SB238 Alabama 2016 Session
Summary
- Primary Sponsor
Arthur Orr, Senator, Republican
- Session
- Regular Session 2016
- Title
- Consumers and consumer protection, protection of data containing personal information, notification of breach of to Attorney General and consumers required, disposal of records, civil penalty
- Summary
SB238 creates the Alabama Information Protection Act to protect sensitive personal data, require breach notifications to the Attorney General and affected individuals (and credit agencies), and set penalties and disposal rules for noncompliance.
What This Bill Does
The bill requires covered entities and governmental entities to use reasonable security measures for data containing sensitive personal information. If a breach affects 1,000 or more Alabama residents, the entity must notify the Attorney General within 60 days (with a possible 15-day extension) and notify affected individuals; it must also notify credit reporting agencies for large breaches. The Attorney General must annually report breach information to the Governor and Legislature, and the bill requires disposal of records containing sensitive information when no longer needed, with enforcement actions and civil penalties for noncompliance, while not creating a private right of action. Third-party agents must alert the covered entity within 10 days of a breach, and there are exemptions for certain financial and health care entities.
Who It Affects
- Residents of Alabama whose sensitive personal information is breached; they will receive notification and may be offered free services related to the breach.
- Covered entities and governmental entities that maintain sensitive personal information (and their third-party agents); they must implement security measures, notify the Attorney General and affected individuals (and credit bureaus for large breaches), dispose of records properly, and may face penalties for noncompliance.
Key Provisions
AI-generated summary using openai/gpt-5-nano on Feb 24, 2026. May contain errors — refer to the official bill text for accuracy.
- Creates the Alabama Information Protection Act of 2016 to protect sensitive personally identifying information and require breach notices.
- Requires reasonable security measures for electronic data containing sensitive PII by covered and governmental entities.
- Mandates breach notice to the Attorney General for breaches affecting 1,000+ residents, within 60 days (with possible 15-day extension).
- Requires notice to affected residents and to credit reporting agencies for large breaches; specifies notice content and methods; allows substitute notice when direct notice is not feasible.
- Requires third-party agents to notify the covered entity within 10 days of a breach.
- Authorizes annual breach reporting by the Attorney General to the Governor and Legislature; includes enforcement provisions.
- Requires disposal of customer records containing sensitive information when no longer needed, with methods to make data unreadable.
- Imposes civil penalties up to $50,000 per breach for violations of notice requirements; penalties go to the State General Fund (with certain allocations for the AG’s costs).
- Exempts certain entities (e.g., GLBA-regulated financial institutions, HIPAA-covered entities/services, and health care providers) from the act.
- Does not create a private right of action; enforcement rests with the Attorney General; effective date is the first day of the third month after passage/approval.
- Subjects
- Consumers and Consumer Protection
Bill Actions
Read for the first time and referred to the House of Representatives committee on Military and Veterans Affairs
Engrossed
Motion to Read a Third Time and Pass adopted Roll Call 844
Orr motion to Adopt adopted Roll Call 843
Orr first Substitute Offered
Third Reading Passed
Read for the second time and placed on the calendar
Read for the first time and referred to the Senate committee on Fiscal Responsibility and Economic Development
Bill Text
Votes
Orr motion to Adopt
Documents
Source: Alabama Legislature