Code of Alabama - Title 8: Commercial Law and Consumer Protection - Chapter 38 - Data Breach Notification Act of 2018

• Section 8-38-1 Short title
  This chapter may be cited and shall be known as the Alabama Data Breach Notification Act of 2018.
• Section 8-38-2 Definitions
  For the purposes of this chapter, the following terms have the following meanings: (1) BREACH OF SECURITY or BREACH. The unauthorized acquisition of data in...
• Section 8-38-3 Reasonable security measures; assessment
  (a) Each covered entity and third-party agent shall implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security....
• Section 8-38-4 Investigation of security breach
  (a) If a covered entity determines that a breach of security has or may have occurred in relation to sensitive personally identifying information that is...
• Section 8-38-5 Notice of security breach - Individuals affected
  (a) A covered entity that is not a third-party agent that determines under Section 8-38-4 that, as a result of a breach of security, sensitive...
• Section 8-38-6 Notice of security breach - Attorney General
  (a) If the number of individuals a covered entity is required to notify under Section 8-38-5 exceeds 1,000, the entity shall provide written notice of...
• Section 8-38-7 Notice of security breach - Consumer reporting agencies
  If a covered entity discovers circumstances requiring notice under Section 8-38-5 of more than 1,000 individuals at a single time, the entity shall also notify,...
• Section 8-38-8 Notice of security breach - Covered entity
  In the event a third-party agent has experienced a breach of security in the system maintained by the agent, the agent shall notify the covered...
• Section 8-38-9 Violations of notification requirements
  (a) A violation of the notification provisions of this chapter is an unlawful trade practice under the Alabama Deceptive Trade Practices Act, Chapter 19 of...
• Section 8-38-10 Disposal of records containing sensitive personally identifying information
  A covered entity or third-party agent shall take reasonable measures to dispose, or arrange for the disposal, of records containing sensitive personally identifying information within...
• Section 8-38-11 Exemptions - Federal
  An entity subject to or regulated by federal laws, rules, regulations, procedures, or guidance on data breach notification established or enforced by the federal government...
• Section 8-38-12 Exemptions - State
  An entity subject to or regulated by state laws, rules, regulations, procedures, or guidance on data breach notification that are established or enforced by state...

Last modified: May 3, 2021