SB91 Summary

• Creates the Alabama Information Protection Act of 2017 requiring covered entities and governmental entities to take reasonable security measures to protect sensitive personally identifying information in electronic form.

• Mandates notification to the Attorney General within 60 days of any data security breach affecting 1,000 or more Alabama residents, with required information about the breach and available consumer services.

• Requires entities to notify affected individuals within 60 days of breach discovery through written or email notice, with exceptions for law enforcement delays or if breach causes no substantial financial harm.

• Mandates notification to nationwide consumer reporting agencies when breaches affect more than 1,000 residents and requires third-party agents to notify covered entities of breaches within 10 days of discovery.

• Establishes civil penalties up to $50,000 per breach for violations, designates violations as deceptive trade practices, and exempts financial institutions, insurers, and health care providers subject to federal privacy regulations; governmental entities have damage immunity.