Hearing
House State Government Hearing
Room 206 at 15:00:00
HB68 Alabama 2024 Session
Updated Feb 23, 2026
Summary
- Primary Sponsor
Chip BrownRepresentativeRepublican- Session
- Regular Session 2024
- Title
- State government, Office of Information Technology, cybersecurity requirements, provided
- Summary
HB68 would require Alabama state government entities that hold sensitive personal information to adopt cybersecurity rules modeled on the NIST Cybersecurity Framework, with incident reporting and data disposal requirements, effective January 1, 2025.
What This Bill DoesThe Secretary of the Office of Information Technology would be required to create and enforce cybersecurity rules for government entities that possess or access sensitive personal information. The rules must meet or exceed standards such as NIST CSF Version 1.1 (or successor) and include access controls, incident reporting, and data disposal procedures. Incidents would have to be reported to both the OIT and the Alabama State Law Enforcement Agency. Overall, it adds formal security requirements for state government handling of sensitive data.
Who It Affects- Alabama state government entities that possess or access sensitive personally identifying information, who must implement security measures and follow the new rules.
- The Office of Information Technology (OIT) and the Alabama State Law Enforcement Agency (ALEA), which will oversee rulemaking, governance framework, and incident notifications.
Key ProvisionsAI-generated summary using openai/gpt-5-nano on Feb 22, 2026. May contain errors — refer to the official bill text for accuracy.- Each government entity must implement and maintain reasonable security measures to protect sensitive PII from breaches.
- The Secretary of the Office of Information Technology must adopt a cybersecurity governance framework that meets or exceeds applicable state and federal standards, including NIST CSF Version 1.1 or successor.
- Procedures must be established for accessing sensitive PII to ensure confidentiality, integrity, and availability of the information.
- A cybersecurity incident reporting process must be established that includes notifying the OIT and ALEA.
- Reasonable disposal procedures must be established for records containing sensitive PII, including shredding, erasing, or otherwise modifying the information to make it unreadable or undecipherable, per industry standards.
- The act becomes effective January 1, 2025.
- Subjects
- Government Administration
Bill Actions
H
Pending House State Government
H
Read for the first time and referred to the House Committee on State Government
H
Prefiled
Calendar
Bill Text
Documents
Bill Text (Introduced)
HB68 Alabama 2024 Session - Introduced
Bill Text (Introduced)
HB68 Alabama 2024 Session - Introduced
Fiscal Note
Fiscal Note - As Introduced
Source: Alabama Legislature