Alabama Is Final State to Enact Data Breach Notice Law

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Chris Marr and Sara Merken

Alabama will require companies hit with a data breach to notify impacted state residents, subject to civil penalties of no more than $500,000, under a state law that takes effect May 1.

Gov. Kay Ivey (R) signed S.B. 318 on March 28, making Alabama the last state to enact a data breach notification law. South Dakota’s governor signed a similar bill a week earlier.

In general, S.B. 318, enacted as Act No. 2018-396, would require companies that experience a data breach to notify affected state residents within 45 days, with some exceptions. The state attorney general and consumer credit reporting agencies would have to be notified if more than 1,000 individuals are impacted.

Personal information, the breach of which can trigger the duty to notify, includes an Alabama resident’s first name or first initial and last name, in combination with one other identifier, such as his or her Social Security number, tax identification number, driver’s license number, financial account number, or physical or mental health history, Personal information does not include data that is encrypted.

The law requires companies and third party agents with access to sensitive information to implement and maintain reasonable security to protect the information. Companies must provide direct notice by mail or email to affected consumers.

The new law bars private lawsuits for failure to give notice but authorizes the state attorney general to seek civil penalties, capped at $500,000, under the Alabama Deceptive Trade Practices Act.

Notification may be delayed if a federal or state law enforcement agency decides that it would interfere with a criminal investigation or national security.

Companies that follow the notice requirements under federal data breach laws or regulations would be exempt from the Alabama law, but would have to inform the state attorney general about notifications to more than 1,000 people. Companies would also be exempt if they follow another state’s breach notification law, as long as the other state’s notice requirements are “at least as thorough” as the Alabama law.

To contact the reporter on this story: Chris Marr in Atlanta at and Sara Merken in Washington at contact the editor responsible for this story: Barbara Yuill at

For More Information

S.B. 318 / Act No. 2018-396 is available at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security