SB318 - Alabama Data Breach Notification Act of 2018

• Requires covered entities to implement and maintain reasonable security measures to protect sensitive personally identifying information against breaches of security.

• Mandates covered entities conduct a good faith investigation upon discovering or suspecting a breach and notify affected Alabama residents within 45 days if personal data was acquired by unauthorized persons and is reasonably likely to cause substantial harm.

• Requires notification to the Alabama Attorney General when a breach affects more than 1,000 individuals, and notification to nationwide consumer reporting agencies when more than 1,000 individuals are affected at one time.

• Establishes penalties for violations including civil penalties up to $5,000 per day for failure to comply with notice requirements and up to $500,000 per breach, with exclusive enforcement authority vested in the Attorney General.

• Exempts entities already subject to federal or state data breach notification laws that are at least as thorough as this act's requirements.