SB106 Alabama 2015 Session

Summary

Primary Sponsor

Arthur OrrSenator

Republican

Session

Regular Session 2015

Title

Consumers and consumer protection, protection of data containing personal information, notification of breach of to Attorney General and consumers required, disposal of records, civil penalty

Summary

SB106 creates the Alabama Information Protection Act of 2015 to protect personal information, require breach notices, set penalties, and regulate data handling.

What This Bill Does

It requires covered entities and governmental entities to take reasonable security measures to protect personal information. It mandates breach notices to the Attorney General and to affected individuals, with specific timing, content, and exceptions for law enforcement delays. It requires notice to credit reporting agencies for large breaches, annual AG reporting, disposal of records, and enforcement with civil penalties. It also limits retention of card data, allows cost recovery for financial institutions after breaches, and provides safe harbors for GLBA/HIPAA compliance, while not creating a private lawsuit remedy.

Who It Affects

• Covered entities and governmental entities that own, license, or maintain personal information must implement protections, notify the Attorney General and individuals after breaches, and dispose of records containing personal information.
• Consumers and the financial ecosystem (credit reporting agencies, financial institutions, and service providers) will receive breach notices; large breaches trigger reporting to CRAs; service providers must notify covered entities; financial institutions can be reimbursed for breach-related costs; card data retention rules affect how card data is stored and managed.

Key Provisions

• Creates the Alabama Information Protection Act of 2015 and defines key terms such as covered entity, personal information, breach, access device, service provider, and third-party agent.
• Requires reasonable data security measures to protect data in electronic and paper form.
• Requres breach notification to the Attorney General for breaches affecting 500+ Alabama residents, with notice expeditiously but no later than 30 days after breach determination, plus a possible 15-day extension for good cause.
• Requires notice to affected individuals within 30 days, with allowances for law enforcement delays and possible written determinations delaying notices, and permits substitute notice under specific cost or reach conditions.
• Requires notice to consumer reporting agencies for breaches affecting 1,000+ individuals.
• Requires third-party agents to notify the covered entity of a breach within 10 days of discovery.
• Requires disposal of customer records containing personal information when no longer needed, using methods to make data unreadable or undecipherable.
• Imposes civil penalties up to $500,000 for violations of breach notification requirements, with a schedule of daily and per-30-day penalties per breach and no private right of action.
• Permits enforcement by the Attorney General; penalties support the General Fund; costs of enforcement may be directed to the AG’s office; allows cost recovery for financial institutions from violators for breach-related costs.
• Prohibits retaining certain card data (card security codes, PIN verification codes, or full magnetic stripe data) after authorization (or 48 hours for PIN debit), and requires reimbursements to financial institutions for protective actions following breaches.
• Provides safe harbors for compliance with GLBA and HIPAA rules and states governmental entities are not liable for damages; sets an effective date of the act beginning three months after passage.

AI-generated summary using openai/gpt-5-nano on Feb 24, 2026. May contain errors — refer to the official bill text for accuracy.

Subjects

Consumers and Consumer Protection