On March 28, 2018, Alabama became the final state in the U.S. to enact a data breach notification law. The Alabama Data Breach Notification Act of 2018 (S.B. 318) (“the Law”) goes into effect on May 1, 2018. The Act, which was signed into law by Alabama Governor, Kay Ivey, requires companies to provide Alabama residents with notification of a breach within 45 days of discovery. Notification is triggered by a determination of a breach that poses a risk of harm to impacted individuals.
Things to take note of under the Alabama law:
- The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include. An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directs, if any, informed of the overall status of its security measures”.
- Notification to residents within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm.
- The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.
- Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.
- No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.
- The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions. “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.
What does this mean for business owners?
Well, as an example, we’ll look at a small gift store in Vermont which was fined $3,000 by the Attorney General’s office for not informing its customers of a credit card security breach. Turns out, the shop’s website was hacked last year, exposing 721 online shoppers’ credit card information.
If nothing else, this story reminds small business owners of two important things:
- Any business – of any size – can face a data security breach.
- According to the new Alabama law, it is not enough to simply fix the breach.
How Small Businesses Can Manage Data Security Risks
In addition to knowing the details of the new law, the best way to stay on the right side of the law is to avoid a breach altogether. Easier said than done, right?
Here are some tips:
- Don’t keep highly sensitive data on your databases.
- Encrypt everything.
- Enact companywide data handling procedures.
The new law means every business owner should now have cybersecurity on the top of their priority list and our team here at BIS is here to make sure your business is secure. Call us for a free consultation and to answer questions you might have about this new law which takes effect on May 1, 2018.
Phillip Long – CISSP, CEO of BIS Technology Group, along with his team of marketing and information technology experts, will walk you through an overview of what your business should be doing to protect your data and plan your digital marketing strategies.
About BIS Technology Group
BIS Technology Group is the technology leader on the Gulf Coast and is comprised of four divisions: Information Technology, Web Design & Digital Marketing, Office Equipment and Business Consulting. Together these divisions help local businesses exceed expectations and allow them to group to their full potential while minimizing risks. To learn more about BIS Technology Group, visit bistechnologygroup.com.
You may reach out to us at: