
Alabama

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: YES
Deadline for Consumer Notice: No later than 45 days
Government Notification Required: YES, if >1,000 residents notified

Ala. Code § 8-38-1 to 12

More Details

Scope of this Summary

Notification requirements applicable to individuals or entities that acquire, use, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements.

Risk of Harm Threshold

Notification not required if, after good-faith and prompt investigation, the covered entity determines that the breach is not reasonably likely to cause substantial harm to residents. Determination must be documented in writing and maintained for at least five years.

Breach Defined

The unauthorized acquisition of data in electronic form containing sensitive personally identifying information. Acquisition occurring over a period of time committed by the same entity constitutes one breach.

Encryption Safe Harbor

Statute does not apply to covered information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information.

Forms of Covered Information

Electronic Only

Covered Information

First name or first initial and last name in combination with one or more of the following:

  • A non-truncated Social Security number or tax identification number.
  • A non-truncated driver's license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual.
  • A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account.
  • Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.
  • An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

Consumer Notice Timing

If notification required following good-faith and prompt investigation, must be made in the most expedient time possible, but no later than 45 calendar days following notification of breach or determination that breach occurred and is reasonably likely to cause substantial harm to residents.

Consumer Notice Method

By written notice (to address in covered entity's records) or electronic notice (to email address in covered entity's records). Substitute notice is available if certain criteria are satisfied.

Consumer Notice Content

Notice must contain:

  • Description of covered info subject to breach;
  • Date, estimated date, or estimated date range of breach;
  • General description of actions taken to restore security and confidentiality of covered info;
  • General description of steps the affected resident can take to protect against identity theft; and
  • Contact info for covered entity that affected resident can use to inquire about breach.

Delayed Notice

Notification may be delayed if law enforcement determines that notification will impede a criminal investigation or national security, and if the law enforcement agency has submitted a written request for the delay.

Government Notice

If over 1,000 residents notified, must notify AG as expeditiously as possible, but no later than 45 days after notification of breach or close of investigation. Must include synopsis of events surrounding incident; approximate number of affected residents; any services being offered to residents free of charge and how to use them; contact information that AG can use to obtain additional information; supplemental or updated information may be provided at any time.

Consumer Reporting Agency Notice

If over 1,000 residents notified, must notify major Consumer Reporting Agencies without unreasonable delay of timing, distribution, and content of notices.

Exceptions for Other Laws

The statute exempts any entity subject to or regulated by federal or state laws or regulations on data breach notification, provided the entity:

  • Maintains procedures under those laws and regulations.
  • Provides notice to affected individuals according to those laws and regulations.
  • Timely provides a copy of the notice sent to residents to the Attorney General when the entity notifies more than 1,000 individuals.

Third-Party Notice

If you maintain, store, process, or otherwise have access to covered info on behalf of another entity, you must notify it as expeditiously as possible and without unreasonable delay, but no later than 10 days following discovery of a breach or reason to believe breach occurred, and must cooperate by providing information in your possession so covered entity can comply with its notice requirements.

Private Right of Action

The Alabama general breach notification statute does not provide a private right of action.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 15, 2023

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.