Alabama does not currently have a comprehensive cybersecurity law but has passed sector-specific laws on data security. Particularly in the insurance sector, Alabama enacted the Insurance Data Security Law, under Chapter 62 of Title 27 of the Alabama Code ('Ala. C.') ('the Data Security Law'), modelled after the National Association of Insurance Commissioners Insurance Data Security Model Law.
In addition, §5(a) of the Alabama Data Breach Notification Act of 2018 ('the Act') provides for data breach notification requirements.
The Data Security Law affects insurance carriers, producers, and other businesses licensed by the Alabama Department of Insurance ('ALDOI').
In addition, the Alabama Attorney General ('AG') is responsible for enforcing the Act.
Please note that this Guidance Note refers to state-wide legislation for Alabama.
In addition to state requirements outlined here, please note that federal cybersecurity requirements may be applicable under federal laws such as the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA').
For more information, please refer to the following OneTrust DataGuidance Guidance Notes:
3. GENERAL REQUIREMENTS
3.2.1. In case of a cybersecurity incident, is there an obligation to notify the regulatory authority?
There is a requirement to notify data breaches under §5(a) of the Act.
3.2.2. If yes, please describe the process, timeline, and any other formality that needs to be adhered to.
Notification to Consumers
In the event of a cybersecurity incident, the licensee must provide notice to affected individuals to whom the information relates (§5(a) of the Act).
3.2.3. In case of a cybersecurity incident, are there other subjects that need to be notified?
In addition, if a licensee discovers circumstances requiring notice of more than 1,000 individuals at a single time, the licensee must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act 15 U.S.C. 1681a (§7 of the Act).
3.2.4. Please outline any other bodies that might be notified.
For more information, please refer to the following OneTrust DataGuidance Guidance Note Alabama - Data Breach.
Authorised individual: means an individual known to, and screened by, the licensee and determined to be necessary and appropriate to have access to the non-public information held by the licensee and its information systems (§27-62-3(1) of the Data Security Law).
Consumer: means an individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this state and whose non-public information is in a licensee's possession, custody, or control (§27-62-3(3) of the Data Security Law).
Cybersecurity event: means an event resulting in unauthorised access to, disruption or misuse of, an information system or non-public information stored on such information system. The term shall not include the unauthorised acquisition of encrypted non-public information if the encryption, process, or key is not also acquired, released, or used without authorisation. A cybersecurity event shall not include an event with regard to which the licensee has determined that the non-public information accessed by an unauthorised person has not been used or released and has been returned or destroyed (§27-62-3(4) of the Data Security Law).
Information security program: means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle non-public information (§27-62-3(7) of the Data Security Law).
Information system: means a discrete set of electronic information resources organised for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic non-public information, as well as any specialised system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system (§27-62-3(8) of the Data Security Law).
Licensee: means any person licensed, authorised to operate, registered, or required to be licensed, authorised, or registered pursuant to the insurance laws of Alabama, but does not include a purchasing group or a risk retention group chartered and licensed in a state other than Alabama, or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction (§27-62-3(9) of the Data Security Law).
Non-public information: means information that is not publicly available information and is (§27-62-3(11) of the Data Security Law):
- any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:
  - social security numbers;
  - driver's license numbers or non-driver identification card numbers;
  - financial account numbers, credit or debit card numbers;
  - any security codes, access codes, or passwords that would permit access to a consumer's financial account; and
  - biometric records.
Third-party service provider: refers to a person that is not a licensee and that contracts with a licensee to maintain, process, store, or otherwise is permitted access to non-public information, through its provision of services to the licensee (§27-62-3(16) of the Data Security Law).
4.2. Information security program implementation
Licensees are responsible for implementing an information security program. The program should correspond to the size and complexity of the licensee, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee's possession, custody, or control.
In addition, the licensee is responsible for developing and maintaining a comprehensive written information security program that contains administrative, technical, and physical safeguards for the protection of non-public information and the licensee's information system (§27-62-4(a) of the Data Security Law).
Furthermore, the information security program of a licensee shall be designed to do all of the following (§27-62-4(b) of the Data Security Law):
- protect the security and confidentiality of non-public information and the security of the information system;
- protect against any threats or hazards to the security or integrity of non-public information and the information system;
- protect against unauthorised access to, or use of, non-public information, and minimise the likelihood of harm to any consumer; and
- define and periodically re-evaluate a schedule for retention of non-public information and a mechanism for its destruction when no longer needed.
Based on its risk assessment, a licensee shall do all of the following (§27-62-4(d) of the Data Security Law):
- design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee's possession, custody, or control; and
- determine which of the following security measures are appropriate and implement those appropriate security measures:
  - placing access controls on information systems, including controls to authenticate and permit access only to authorised individuals to protect against the unauthorised acquisition of non-public information;
  - identifying and managing the data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes in accordance with their relative importance to business objectives and the organisation's risk strategy;
  - restricting physical access to non-public information to authorised individuals only;
  - protecting by encryption or other appropriate means all non-public information while being transmitted over an external network and all non-public information stored on a laptop computer or other portable computing or storage device or media;
  - adopting secure development practices for in-house developed applications utilised by the licensee;
  - adding procedures for evaluating, assessing, or testing the security of externally developed applications used by the licensee;
  - modifying the information system in accordance with the licensee's information security program;
  - using effective controls, which may include multi-factor authentication procedures for employees accessing non-public information;
  - regularly testing and monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;
  - including audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
  - implementing measures to protect against destruction, loss, or damage of non-public information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and
  - developing, implementing, and maintaining procedures for the secure disposal of non-public information in any format;
- include cybersecurity risks in the licensee's enterprise risk management process;
- stay informed regarding emerging threats or vulnerabilities and utilise reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and
- provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.
A licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its non-public information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems (§27-62-4(g) of the Data Security Law).
4.3. Cybersecurity incidents
Investigation of a cybersecurity event
If the licensee learns that a cybersecurity event has or may have occurred, the licensee or an outside vendor or service provider, or both, designated to act on behalf of the licensee, shall conduct a prompt investigation (§27-62-5(a) of the Data Security Law).
During such investigation, the licensee, or an outside vendor or service provider, or both, designated to act on behalf of the licensee, shall, at a minimum, do as much of the following as possible (§27-62-5(b) of the Data Security Law):
- determine whether a cybersecurity event has occurred;
- assess the nature and scope of the cybersecurity event;
- identify any non-public information that may have been involved in the cybersecurity event; and
Moreover, the licensee shall perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event to prevent further unauthorised acquisition, release, or use of non-public information in the licensee's possession, custody, or control (§27-62-5(c) of the Data Security Law).
The licensee shall maintain records concerning all cybersecurity events for at least five years from the date of the cybersecurity event and shall produce those records on demand of the Commissioner of Insurance ('the Commissioner') (§27-62-5(e) of the Data Security Law).
Notification to the Commissioner
Each licensee shall notify the Commissioner as promptly as possible, but not later than three business days after a determination that a cybersecurity event involving non-public information in the possession of a licensee has occurred, when either of the following has been met (§27-62-6(a) of the Data Security Law):
- Alabama is the licensee's state of domicile, for an insurer, or the licensee's home state, for an insurance producer as that term is defined in Property, Casualty, and Surety Insurance Representatives, under Chapter 7 of Title 27 of the Ala. C., and the cybersecurity event has a reasonable likelihood of materially harming either of the following:
  - a consumer residing in the State of Alabama; or
  - any material part of a normal operation of the licensee; or
- the licensee reasonably believes that the non-public information involved 250 or more consumers residing in Alabama and is either of the following:
  - a cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or other supervisory body under any state or federal law; or
  - a cybersecurity event that has a reasonable likelihood of materially harming either of the following:
    - any consumer residing in this state; or
    - any material part of the normal operation of the licensee.
The licensee shall provide the information under this subsection in electronic form as directed by the Commissioner (§27-62-6(b) of the Data Security Law).
The licensee has a continuing obligation to update the Commissioner regarding any subsequent material changes to the previously provided notice relating to the cybersecurity event (§27-62-6(c) of the Data Security Law). The licensee shall provide as much of the following information as possible (§27-62-6(b) of the Data Security Law):
- the date of the cybersecurity event;
- a description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
- how the cybersecurity event was discovered;
- whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
- the identity of the source of the cybersecurity event;
- whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided;
- a description of the specific types of information acquired without authorisation. As used in this subdivision, 'specific types of information' means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer;
- the period during which the information system was compromised by the cybersecurity event;
- the number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner under this section;
- the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
- a description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
- the name of a contact person who is both familiar with the cybersecurity event and authorised to act for the licensee.
If the licensee becomes aware of a cybersecurity event in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner as provided unless the third-party service provider provides the notice to the Commissioner (§27-62-6(e)(1) of the Data Security Law). Furthermore, nothing shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party to fulfil any of the investigation requirements or the notice requirements (§27-62-6(e)(3) of the Data Security Law).
Where the cybersecurity event involves non-public information that is used by the licensee when acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within three business days after making the determination that a cybersecurity event has occurred (§27-62-6(f)(a) of the Data Security Law).
Where the cybersecurity event involves non-public information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider for which a consumer accessed the insurer's services through an independent insurance producer, and for which consumer notice is required, the insurer shall notify the producers of record of all affected consumers of the cybersecurity event not later than the time at which notice is provided to the affected consumers. The insurer is excused from this obligation for any producer who is not authorised by law or contract to sell, solicit, or negotiate on behalf of the insurer, and in those instances in which the insurer does not have the current producer of record information for any individual consumer (§27-62-6(g) of the Data Security Law).
4.4. Powers / penalties
5.2. Security program / framework
A licensee that is subject to and complies with HIPAA, and with regulations promulgated under HIPAA Privacy and Security Rules is considered to be in compliance with the Data Security Law (§27-62-9(a)(2) of the Data Security Law).
For more information on federal cybersecurity obligations in the health sector please refer to the following OneTrust DataGuidance Guidance Note USA - HIPAA - Cybersecurity.
6.2. Security program / framework
A licensee affiliated with a depository institution that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, as set forth pursuant to Sections 501 and 505 of the GLBA, shall be considered to meet the requirements of §27-62-4 of the Data Security Law, provided that the licensee produces, upon request, documentation satisfactory to the Commissioner that independently validates the affiliated depository institution's adoption of an information security program that satisfies the Interagency Guidelines (§27-62-9(a)(4) of the Data Security Law).
For more information on federal cybersecurity obligations in the financial sector please refer to the following OneTrust DataGuidance Guidance Note USA - GLBA Safeguards Rule - Cybersecurity.
Any violation of the provisions of the Data Security Law by an insurance provider will be subject to the penalties established by Chapter 7 of Title 27 of the Ala. C. (§27-62-10(a) of the Data Security Law).
In addition, the licensee may be subject to the suspension or revocation of the license or certificate of authority of the licensee or, in lieu thereof and at the sole discretion of the Commissioner, to a fine in an amount not exceeding $10,000 per violation (§27-62-10(b) of the Data Security Law).
8. OTHER AREAS OF INTEREST
Authored by OneTrust DataGuidance