Alabama Senate Passes Data Breach Notification Bill


By Chris Marr

Alabama companies hit with a data breach would have to notify affected consumers within 45 days but would escape private lawsuits under a bill approved by the state Senate.

The bill permits only the state attorney general to sue companies related to notification requirements, and caps civil penalties at $500,000 for violations.

The bill, S.B. 318, won unanimous Senate approval March 1 and heads to the state House for consideration. A similar bill, H.B. 410, is pending in the Alabama House.

Senate passage clears a big hurdle for Alabamian lawmakers looking to remove the state from the short list of those without a data breach notification law. South Dakota is the only other state without one, but data breach legislation is also being considered by that state’s lawmakers.

The Alabama legislature could enact the bill this year, since it has mostly addressed businesses’ concerns about prior bills, Edward “Ted” Hosp, an attorney and lobbyist for Maynard Cooper & Gale in Birmingham, Ala., told Bloomberg Law. “I’m not sensing a lot of opposition, which is different from years past,” he said.

Alabama Attorney General Steve Marshall (R) also supports the bill, citing the massive 2017 Equifax Inc. breach as an impetus.

“Equifax was a wakeup call for all of us—the legitimate need for increased consumer protections was put on display and should propel the passage of this Act. It is long overdue,” Marshall said in a Feb. 14 statement announcing the bill’s introduction.

The Senate and House bills provide guidelines for companies to investigate suspected data breaches and directly notify affected people and the attorney general’s office. Companies can post notices on their websites, use media outlets, or just notify the state attorney general in certain cases, such as a breach affecting more than 100,000 people.

The U.S. doesn’t have a federal breach notification law. But some industries, such as health care, operate under federal industry laws that contain breach notification requirements.

Companies following such requirements would typically satisfy state rules as long as they notify the attorney general’s office of any breach affecting more than 1,000 people. The exemption relieved concerns some companies had about previous proposals, Hosp said.

To contact the reporter on this story: Chris Marr in Atlanta at

To contact the editor responsible for this story: Barbara Yuill at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
