Alabama Data Breach Notification Act for County Governments

Morgan Arrington, General Counsel

Association of County Commissions of Alabama

•

•

–

All county governments;

–

All departments of county government;

–

All instrumentalities of the county; and

–

All third-party agents of the county…

…that maintain electronic records containing sensitive

information about Alabama residents.

While the nuances of the law are extensive, it includes

three basic requirements:

1.

2.

3.

’

“

”

–

“

”

“

”

’

•

A social security number or tax identification number;

•

A driver’s license number or any other unique, government-issued

identification number used to verify identity;

•

Any financial account number in combination with access information (i.e. a

security code, expiration date, or PIN);

“

”

•

Any information regarding a person’s medical, mental or physical history,

condition or treatment;

•

A person’s health insurance policy number or subscriber identification

number and unique identifier;

•

A username or email address, in combination with a password or security

question and answer.

“

”

•

SSN or TIN

•

DL or other gov’t ID #

•

Financial account # + security code,

expiration date, PIN, etc.

•

Medical history, mental/physical condition,

medical treatment or diagnosis

•

Health insurance policy # or subscriber

number + unique identifier

•

User name or email + password or security

question/answer

’

“

”

•

“

”

•

“

”

Counties must consider taking the following actions to

ensure their security measures meet the “reasonable”

standard in the law:

1.

Designating an employee(s) to coordinate security

measures to protect against a potential breach

2.

Identifying internal and external risks of security breach

3.

Adopting and regularly assessing information safeguards

to address identified risks of security breach

“

”

4.

Retaining any service providers that are contractually obligated to

maintain appropriate safeguards for sensitive information

5.

Evaluating and adjusting security measures to account for changes

that could affect the security of sensitive information

6.

Keeping management informed on the overall status of the entities

security measures.

However, even with consideration of these factors, what actually constitutes

“reasonable” security measures will vary from county to county.

“

”

“

”

1)

the size of the county,

2)

the amount of sensitive personally identifying information on file

with the county, and the county’s use of the information, and

3)

the cost of implementing and maintaining reasonable security

measures relative to the county’s available resources

“

”

“

”

A.

Less than 50

B.

51 to 100

C.

100 to 250

D.

More than 250*

*If more than 250, then how many?_________________

B.

          20,001 to 49,999

C.

          50,000 to 99,999

D.

          100,000 to 199,999

E.

          Over 200,000

’

B.

Rarely, once each fiscal year.

C.

Sometimes, as the need arises or upon request.

D.

Regularly, at each commission meeting.

E.

Other (please specify)

__________________________________________________

•

Even a county with the best-laid security plan could find

itself at the center of a data breach.

•

“

”

•

An assessment of the nature and scope of the breach

•

Identification of any sensitive information that may have been involved in

the breach, and the identity of the persons to whom it relates

•

A determination of whether the sensitive information has been, or is

believed to have been, acquired by an unauthorized person,  and is likely to

cause harm to the individual to whom it relates

•

Identification and implementation of measure to restore the security and

confidentiality of the compromised systems.

B.

C.

No, we do not have a designated person or department to spearhead

our response to a data breach.

D.

Other (please specify)

______________________________________________________

•

The notification component of the law is arguably the most

important, and most cumbersome part of the law.

•

–

The law leaves it up to the covered entity to make a

determination of whether notice is required.

–

•

’

–

•

The date, or estimated date of the breach

•

A description of the sensitive information that was acquired from the breach

•

A general description of the actions taken by the county to restore the

security and confidentiality of the personal information subject to the breach

•

A general description of the steps affected individuals can take to protect

themselves from identity theft

•

Contact information for the county’s point of contact related to the breach

•

The cost of providing direct notice would exceed $500,000

or is an excessive amount relative to the resources of the

covered entity;

•

There is insufficient contact information for the individuals

requiring notification; or

•

Over 100,000 people were affected by the data breach.

•

’

•

The law also provides that, with approval from the

Attorney General’s Office, alternative forms of substitute

notice may be permitted.

