Alabama Becomes Last of the Fifty Nifty United States (and D.C., Guam, Puerto Rico, and the Virgin Islands) to Pass a Data Breach Law


By: Robyn Flegal

Alabama has officially become the last of the 50 States to pass a data breach notification statute, which will go into effect on June 1, 2018. The Alabama Data Breach Notification Act of 2018 requires that covered entities issue written notification to individuals affected by a data breach. Covered entities include any person or business entity acquiring or using sensitive personally identifying information.

Under the statute, protected information is defined as: (1) a non-truncated Social Security number or tax ID number; (2) a non-truncated driver’s license number, state-issued ID card number, passport number, military ID number, or other unique identification number issued on a government document to verify one’s identity; (3) financial account numbers, including a bank account number, credit card number, or debit card number, in combination with any security or access code, or other key necessary to access the financial account; (4) information regarding an individual’s medical history, treatment, or diagnosis by a medical professional; (5) health insurance policy number or unique identifier; and (6) username or email address combined with the password or security question/answer allowing an unauthorized user access to a private online account. Specifically excluded is information made public by lawful means or encrypted information.

Alabama will now require that covered entities employ reasonable measures to protect the above information from a breach. This will include designation of an employee to be the dedicated coordinator of security measures. It also requires identification of external and internal security risks and the evaluation/adjustment of security measures.

Covered entities in Alabama must be aware of the need to implement reasonable measures to protect sensitive information, and must also understand that expeditious written notification is required upon determining that (1) protected information was acquired by an unauthorized person and (2) the acquisition is reasonably likely to cause substantial harm to affected individuals. While the Act does not create a private cause of action, the Attorney General of Alabama may bring an action to enforce the statute.


If you believe you have experienced a data breach or if you would like more information about this statute, please contact Robyn Flegal at or contact any of FMG’s Data Security, Privacy and Technology Professionals.