Alabama recently introduced a bill (S.B. 106) which would require notification in the event of a breach affecting the personal information of an Alabama resident.  While 47 states currently have laws requiring breach notification — most recently joined by Kentucky — New Mexico, South Dakota, and Alabama are the only states that do not.

Notably, the proposed legislation includes a number of novel provisions.  Specifically, the bill includes an expansive definition of “personal information” covering some data elements which many other jurisdictions do not currently define as “personal information.”  In particular (and in addition to more traditional data elements such as name, social security number and state identification number), the bill’s definition of “personal information” includes:

  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

Further, if enacted, the law would: apply to paper and/or unencrypted electronic personal information; require notification to affected individuals within 30 days after a breach determination; and include a risk of harm trigger providing that notice need not be provided if “the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.”  If notice is not provided, however, the decision must be documented in writing and maintained for 5 years.  Oddly, a copy of the determination not to provide notice would still need to be provided to the Attorney General, notwithstanding the fact that the bill only calls for Attorney General notification in the event of a breach affecting 500 or more residents of Alabama.

Lastly, and to address the growing number of payment card industry breaches, the proposed law would prohibit businesses from retaining credit and debit card security code data, PIN verification numbers, or the full contents of any magnetic stripe data.  Entities that do experience a payment card data breach would be required to “reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.”

The bill was sent to the Alabama Senate’s Judiciary Committee for consideration.