Alabama Breach Notification Law


Breach Notification Guide in Alabama

Alabama S.B. 318 became law on March 28, 2018 and took effect June 1 that year. Alabama's breach law applies to individuals or commercial entities with respect to sensitive PI. A breach in Alabama is the unauthorized acquisition of such data in electronic form.

Legal Requirements

When PI has been breached in a way that can harm those affected, a business is required to notify each affected party. Consumer reporting agencies should also be notified if 1,000 or more entities are affected, and this must be done as expediently as possible. When 1,000 or more parties are affected, entities must also notify the AG with matching expediency. If substantial harm is determined from a breach, the AG must be notified no later than 45 days. Thankfully, time to investigate is included in reporting windows.

PI, as defined by Alabama, refers to a person’s last name and first name, or the first initial of their first name, combined with other details like SSNs, driver’s license or other identification, financial information, medical history, health insurance, email addresses, or any password/PIN information. If that data is effectively encrypted, it’s not classified as a PI breach. Anything lawfully public in a federal, state, or local government sense, or info widely distributed by MSM outlets, isn’t included in this definition.


Alabama does not allow for telephone notification. Affected parties must be notified either by email or written notice. If the cost of notifying personnel exceeds the breached party’s resources (Alabama defines this as a cost in excess of $500k), more than 100,000 people have been affected, or there isn’t enough contact information available to reach affected parties, substitute notification options include posting conspicuously on affected parties’ websites over a thirty-day period or providing breach notification to major media broadcasting agencies, including urban or rural outlets where affected parties may live.

Exceptions include entities that are subject to other laws. When such an entity maintains its own requirements reflecting those laws, gives proper notice in line with those laws, and lets the AG know what happened ASAP should more than 1,000 individuals be affected, that entity is in compliance.

Contact SCA for More Information about Breach Notification Law in Alabama

Security Compliance Associates has years of experience with breach notification law and information security in Alabama and throughout the United States. For more information about breach notification law in Alabama and any other part of the United States, download your free SCA Breach Notification Guide today. Contact SCA today at 727-571-1141 for more information and to schedule a free system analysis.