Alabama Privacy Laws

Breach Notification

Mandated Timeframe

Within 45 days

Fines & Penalties

Violations

Up to $500,000 per breach

REGULATION LEVELS

Categories: Breach Reporting, Consumer Notifications, Vendor Management, Vendor Contract Required

LEVEL DESCRIPTION

Minimal, Basic, Comprehensive, Extensive

LAWS RELATED TO PERSONAL INFORMATION
Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Protect Personal Information

Vendor Specific Obligations

Vendor Mandated Contracts

Required Programs

Protection/Security

Employee Training

Vendor Protection/Search Program

Personal Information Protection

Data Disposal of Personal Information

Quick Facts

Alabama Privacy Law Information

  • Privacy Program

    Organizations must contract with Vendors to whom the Organization discloses personal information. Both Organizations and Vendors are required to implement and maintain security measures to protect the sensitive personal information in their possession. Organizations and Vendors must have measures in place for the secure disposal of personal information in their possession.

  • Breach Reporting

    Upon discovery of a breach, an investigation must be conducted to determine specific details about the breach, including cause, possible harm/risk to individuals, and possible mitigation methods. There are specific details that must be included in consumer and regulatory notifications. If more than 1,000 Alabama residents have been affected by a breach, regulatory reporting to the Attorney General must be completed within 45 days and to all credit reporting agencies without delay.

  • Consumer Notification

    If the breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

  • Industry Specific Laws

    Alabama’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until May 1, 2021 to comply with the vendor management requirements. Entities regulated by the Insurance Commissioner have a breach notification deadline of 3 business days.

  • Vendor/Third Parties

    Vendors that experience a breach must notify the Organization within 10 days of determining a breach occurred. Vendors must cooperate with Organizations and provide all necessary information about a breach incident. Vendors who fail to inform an Organization of a breach will face fines and penalties.

  • Fines & Violations

    A violation of the breach notification requirements constitutes unlawful trade practices under the Alabama Deceptive Trade Practices Act, Chapter 19, Title 8, Code of Alabama 1975. Civil penalties of up to $5,000 per day may be assessed for violations of notification requirements, for each consecutive day that a covered entity fails to take reasonable action.

Statutes and Laws

ALA. CODE § 27-62-1

Short title

ALA. CODE § 27-62-2

Purpose and intent

ALA. CODE § 27-62-3

Definitions

ALA. CODE § 27-62-4

Information security program

ALA. CODE § 27-62-5

Investigation of cybersecurity event

ALA. CODE § 27-62-6

Notification of cybersecurity event

ALA. CODE § 27-62-7

Power of commissioner

ALA. CODE § 27-62-8

Confidentiality