Alabama Is Final US State to Have Notification Law for Data Breaches
On March 28, Alabama became the last U.S. state to enact a law requiring notification of data breaches. The statute is similar to the 49 others, yet with its own wrinkles. Data breaches — corporate and otherwise — continue to be a major form of crisis, and it’s important for communicators to understand these notification laws.
As with many such laws, the Alabama statute requires “covered entities” to notify affected individuals within 45 days of determining that a breach has happened or of being notified of one by a vendor. Notification is required when the company or organization determines that the breach is likely to cause substantial harm to the individuals whose data was exposed.
The notification can be by email or snail mail, but must include certain information such as when the breach occurred, a description of the data compromised, remedial measures taken, protective measures the individual can take, and the company or organization’s contact information.
“Alabama consumers finally join the rest of America in having the right to know if their personal information is stolen or compromised in a data breach,” Alabama Attorney General Steve Marshall said in a statement when the bill was signed. “There is no national law requiring companies to notify affected consumers after a data breach, so it is up to each state to ensure that its citizens are protected.”
These data-breach laws are important to crisis communications in that the mandated notification is a form of communication, although it’s pretty strictly defined. Communicators need to be concerned because statements given to the media about a data intrusion must be consistent with those given to consumers. Companies sometimes use an anonymous version of their notification letter as their press or public statement (and of course the letters sometimes leak).
The Alabama law, which takes effect May 1, has neither criminal provisions nor a private right of action. If the breach involves more than 1,000 individuals, the state attorney general must be notified. And only the attorney general can bring an action for penalties, which max out at $5,000 a day for failure to notify, with a cap of $500,000 per breach. (Law firm Ballard Spahr notes that South Dakota recently passed the second-to-last data-breach notification law, which does include criminal penalties.)
One Alabama innovation, according to Ballard Spahr, is that the statute spells out what it means by “reasonableness” in requiring reasonable cybersecurity measures (as 14 states now do). Those factors include designating an employee to oversee cybersecurity (akin to a Chief Crisis Officer, if you will), identifying data-breach risks, and adopting safeguards, among other measures.
Alabama’s law pertains only to electronic data; some other states have laws that also cover so-called tangible data. To give you an idea of how these laws can differ, Alabama’s fellow slowpoke in this area, South Dakota, gives companies, organizations, and agencies 60 days, rather than Alabama’s 45, to provide notification. The data covered by the Alabama law is fairly typical and includes “non-truncated” Social Security and passport numbers, user name and password, and medical data.
So now all 50 states (plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have laws covering notification of data breaches. It’s a good idea to keep an eye on those laws, as they are constantly being updated.
This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal.