HB291 Summary

• Creates the Alabama Information Protection Act of 2016 requiring covered entities and governmental entities to implement reasonable security measures to protect electronic data containing sensitive personally identifying information.

• Mandates notification to the Attorney General within 60 days (extendable by 15 days for good cause) for data breaches affecting 1,000 or more Alabama residents, with written notice including breach synopsis, number of affected residents, and contact information.

• Requires affected individuals to be notified within 60 days of breach determination through written notice, email, or substitute notice (website and media) if direct notice exceeds $250,000 or affects more than 500,000 persons.

• Imposes civil penalties up to $50,000 per breach for violations of notification requirements, with penalties deposited to the State General Fund (excluding Attorney General recovery costs).

• Exempts financial institutions subject to Gramm-Leach-Bliley Act, federal banking guidance, and healthcare providers governed by HIPAA, with governmental entities limited from liability subject to sovereign immunity provisions.