HB291 Alabama 2016 Session

Updated Feb 26, 2026
Notable

Summary

Primary Sponsor: Connie C. Rowe (Republican)
Session: Regular Session 2016
Title: Consumers and consumer protection, protection of data containing personal information, notification of breach of to Attorney General and consumers required, disposal of records, civil penalty
Summary

HB291 creates the Alabama Information Protection Act to protect sensitive personal data and require notice to the Attorney General and individuals when a data breach occurs.

What This Bill Does

The bill requires entities that own or manage sensitive personal information to use reasonable security measures. If a data breach affects 1,000 or more Alabama residents, the entity must notify the Attorney General and the affected individuals within 60 days (with a possible 15-day extension for good cause) and may need to inform credit reporting agencies. It also requires disposal of records containing sensitive information, and it provides for enforcement by the Attorney General with civil penalties up to $50,000 per breach; there is no private right of action. The act includes exemptions for certain financial institutions, HIPAA entities, and health care providers, and sets annual reporting requirements for the Attorney General.

Who It Affects

  • Covered entities and governmental entities that own, license, or maintain data containing sensitive personally identifying information must implement security measures, notify the Attorney General and affected residents of breaches, notify credit reporting agencies for large breaches, dispose of records securely, and may face civil penalties for noncompliance.
  • Alabama residents whose sensitive personal information is breached would be notified with details about the breach, the data involved, how to seek assistance, and any services offered by the entity; substitute notice is allowed in some cases, and affected residents may be indirectly impacted by penalties and reporting requirements on the entities holding their data.

Key Provisions

  • Establishes the Alabama Information Protection Act of 2016 and defines terms such as sensitive personally identifying information and breach of security.
  • Requires reasonable security measures to protect data containing sensitive information in electronic and paper form.
  • Mandates breach notification to the Attorney General for breaches affecting 1,000+ residents, within 60 days (with a potential 15-day extension for good cause) and includes required contents of the notice.
  • Requires notice to affected residents and to credit reporting agencies for large breaches, with methods of notice (written, email, or substitute notice when direct notice is not feasible).
  • Allows substitute notice (internet posting and media) under cost or scale conditions and outlines content to be included in notices.
  • Requires third-party agents to notify the covered entity within 10 days of a breach detected by the agent.
  • Imposes an annual reporting duty on the Attorney General to inform the Governor and Legislature about breaches and security improvements.
  • Provides for secure disposal of customer records containing sensitive information when no longer needed.
  • Imposes civil penalties up to $50,000 per breach for violations of notification requirements; penalties are collected into the State General Fund with some costs retained by the Attorney General.
  • Excludes certain entities from the Act (e.g., financial institutions subject to GLBA, HIPAA-covered entities, and some health care providers) and clarifies there is no private right of action.

AI-generated summary using openai/gpt-5-nano on Feb 24, 2026. May contain errors — refer to the official bill text for accuracy.

Subjects
Consumers and Consumer Protection

Bill Actions

H

Read for the first time and referred to the House of Representatives committee on Military and Veterans' Affairs

Source: Alabama Legislature