Understanding Alabama Data Breach Notification Act for County Governments
Alabama's Data Breach Notification Act requires all county governments and related entities to comply with specific security measures to protect sensitive information of residents. The law mandates prompt investigation and notification in case of a breach, defining what constitutes a breach and sensitive personally identifying information. This overview provides essential details and requirements for counties to understand and implement the law effectively.
Uploaded on Sep 14, 2024
Presentation Transcript
Alabama Data Breach Notification Act: What County Governments Need to Know Morgan Arrington, General Counsel Association of County Commissions of Alabama www.alabamacounties.org
Overview of Law: Alabama recently became the 50th state to enact a data breach notification law. Act 2018-396 will go into effect on June 1, 2018. It includes several requirements that covered entities are expected to assess and implement in a very short time frame.
Overview of Law: Who needs to be in compliance with this law? All county governments; All departments of county government; All instrumentalities of the county; and All third-party agents of the county that maintain electronic records containing sensitive information about Alabama residents.
Overview of Law: While the nuances of the law are extensive, it includes three basic requirements: 1. Covered entities and their third-party service providers are required to implement and maintain reasonable security measures to protect sensitive information. 2. Covered entities must conduct a prompt investigation upon the discovery of a possible security breach. 3. Covered entities must provide proper notification of a security breach to the following: a) impacted Alabama residents, b) the Alabama Attorney General's Office, and c) consumer reporting agencies.
Overview of Law: What is a "breach of security"? The law defines it as the unauthorized acquisition of data in electronic form containing sensitive personally identifying information. The Act only applies to incidents involving 1) electronic records that 2) contain sensitive personally identifying information.
Overview of Law: What is considered "sensitive personally identifying information"? Such sensitive information is defined as an Alabama resident's first name or first initial and last name, in combination with any one of the following: A social security number or tax identification number; A driver's license number or any other unique, government-issued identification number used to verify identity; Any financial account number in combination with access information (i.e. a security code, expiration date, or PIN);
Overview of Law: "Sensitive personally identifying information", continued: Any information regarding a person's medical, mental or physical history, condition or treatment; A person's health insurance policy number or subscriber identification number and unique identifier; A username or email address, in combination with a password or security question and answer.
QUESTION 1 DOES YOUR COUNTY HAVE ANY WRITTEN POLICIES OR PROCEDURES IN PLACE RELATED TO CYBERSECURITY? YES or NO
QUESTION 2 WHICH DEPARTMENT(S) MAINTAIN SENSITIVE PERSONALLY IDENTIFYING INFORMATION IN ELECTRONIC FORM? ______________________________
Sensitive Personally Identifying Information: Alabama resident's first name or first initial and last name, combined with: SSN or TIN; DL or other gov't ID #; Financial account # + security code, expiration date, PIN, etc.; Medical history, mental/physical condition, medical treatment or diagnosis; Health insurance policy # or subscriber number + unique identifier; User name or email + password or security question/answer.
Reasonable Security Measures All covered entities must take measured action to prevent a data breach by implementing and maintaining reasonable security measures to protect all sensitive information in their possession. The law includes a number of requirements to help covered entities identify internal and external risks to sensitive information before a data breach ever takes place.
Reasonable Security Measures Counties must consider taking the following actions to ensure their security measures meet the reasonable standard in the law: 1. Designating an employee(s) to coordinate security measures to protect against a potential breach 2. Identifying internal and external risks of security breach 3. Adopting and regularly assessing information safeguards to address identified risks of security breach
Reasonable Security Measures Continued: 4. Retaining any service providers that are contractually obligated to maintain appropriate safeguards for sensitive information 5. Evaluating and adjusting security measures to account for changes that could affect the security of sensitive information 6. Keeping management informed on the overall status of the entity's security measures. However, even with consideration of these factors, what actually constitutes reasonable security measures will vary from county to county.
Reasonable Security Measures Whether a covered entity has instituted reasonable security measures will be assessed as a whole, with an emphasis on data security failures that are multiple or systemic, considering: 1) the size of the county, 2) the amount of sensitive personally identifying information on file with the county and the county's use of the information, and 3) the cost of implementing and maintaining reasonable security measures relative to the county's available resources.
QUESTION 3 DOES YOUR COUNTY RETAIN ANY SERVICE PROVIDERS OR THIRD PARTY ENTITIES THAT MAINTAIN SENSITIVE INFORMATION ON COUNTY RESIDENTS? YES or NO IF YES, DOES THEIR CONTRACT REQUIRE THEM TO MAINTAIN SAFEGUARDS TO PROTECT SUCH INFORMATION? YES or NO
QUESTION 4 APPROXIMATELY HOW MANY PEOPLE DOES YOUR COUNTY EMPLOY? A. Less than 50 B. 51 to 100 C. 100 to 250 D. More than 250* *If more than 250, then how many?_________________
QUESTION 5 WHAT IS THE ESTIMATED POPULATION OF YOUR COUNTY? A. 20,000 or less B. 20,001 to 49,999 C. 50,000 to 99,999 D. 100,000 to 199,999 E. Over 200,000
QUESTION 6 HOW OFTEN IS THE COUNTY COMMISSION UPDATED ON THE COUNTY'S DATA SECURITY PLANS/PROCEDURES? A. Never. B. Rarely, once each fiscal year. C. Sometimes, as the need arises or upon request. D. Regularly, at each commission meeting. E. Other (please specify) __________________________________________________
Conducting a Prompt Investigation Even a county with the best-laid security plan could find itself at the center of a data breach. If a county determines that a breach of sensitive information has occurred, or is even likely to occur, the law requires it to conduct a good faith and prompt investigation of the matter.
