Burr Alert: Alabama Has Joined the Party - What Your Business Needs to Know about Alabama's New Data Privacy Law

Articles / Publications

On March 28, 2018, Alabama adopted a data privacy law, the Alabama Data Breach Notification Act of 2018 (SB318). While Alabama is one of the last states to adopt such an act, the Act is notable in its requirements, and applies to any "person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity" that acquires, has possession of, or uses Sensitive Personally Identifying Information. The stated objective of the breach is protecting the data of Alabama residents, and it defines a breach as the "unauthorized acquisition of data in electronic form containing sensitive personally identifying information."

While data privacy laws certainly are not new at this point, there are likely many businesses in Alabama who have thus far not had to focus on compliance with requirements as strict as those set forth in the Act, including how the business stores, manages, uses, and destroys its data and how the business responds to a security incident. With the June 1st effective date quickly approaching, businesses who have not previously taken steps to assess their data security plans need to do so now. Given the scope of the Act, except for those excepted businesses, almost all businesses in Alabama will be impacted by at least part of this Act.

The first step is to understand the data that a company brings in from all data sources (employees, customers, vendors and others), where that data is stored, how it is stored, how it is used, who has access, why it is collected and how long it is retained. Once a business has that information it can begin developing plans and implementing processes to ensure compliance with this Act.

The key objective to minimize liability under this Act, or others like it, is not to store information that is not needed for the business purpose. If a business currently retains information that is not part of the business process, identify that data now and take steps to remove it from the records using proper methods. Then focus on the remaining data, its sensitivity and what needs to be done to protect it. This will vary for every business, and most businesses with limited in-house IT and legal assistance will need the assistance of consultants to help with expediting this process. If information must be stored, proper consideration for encryption, truncation or other means to prevent the data from being used if it is acquired by an unauthorized user may be effective security measures for some businesses, but those measures should be carefully evaluated to ensure they are sufficient because other measures may be needed as well.

Download the full article,ALERT_What-Your-Business-Needs-to-Know-about-Alabamas-New-Data-Privacy-Law_IV written by India E. Vincent.

Jump to Page

Contact Us

About Burr & Forman Cybersecurity & Data Privacy Law

Burr & Forman's experienced team helps clients navigate the complex cybersecurity and data privacy landscape with strategies designed to assess current risks, develop a corrective action plan, implement best practices, and provide immediate and appropriate responses to a cybersecurity breach.

We use cookies to improve your website experience, provide additional security, and remember you when you return to the website. This website does not respond to "Do Not Track" signals. By clicking "Accept," you agree to our use of cookies. To learn more about how we use cookies, please see our Privacy Policy.

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.