Understanding Alabama’s data breach notification law: What is SPII?

Data breaches are becoming more worrying. Cybercriminals are constantly devising new techniques for infiltrating systems and stealing sensitive data from small- to medium-sized businesses (SMBs) and large corporations. To make things worse, what hackers run off with is not only confidential company data but the personal details and financial information of clients as well. As a result, data breaches damage the reputation of organizations, and once consumer trust is broken, it is difficult to regain.

Just recently, a hospital in Huntsville revealed that personal data of job applicants may have been compromised after an external recruitment platform was breached, forcing the institution to offer identity theft protection to those affected.

To combat this alarming trend, all states have enacted their own statewide privacy and data security laws, with Alabama being the last to do so. The Alabama Data Breach Notification Act was signed into state law on March 28, 2018, and took effect on June 1. The law requires entities that acquire or use sensitive personally identifying information (SPII) to notify any Alabama resident whose data might have been acquired by an unauthorized party as a result of a data breach.

What counts as sensitive personally identifying information?

SPII generally includes an individual’s first name (or first initial and last name, such as J. Smith), combined with their social security or tax identification number, driver’s license or passport number, or financial information. It also covers medical or mental health records, health insurance information, and email addresses or usernames combined with passwords. These are usually submitted by account holders to organizations, which must then keep the SPII secure.

It does not include information that has been truncated or encrypted by any technology that makes it impossible for a third-party entity to personally identify an individual. For instance, if an individual’s credit card number was leaked but only the last four digits were exposed, that alone would not be classified as SPII.

The law broadly applies to all people, businesses, and government entities that acquire SPII. These may include retail providers, large corporations, healthcare providers, and public and private institutions.

What do I need to do if I suffer a breach?

The data breach law requires covered entities to notify affected Alabama residents within 45 days of discovery. If more than 1,000 residents have fallen victim to the breach, the state attorney general and consumer reporting agencies must also be notified “without unreasonable delay.”

The report should contain a summary of the events surrounding the breach, the approximate number of individuals affected, and information about any services being offered. These include identity theft prevention or monitoring services offered to individuals free of charge, instructions on how to use them, and contact information for the covered entity or its representing agent.

Notification won’t be required if, after a prompt investigation, it is determined that the security breach won’t likely cause any significant harm to those who were affected.
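To show how the SPII definition and the truncation/encryption exemption above translate into an incident-triage check, here is an added example (not code from the original post or from F1 Solutions). It classifies exposed records against the definition described in this article and counts how many meet it, which is the number the 1,000-resident threshold for notifying the attorney general and consumer reporting agencies turns on. The field names, the `enc:` ciphertext prefix, the mask-character convention, and the sample records are all assumptions constructed for this example; whether a real data set qualifies is a determination for counsel, not a script.

```python
"""Added example: apply the SPII definition to records exposed in an incident.
Schema, masking conventions and sample data are assumptions for this example."""
import re
from dataclasses import dataclass, field

# Data elements that, combined with a name element, make a record SPII (assumed schema).
IDENTIFIER_FIELDS = {
    "ssn", "tax_id", "drivers_license", "passport_number",
    "financial_account", "medical_record", "health_insurance_id",
}
# Email addresses or usernames count only when a usable password accompanies them.
ACCOUNT_FIELDS = {"email", "username"}

MASK_RE = re.compile(r"[*X#]{2,}")   # masked values such as '****1234' or 'XXX-XX-6789'
ENCRYPTED_PREFIX = "enc:"            # constructed convention: ciphertext stored with a prefix


def is_usable(field_name, value):
    """True only if the value could still identify someone: present, not masked,
    not encrypted, and (for account numbers) not reduced to the last four digits."""
    if not value:
        return False
    v = str(value).strip()
    if v.startswith(ENCRYPTED_PREFIX) or MASK_RE.search(v):
        return False
    if field_name == "financial_account" and len(re.sub(r"\D", "", v)) <= 4:
        return False
    return True


def has_name_element(record):
    """Last name plus either a first name or a first initial, e.g. 'J. Smith'."""
    return is_usable("last_name", record.get("last_name")) and (
        is_usable("first_name", record.get("first_name"))
        or is_usable("first_initial", record.get("first_initial"))
    )


@dataclass
class Classification:
    is_spii: bool
    triggering_fields: list = field(default_factory=list)


def classify(record):
    """Classify one exposed record; triggering_fields lists the usable data elements."""
    if not has_name_element(record):
        return Classification(False)
    hits = [f for f in IDENTIFIER_FIELDS if is_usable(f, record.get(f))]
    if is_usable("password", record.get("password")):
        hits += [f for f in ACCOUNT_FIELDS if is_usable(f, record.get(f))]
    return Classification(bool(hits), sorted(hits))


def summarize(records):
    """Count SPII records (assumes one record per resident) and flag the
    'more than 1,000 residents' threshold for attorney general / CRA notice."""
    n = sum(1 for r in records if classify(r).is_spii)
    return {"spii_records": n, "notify_ag_and_cras": n > 1000}


# Constructed sample data, not real people.
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_initial": "J", "last_name": "Smith", "financial_account": "1234"},        # last four only
    {"first_name": "Ann", "last_name": "Lee", "financial_account": "****-****-****-4321"},
    {"first_name": "Bob", "last_name": "Ray", "email": "bob@example.com", "password": "enc:9f3a"},
    {"first_name": "Cy", "last_name": "Ng", "email": "cy@example.com", "password": "hunter2"},
    {"last_name": "Orphan", "ssn": "987-65-4321"},                                    # no name element
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.get("last_name"), classify(rec))
    print(summarize(SAMPLE_RECORDS))
```

Only the first and fifth sample records qualify: the truncated card number, the masked card number, the encrypted password and the record with no first name or initial all fall outside the definition as the article describes it. The mask and prefix heuristics are deliberately conservative; a record whose protection you cannot verify should be counted as exposed.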

What security measures must I take moving forward?

Under the new law, covered entities and third-party agents are required to implement and maintain reasonable security measures to protect SPII from future security breaches. They include:

  • Designation of an employee(s) to coordinate the covered entity’s security measures to protect against a breach of security;
  • Identification of the internal and external risks of a breach of security;
  • Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards;
  • Retention of service providers that are contractually required to maintain appropriate safeguards for SPII;
  • Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of SPII; and
  • Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.

Failure to provide notice of a data breach is considered trade malpractice under Alabama law, and willful disregard of the notification requirements may result in fines of up to $500,000 per breach. Moreover, any entity that fails to provide notification before the 45-day deadline lapses can be fined up to $5,000 per day. Sanctions and enforcement options can vary, however, based on the status of the affected entity or third-party agent contracted to manage sensitive information.

When records no longer need to be retained, pursuant to applicable law or business needs, the law requires covered entities and third-party agents to shred, erase, or modify SPII.

All things considered, it helps to be proactive rather than reactive when it comes to security. Preventing breaches is easier and more sensible than cleaning up after the damage has been done.

Don’t let these new data protection and privacy rules and regulations catch your business off guard. F1 Solutions can help you comply with the Alabama Data Breach Notification Act by performing a full security risk assessment of your data against the appropriate regulatory controls. Give us a call today and let us build a proactive solution for you.