined above also excludes publicly available information.
Penalties for Non-Compliance
Non-compliance with Alabama's data breach law is considered an unlawful trade practice under Alabama's Deceptive Trade Practices Act. Enforcement rests exclusively in the hands of Alabama's Attorney General.
Violators are liable to civil penalties of up to $5,000 per day for each consecutive day they fail to comply. Civil penalties are capped at $500,000 per breach.