’

A.

U.S. Mail

B.

Email

C.

Via the county website

D.

Local newspaper

E.

Other (please specify)

________________________________________________

•

•

Any information provided to the Attorney General that is

marked as being confidential will not be subject to any

requests under the open records or freedom of

information laws.

–

A summary of the events surrounding the breach;

–

The estimated number of Alabama residents impacted by the breach;

–

A list of any free services the entity is offering to individuals affected by

the breach along with instructions on how to use the services; and

–

The contact information of the designated employee from whom

additional information may be obtained about the breach.

•

•

–

The agent must provide any information in its possession that will aid

the county in meeting the notice requirements.

The Act prohibits the Attorney General from bringing civil

penalties against government entities for violations of the

notification provisions of this law.

•

Compel performance of his or her duties or ministerial acts under the law; or

•

Enjoin him or her from acting in bad faith or beyond his or her authority

under the law.

•

The law requires the Attorney General to submit an annual

report to the Governor, Senate Pro Tem, and Speaker of

the House describing any reported security breaches of

governmental entities or their third-party agents.

•

•

Entities that are already subject to federal or state rules,

regulations, or guidelines that maintain procedures

regarding data breach and notification pursuant to those

requirements (i.e., financial institutions and healthcare

entities) are exempt from the requirements of this Act.

•

Such entities must still provide timely notice to the Attorney

General’s Office when the breach impacts 1,000 people or

more.

Slide Note

Embed Share

Download

Alabama's Data Breach Notification Act requires all county governments and related entities to comply with specific security measures to protect sensitive information of residents. The law mandates prompt investigation and notification in case of a breach, defining what constitutes a breach and sensitive personally identifying information. This overview provides essential details and requirements for counties to understand and implement the law effectively.

cromartie_l Follow

Uploaded on Sep 14, 2024 | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

Alabama Data Breach Notification Act: What County Governments Need to Know Morgan Arrington, General Counsel Association of County Commissions of Alabama www.alabamacounties.org

Overview of Law: Alabama recently became the 50th state to enact a data breach notification law. Act 2018-396 will go into effect on June 1, 2018 Includes several requirements that covered entities are expected to assess and implement in a very short time frame. www.alabamacounties.org

Overview of Law: Who needs to be in compliance with this law? All county governments; All departments of county government; All instrumentalities of the county; and All third-party agents of the county that maintain electronic records containing sensitive information about Alabama residents. www.alabamacounties.org

Overview of Law: While the nuances of the law are extensive, it includes three basic requirements: 1. Covered entities and their third-party service providers are required to implement and maintain reasonable security measures to protect sensitive information Covered entities must conduct a prompt investigation upon the discovery of a possible security breach. Covered entities must provide proper notification of a security breach to the following: a) impacted Alabama residents, b) the Alabama Attorney General s Office, and c) consumer reporting agencies. 2. 3. www.alabamacounties.org

Overview of Law: What is a breach of security ? The law defines it as the unauthorized acquisition of data in electronic form containing sensitive personally identifying information. The Act only applies to incidents involving 1) electronic records that 2) contain sensitive personally identifying information. www.alabamacounties.org

Overview of Law: What is considered sensitive personally identifying information ? Such sensitive is defined as an Alabama resident s first name or first initial and last name, in combination with any one of the following: A social security number or tax identification number; A driver s license number or any other unique, government-issued identification number used to verify identity; Any financial account number in combination with access information (i.e. a security code, expiration date, or PIN); www.alabamacounties.org

Overview of Law: Sensitive personally identifying information , continued: Any information regarding a person s medical, mental or physical history, condition or treatment; A person s health insurance policy number or subscriber identification number and unique identifier; A username or email address, in combination with a password or security question and answer. www.alabamacounties.org

QUESTION 1 DOES YOUR COUNTY HAVE ANY WRITTEN POLICIES OR PROCEDURES IN PLACE RELATED TO CYBERSECURITY? YES or NO www.alabamacounties.org

