Alabama Breach Notification Law

Last Updated: October 23, 2023

Alabama Data Breach Notification Act of 2018, Ala. Code § 8-38-1, et seq.

Contents

  • Summary of Notifications and Deadlines

  • Exceptions and Safe Harbors

    • Encryption

    • Not Reasonably Likely to Cause Substantial Harm

  • Notices from Third Party Agents to Covered Entities

  • Notice to Alabama Residents

    • Substitute Notice

  • Notice to Attorney General

  • Notice to Nationwide Credit Reporting Agencies

  • Other Affirmative Obligations

    • Reasonable Security Measures

    • Duty to Investigate

    • 5-Year Record Retention

  • Definitions

    • Breach

    • Covered Entity

    • Individual

    • Sensitive Personally Identifying Information

    • Third-Party Agent

Summary of Notifications and Deadlines

  • Notification from: Third-party agent. Notification to: Covered entity.

    • Conditions for notice: unauthorized acquisition of sensitive personally identifying information of an Alabama resident

    • Deadline/timing: 10 days

  • Notification from: Covered entity. Notification to: Alabama resident.

    • Conditions for notice: sensitive personally identifying information of an Alabama resident has been acquired or is reasonably believed to have been acquired, and the acquisition is reasonably likely to cause substantial harm

    • Deadline/timing: 45 days

  • Notification from: Covered entity. Notification to: Alabama Attorney General.

    • Conditions for notice: “exceeds 1000” affected Alabama residents, and either (a) receipt of notice from a third-party agent that a breach has occurred, or (b) a determination that a breach has occurred and is reasonably likely to cause substantial harm

    • Deadline/timing: 45 days

  • Notification from: Covered entity. Notification to: Nationwide credit reporting agencies.

    • Conditions for notice: “more than 1000” affected Alabama residents, and sensitive personally identifying information of an Alabama resident has been acquired or is reasonably believed to have been acquired, and the acquisition is reasonably likely to cause substantial harm

    • Deadline/timing: “without unreasonable delay”


Exceptions and Safe Harbors

  • Encryption. Sensitive Personally Identifying Information does not include “Information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information.” Ala. Code § 8-38-2(6)(b)(2).

  • Not Reasonably Likely to Cause Substantial Harm. The statute requires covered entities to notify Alabama residents when the covered entity determines that their sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm to such individuals.

Notice from Third Party Agents to Covered Entities

  • If a third-party agent experiences a breach, i.e., “unauthorized acquisition of data in electronic form containing sensitive personally identifying information,” the agent must notify the covered entity “as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach or reason to believe the breach occurred.”

  • The third-party agent must provide to the covered entity “information in the possession of the third-party agent” so that the covered entity can comply with its notice requirements.

  • A covered entity may contract with a third-party agent to handle notifications required under the statute.

Notice to Alabama Residents

  • Notices may be sent via mailed letter or email.

  • Notices must include:

    • Date of breach

    • Description of sensitive personally identifying information acquired without authorization

    • General description of covered entity’s actions to restore security and confidentiality of personal information

    • General description of how individuals can protect against identity theft

    • Covered entity contact information

  • Substitute Notice

    • Allowed when direct notice is not feasible due to:

      • Insufficient contact information;

      • Cost exceeds $500,000 or excessive cost “relative to the resources of the covered entity”; or

      • More than 100,000 persons affected.

    • Notice must be made by both:

      • Print and broadcast media where affected Alabama residents reside

      • If the covered entity has a website, posting to that website for 30 days

    • Alternative forms of substitute notice may be approved by the Attorney General

Notice to Attorney General

  • If the statute requires the covered entity to notify “more than 1000” Alabama residents, then it must notify the Alabama Attorney General as “expeditiously as possible and without unreasonable delay” and within 45 days of either receiving notice from a third-party agent that a breach has occurred or the date that the entity determined that a breach occurred and is reasonably likely to cause substantial harm.

  • The Alabama Attorney General accepts notifications via online form.

  • Notices must include:

    • Synopsis of events surrounding the breach

    • Approximate number of affected Alabama residents

    • Description of no-cost services offered to affected individuals and instructions on how to use them

    • Covered entity contact information