SB318 Alabama 2018 Session

Summary

Primary Sponsor

Arthur OrrSenator

Republican

Session

Regular Session 2018

Title

Consumer protection, Alabama Data Breach Notification Act

Summary

Alabama SB 318 creates the Alabama Data Breach Notification Act, requiring certain entities to protect sensitive information and notify people and the state when a breach happens.

What This Bill Does

It requires covered entities and their third-party agents to implement reasonable security measures to protect sensitive personal information. If a breach occurs, they must investigate, identify what information was involved, determine if it was accessed by an unauthorized person, and notify affected individuals within 45 days (with possible delays for law enforcement). If more than 1,000 people are affected, they must also notify the Attorney General and, in most cases, consumer reporting agencies. The act also covers disposal of records, provides for penalties for noncompliance, and includes exemptions for entities already regulated by federal or state breach laws.

Who It Affects

• Covered entities and third-party agents that acquire, store, or use sensitive personally identifying information of Alabama residents, who must implement security measures and perform breach notifications.
• Alabama residents whose sensitive personal identifying information is involved in a breach and who must receive notice and guidance on protective steps.

Key Provisions

• Creates the Alabama Data Breach Notification Act and defines key terms (breach, covered entity, data in electronic form, sensitive PII, third-party agent).
• Requires covered entities and third-party agents to implement and maintain reasonable security measures, including designating a security coordinator, risk assessment, safeguards, vendor oversight, ongoing evaluations, and board involvement where applicable.
• Governs breach investigations: entities must assess the breach, identify impacted information and individuals, determine if data was obtained by unauthorized persons, and implement measures to restore security.
• Requires notice to affected individuals within 45 days after determining a breach is likely to cause substantial harm, with content requirements and options for substitute notice when direct notice is not feasible.
• Mandates notice to the Attorney General when more than 1,000 individuals are affected, and requires notice to consumer reporting agencies for large breaches; sets timing and content rules for these notices.
• Provides penalties for violations (civil) under the Alabama Deceptive Trade Practices Act, with up to $500,000 per breach and up to $5,000 per day for willful or reckless noncompliance; no private right of action, but AG can sue.
• Allows exemptions for entities regulated by federal or state breach notification laws that meet certain conditions, including providing notice under those laws and sharing the notice with the AG when applicable.
• Requires proper disposal of records containing sensitive information when no longer needed, and governs government entities with additional reporting requirements.
• Effective date: the act takes effect on the first day of the third month after passage.

AI-generated summary using openai/gpt-5-nano on Feb 24, 2026. May contain errors — refer to the official bill text for accuracy.

Subjects

Consumers and Consumer Protection