SB238 - Alabama Information Protection Act of 2016

• Creates the Alabama Information Protection Act requiring covered entities and governmental entities to use reasonable security measures to protect sensitive personally identifying information in electronic form.

• Requires covered entities to notify the Attorney General within 60 days of any verified data breach affecting 1,000 or more Alabama residents, with optional 15-day extension for good cause.

• Mandates notification to affected residents within 60 days of breach discovery by mail or email, unless law enforcement requests delay or entity determines no substantial financial harm will result.

• Requires notification to nationwide consumer reporting agencies when breaches affect more than 1,000 residents and requires third-party agents to notify covered entities of breaches within 10 days of discovery.

• Establishes civil penalties up to $50,000 per breach for violations of notification requirements, applies per breach rather than per individual, and exempts financial institutions, insurers, and healthcare providers subject to existing federal privacy regulations.