HB 410 Summary

• Creates the Alabama Data Breach Notification Act of 2018 requiring covered entities to notify individuals and the Attorney General when a breach of security results in unauthorized acquisition of sensitive personally identifying information.

• Mandates covered entities implement and maintain reasonable security measures to protect sensitive personally identifying information, with assessment based on entity size, resources, and type of data handled.

• Requires notification to affected individuals within 45 days of determining a breach has occurred and is reasonably likely to cause substantial harm, with notice by mail or email unless substitute notice is used for excessive cost, insufficient contact information, or when affected individuals exceed 500,000.

• Requires notification to the Attorney General if breach affects more than 1,000 individuals, and mandates third-party agents notify covered entities of breaches within 10 days.

• Establishes violations as unlawful trade practices under the Alabama Deceptive Trade Practices Act with civil penalties up to $5,000 per day for non-compliance with notice requirements and up to $500,000 per breach; exempts entities subject to federal data breach notification requirements if they comply with federal standards.