Conducting a Prompt Investigation The investigation should include the following actions: An assessment of the nature and scope of the breach; Identification of any sensitive information that may have been involved in the breach, and the identity of the persons to whom it relates; A determination of whether the sensitive information has been, or is believed to have been, acquired by an unauthorized person, and is likely to cause harm to the individual to whom it relates; Identification and implementation of measures to restore the security and confidentiality of the compromised systems.
QUESTION 7 DOES YOUR COUNTY CURRENTLY HAVE A DESIGNATED EMPLOYEE(S) TO HANDLE BREACHES OF SENSITIVE DATA? A. Yes, we have a designated employee to spearhead our response to a data breach. B. Yes, we have a designated department to spearhead our response to a data breach. C. No, we do not have a designated person or department to spearhead our response to a data breach. D. Other (please specify) ______________________________________________________
QUESTION 8 DOES YOUR COUNTY HAVE A PROCEDURE IN PLACE FOR THE INVESTIGATION OF AN ACTUAL OR SUSPECTED DATA BREACH? YES or NO
Notification Requirements The notification component of the law is arguably the most important, and most cumbersome, part of the law. The notification obligations under the law are triggered only when the investigation indicates that sensitive information has been (or is believed to have been) acquired by an unauthorized person and is likely to cause substantial harm to the individuals who are the subject of the information.
Notification Requirements There is no standard in the law for determining if a breach is likely to cause substantial harm to the individuals who are the subject of the information. The law leaves it up to the covered entity to make a determination of whether notice is required. If a county determines that the notice requirement is not triggered, then it must document that determination in writing and maintain records related to the decision for at least five years.
Notification Requirements If the county's investigation indicates that the notice requirements have been met, then all individuals affected by a data breach must be directly notified in writing as quickly as possible, but no later than 45 days after making the determination that notice is required or receiving notice from a third-party agent that a breach has occurred.
Notification Requirement The law requires the notification to be sent to the mailing address or email address the county has on file for the individual, and to include the following information: The date, or estimated date, of the breach; A description of the sensitive information that was acquired in the breach; A general description of the actions taken by the county to restore the security and confidentiality of the personal information subject to the breach; A general description of the steps affected individuals can take to protect themselves from identity theft; Contact information for the county's point of contact related to the breach.
Notification Requirement The law permits covered entities to give substitute notice in lieu of direct notice if at least one of the following circumstances is met: The cost of providing direct notice would exceed $500,000 or is an excessive amount relative to the resources of the covered entity; There is insufficient contact information for the individuals requiring notification; or Over 100,000 people were affected by the data breach.
Notification Requirement Substitute notice, when allowable, can be satisfied by placing it in a conspicuous location on the county's website, if available, for 30 days, or through print and broadcast media outlets. The law also provides that, with approval from the Attorney General's Office, alternative forms of substitute notice may be permitted.
QUESTION 9 BASED ON YOUR COUNTY'S CURRENT RESOURCES, WHAT WOULD BE THE MOST EFFICIENT WAY TO NOTIFY RESIDENTS IN THE EVENT OF AN ACTUAL OR SUSPECTED DATA BREACH? A. U.S. Mail B. Email C. Via the county website D. Local newspaper E. Other (please specify) ________________________________________________
Notification Requirement If a data breach impacts more than 1,000 people, the law requires the county to notify the Attorney General no later than 45 days after making the determination that notice is required or receiving notice from a third-party agent that a breach has occurred. Any information provided to the Attorney General that is marked as being confidential will not be subject to any requests under the open records or freedom of information laws.
Notification Requirement The law requires covered entities to provide the Attorney General with: A summary of the events surrounding the breach; The estimated number of Alabama residents impacted by the breach; A list of any free services the entity is offering to individuals affected by the breach along with instructions on how to use the services; and The contact information of the designated employee from whom additional information may be obtained about the breach.
Notification Requirement If a third-party agent experiences a security breach in its system, the agent must notify the county about the breach no later than 10 days following the determination or reasonable belief that a security breach has occurred. After receiving such notice from the third party, the county (not the agent) is required to meet all of the notice requirements under the law. The agent must provide any information in its possession that will aid the county in meeting the notice requirements.
Violation of Notice Requirements The Act prohibits the Attorney General from bringing civil penalties against government entities for violations of the notification provisions of this law. The law does authorize the Attorney General to bring an action against any state, county or city official or employee in his or her official capacity to accomplish any of the following: Compel performance of his or her duties or ministerial acts under the law; or Enjoin him or her from acting in bad faith or beyond his or her authority under the law.
Violation of Notice Requirements The law requires the Attorney General to submit an annual report to the Governor, Senate Pro Tem, and Speaker of the House describing any reported security breaches of governmental entities or their third-party agents. The report must identify any government entity that violated ANY of the requirements in this law in the preceding year.
Violation of Notice Requirements Entities that are already subject to federal or state rules, regulations, or guidelines that maintain procedures regarding data breach and notification pursuant to those requirements (i.e., financial institutions and healthcare entities) are exempt from the requirements of this Act. Such entities must still provide timely notice to the Attorney General's Office when the breach impacts 1,000 people or more.
Alabama Data Breach Notification Act of 2018: QUESTIONS