SB91 Alabama 2017 Session

Updated Feb 27, 2026
Notable

Summary

Primary Sponsor: Arthur Orr, Senator (Republican)
Session: Regular Session 2017
Title: Consumers and consumer protection, protection of data containing personal information, notification of breach of to Attorney General and consumers required, disposal of records, civil penalty
Summary

The bill creates the Alabama Information Protection Act to protect sensitive personal data and require breach notifications to the Attorney General, affected residents, and credit agencies, with penalties for noncompliance.

What This Bill Does

It requires entities that own, license, or maintain sensitive personal information to implement reasonable security measures to protect electronic data. If a breach affects 1,000 or more Alabama residents, the entity must notify the Attorney General and, to the extent possible, notify the affected residents and credit reporting agencies; resident notices must generally occur within 60 days of breach determination. The Act also requires disposal of records containing sensitive information when they are no longer needed, and it gives the Attorney General authority to enforce the rules and seek civil penalties up to $50,000 per breach; there is no private right of action. Some entities, like financial institutions under GLBA and HIPAA-related health care entities, are exempt from certain requirements.

Who It Affects
  • Covered entities and governmental entities that own or process sensitive personally identifying information (they must implement security measures and issue breach notices).
  • Third-party agents that maintain or process such data for covered entities (they must notify the covered entity promptly after a breach).
  • Alabama residents whose personal information is breached (they may receive notices and certain free services related to the breach).
  • Credit reporting agencies (they must be notified when a breach affects 1,000 or more residents).
  • The Alabama Attorney General (receives breach notices, issues notices to affected individuals, and produces annual breach reports).

Key Provisions
  • Defines terms: breach of security, covered entity (including governmental entities), customer records, data in electronic form, sensitive personally identifying information, and third-party agent.
  • Requires reasonable security measures to protect sensitive data held by covered entities and governmental entities.
  • Requires notice to the Attorney General for breaches affecting 1,000+ residents within 60 days of breach determination, with up to 15 extra days for good cause; notice must include a breach synopsis, affected numbers, available services, and contact information.
  • Requires notice to affected residents within 60 days of breach determination, by mail or email, including date range, types of information involved, and contact methods; substitute notice allowed if feasible and cost-prohibitive, with online and media notices as alternatives.
  • Requires notice to credit reporting agencies for large breaches (1,000+ residents) about timing, distribution, and content of notices.
  • Requires third-party agents to notify the covered entity of breaches within 10 days of determining a breach.
  • Annual Attorney General breach report to the Governor and Legislature detailing breaches by governmental entities or third-party agents and recommendations for security improvements.
  • Requires disposal of customer records containing sensitive information when no longer needed, using methods to make data unreadable or indecipherable.
  • Establishes penalties for noncompliance: up to $50,000 per breach, with penalties assessed per breach (not per affected individual), and enforcement by the Attorney General; penalties go to the General Fund, with costs to recover penalties handled separately.
  • Provides exemptions: financial institutions and insurers under GLBA, HIPAA-regulated health care providers/entities, and certain other federal/state-regulated entities are exempt from parts of the act; no private right of action is created.

AI-generated summary using openai/gpt-5-nano on Feb 24, 2026. May contain errors — refer to the official bill text for accuracy.

Subjects: Consumers and Consumer Protection

Bill Actions

  • Senate: Indefinitely Postponed
  • Senate: Read for the second time and placed on the calendar
  • Senate: Read for the first time and referred to the Senate committee on Judiciary

Source: Alabama Legislature