Burr Alert: Alabama Has Joined the Party - What Your Business Needs to Know about Alabama's New Data Privacy Law
On March 28, 2018, Alabama adopted a data privacy law, the Alabama Data Breach Notification Act of 2018 (SB318). While Alabama is one of the last states to adopt such an act, the Act is notable in its requirements, and applies to any "person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity" that acquires, has possession of, or uses Sensitive Personally Identifying Information. The stated objective of the breach is protecting the data of Alabama residents, and it defines a breach as the "unauthorized acquisition of data in electronic form containing sensitive personally identifying information."
While data privacy laws certainly are not new at this point, there are likely many businesses in Alabama who have thus far not had to focus on compliance with requirements as strict as those set forth in the Act, including how the business stores, manages, uses, and destroys its data and how the business responds to a security incident. With the June 1st effective date quickly approaching, businesses who have not previously taken steps to assess their data security plans need to do so now. Given the scope of the Act, except for those excepted businesses, almost all businesses in Alabama will be impacted by at least part of this Act.
The first step is to understand the data that a company brings in from all data sources (employees, customers, vendors and others), where that data is stored, how it is stored, how it is used, who has access, why it is collected and how long it is retained. Once a business has that information it can begin developing plans and implementing processes to ensure compliance with this Act.
The key objective to minimize liability under this Act, or others like it, is not to store information that is not needed for the business purpose. If a business currently retains information that is not part of the business process, identify that data now and take steps to remove it from the records using proper methods. Then focus on the remaining data, its sensitivity and what needs to be done to protect it. This will vary for every business, and most businesses with limited in-house IT and legal assistance will need the assistance of consultants to help with expediting this process. If information must be stored, proper consideration for encryption, truncation or other means to prevent the data from being used if it is acquired by an unauthorized user may be effective security measures for some businesses, but those measures should be carefully evaluated to ensure they are sufficient because other measures may be needed as well.
Download the full article,ALERT_What-Your-Business-Needs-to-Know-about-Alabamas-New-Data-Privacy-Law_IV written by India E. Vincent.