HB37 Alabama 2016 1st Special Session
Summary
- Primary Sponsor: Connie C. Rowe (Republican)
- Session: First Special Session 2016
- Title: Consumers and consumer protection, protection of data containing personal information, notification of breach to Attorney General and consumers required, disposal of records, civil penalty
- Summary: HB37 creates the Alabama Information Protection Act to protect sensitive personal information, require breach notifications to the Attorney General and residents, and set penalties and disposal rules for data breaches.
What This Bill Does
It requires covered entities and governmental entities to implement reasonable security measures for sensitive data. It requires notifying the Attorney General within 60 days of a verified breach affecting 1,000 or more Alabama residents, and also notifies affected residents and credit reporting agencies for large breaches, with a possible 15-day extension. It requires disposal of records containing sensitive information and allows enforcement actions and civil penalties of up to $50,000 per breach. It provides exemptions for certain financial and health-related entities and clarifies that the act does not create a private right of action.
Who It Affects
- Covered entities and governmental entities: must protect data and report breaches to the Attorney General, affected residents, and credit reporting agencies; may face civil penalties.
- Alabama residents: must be notified, with breach details and access to free services, if their personally identifiable information is involved in a breach affecting 1,000+ residents.
- Third-party agents: must notify the covered entity within 10 days after identifying a breach.
- Credit reporting agencies: must be notified for large breaches (affecting 1,000+ residents) about timing, scope, and notices.
- Financial institutions, insurers, and HIPAA-related entities: exempt from some provisions of this act.
- Attorney General, Governor, and Legislature: receive annual breach reports and oversee enforcement.
Key Provisions
AI-generated summary using openai/gpt-5-nano on Feb 24, 2026. May contain errors — refer to the official bill text for accuracy.
- Defines terms such as 'sensitive personally identifying information,' 'breach,' 'covered entity,' and 'governmental entity' and sets scope for which entities are covered.
- Requires covered entities and governmental entities to take reasonable security measures to protect data containing sensitive PII.
- Requires notice to the Attorney General within 60 days of a verified breach affecting 1,000+ residents, with potential 15-day extension; notice must include breach synopsis, affected count, services offered, and contacts.
- Requires notice to affected residents and to consumer reporting agencies for large breaches; allows substitute notice if direct notice is not feasible due to cost or other constraints.
- Requires disposal of customer records containing PII when no longer needed, via shredding or erasing to render information unreadable.
- Authorizes enforcement actions by the Attorney General and imposes civil penalties of up to $50,000 per breach; penalties go to the General Fund, and third-party agents can be held responsible for penalties.
- Exempts certain financial institutions, insurers, HIPAA-covered entities, and health care providers from certain provisions; states there is no private right of action.
- Subjects: Consumers and Consumer Protection
Bill Actions
Read for the first time and referred to the House of Representatives committee on Ways and Means General Fund
Source: Alabama Legislature