Alabama: Governor signs Data Breach Notification Act
The Alabama Attorney General ('AG'), Steve Marshall, announced, on 28 March 2018, that the Governor, Kay Ivey, had signed the Alabama Data Breach Notification Act of 2018 ('the Act'). The Act requires entities to notify Alabama residents of a breach within 45 days of its discovery, and notify the AG within 45 days if the breach affects more than 1,000 individuals, as well as all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. In addition, third party agents are required to notify the agent of a breach within ten days of its discovery.
The AG has the authority to issue penalties for violations of the Act. Covered entities or third party agents who knowingly engage in or have knowingly engaged in a violation of the notification provisions can be subject to a penalty not exceeding $500,000 per breach, and covered entities that violate the notification provisions can be liable for a civil penalty of not more than $5,000 per day for each consecutive day that the entity fails to take reasonable action to comply with the notice provisions of the Act.
Marshall said, "Alabama consumers finally join the rest of America in having the right to know if their personal information is stolen or compromised in a data breach [...] Until now, Alabama was the only state without a data breach notification law."