Organizations must contract with Vendors to whom the Organization discloses personal information. Both Organizations and Vendors are required to implement and maintain security measures to protect the sensitive personal information in their possession. Organizations and Vendors must have measures in place for the secure disposal of personal information in their possession.

Upon discovery of a breach, an investigation must be conducted to determine specific details about the breach including, cause, possible harm/risk to individuals and possible mitigation methods. There are specific details that must be included in consumer and regulatory notifications. If more than 1,000 Alabama residents have been affected by a breach, regulatory reporting to the Attorney General must be completed within 45 days and to all credit reporting agencies without delay.

If the breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Alabama’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until May 1, 2021, to comply with the vendor management requirements. Entities regulated by the Insurance Commissioner have a breach notification deadline of 3 business days.

Vendors that experience a breach must notify the Organization within 10 days of determining a breach occurred. Vendors must cooperate with Organizations and provide all necessary information about a breach incident. Vendors who fail to inform an Organization of a breach will face fines and penalties. Vendors may contract with Organizations to handle any required consumer notifications and/or regulatory reporting following a breach of security, however, Organizations are ultimately responsible to ensure consumer notification and/or regulatory reporting is complete when necessary.

A violation of the breach notification requirements constitutes unlawful trade practices under the Alabama Deceptive Trade Practices Act, Chapter 19, Title 8, Code of Alabama 1975. Civil penalties of up to $5,000 per day may be assessed for violations of notification requirements, for each consecutive day that a covered entity fails to take reasonable action.