With Alabama’s enactment of the Alabama Data Breach Notification Act of 2018 (the “Act”), all 50 states now have their own data breach notification statutes. Because the U.S. data breach reporting regime also includes statutory reporting obligations in jurisdictions such as Puerto Rico and the District of Columbia, and because the statutes differ in their definitions, triggers and deadlines, businesses with customers in more than one state should coordinate with advisors who have experience navigating this patchwork of laws.
On March 28, 2018, Alabama became the 50th (and final) state to enact a data breach notification law. The Act requires notification where a “good faith and prompt investigation” results in a determination that “sensitive personally identifying information” (“SPII”) of an Alabama resident has been acquired, or is reasonably believed to have been acquired, by an unauthorized person, “and is reasonably likely to cause substantial harm to the individuals to whom the information relates.” The Act defines SPII as an Alabama resident’s first name or first initial and last name in combination with one or more data elements, including (among others) a Social Security or tax identification number, a financial account number, or information regarding the individual’s medical history. The Act excludes from the definition of SPII information lawfully made public and information that is “truncated, encrypted, secured, or modified by any other method or technology” that renders the information unusable. That encryption safe harbor is not unconditional: under the Act it does not apply where the covered entity knows or has reason to know that the encryption key or security credential capable of rendering the information readable was breached together with the data, so an incident response team must establish whether keys or credentials were exposed before relying on it. The Act requires that residents be notified “as expeditiously as possible and without unreasonable delay,” and in any case within 45 days of the determination that a breach has occurred and is reasonably likely to cause substantial harm. The Act also requires all covered entities to “implement and maintain reasonable security measures” to protect SPII.
Despite federal legislative efforts such as the Data Acquisition and Technology Accountability and Security Act, introduced in the House of Representatives in February 2018, there is still no general national data breach notification law, so a state-by-state analysis remains necessary after a data security incident. In March 2018, 32 state attorneys general sent a letter to federal legislators urging them to retain the current multijurisdictional approach rather than preempt state data breach notification laws, cautioning that the proposed national legislation “will result in less transparency to consumers.” For now, the 50-state regime remains the status quo. Until Congress enacts a general national data breach reporting statute, companies doing business in multiple U.S. jurisdictions must carefully consider how the various statutes’ differing definitions of covered information, harm thresholds and notification deadlines apply to their own circumstances.