QUESTION 2 WHICH DEPARTMENT(S) MAINTAIN SENSITIVE PERSONALLY IDENTIFYING INFORMATION IN ELECTRONIC FORM? ___________________________ ______________________________________________ ______________________________________________ ______________________________________________ ______________________________________________ ______________________________________________ ______________________________________________ _____________________________________________ www.alabamacounties.org

Sensitive Personally Identifying Information SSN or TIN DL or other gov t ID # Financial account # + security code, expiration date, PIN, etc. Medical history, mental/physical condition, medical treatment or diagnosis Health insurance policy # or subscriber number + unique identifier User name or email + password or security question/answer Alabama resident s first name or first initial and last name www.alabamacounties.org

Reasonable Security Measures All covered entities must take measured action to prevent a data breach by implementing and maintaining reasonable security measures to protect all sensitive information in their possession. The law includes a number of requirements to help covered entities identify internal and external risks to sensitive information before a data breach ever takes place. www.alabamacounties.org

Reasonable Security Measures Counties must consider taking the following actions to ensure their security measures meet the reasonable standard in the law: 1. Designating an employee(s) to coordinate security measures to protect against a potential breach 2. Identifying internal and external risks of security breach 3. Adopting and regularly assessing information safeguards to address identified risks of security breach www.alabamacounties.org

Reasonable Security Measures Continued: 4. Retaining any service providers that are contractually obligated to maintain appropriate safeguards for sensitive information 5. Evaluating and adjusting security measures to account for changes that could affect the security of sensitive information 6. Keeping management informed on the overall status of the entities security measures. However, even with consideration of these factors, what actually constitutes reasonable security measures will vary from county to county. www.alabamacounties.org

Reasonable Security Measures Whether a covered entity has instituted reasonable security measures will be assessed as follows: 1) 2) the size of the county, the amount of sensitive personally identifying information on file with the county, and the county s use of the information, and the cost of implementing and maintaining reasonable security measures relative to the county s available resources. 3) as a whole with an emphasis on data security failures that are multiple or systemic www.alabamacounties.org

QUESTION 3 DOES YOUR COUNTY RETAIN ANY SERVICE PROVIDERS OR THIRD PARTY ENTITIES THAT MAINTAIN SENSITIVE INFORMATION ON COUNTY RESIDENTS? YES or NO IF YES, DOES THEIR CONTRACT REQUIRE THEM TO MAINTAIN SAFEGUARDS TO PROTECT SUCH INFORMATION? YES or NO www.alabamacounties.org

QUESTION 4 APPROXIMATELY HOW MANY PEOPLE DOES YOUR COUNTY EMPLOY? A. Less than 50 B. 51 to 100 C. 100 to 250 D. More than 250* *If more than 250, then how many?_________________ www.alabamacounties.org

QUESTION 5 WHAT IS THE ESTIMATED POPULATION OF YOUR COUNTY? A. 20,000 or less B. 20,001 to 49,999 C. 50,000 to 99,999 D. 100,000 to 199,999 E. Over 200,000 www.alabamacounties.org

QUESTION 6 HOW OFTEN IS THE COUNTY COMMISSION UPDATED ON THE COUNTY S DATA SECURITY PLANS/PROCEDURES? A. Never. B. Rarely, once each fiscal year. C. Sometimes, as the need arises or upon request. D. Regularly, at each commission meeting. E. Other (please specify) __________________________________________________ www.alabamacounties.org

Conducting a Prompt Investigation Even a county with the best-laid security plan could find itself at the center of a data breach. If a county determines that a breach of sensitive information has occurred, or is even likely to occur, the law requires it to conduct a good faith and prompt investigation of the matter. www.alabamacounties.org

Conducting a Prompt Investigation The investigation should include the following actions: An assessment of the nature and scope of the breach Identification of any sensitive information that may have been involved in the breach, and the identity of the persons to whom it relates A determination of whether the sensitive information has been, or is believed to have been, acquired by an unauthorized person, and is likely to cause harm to the individual to whom it relates Identification and implementation of measure to restore the security and confidentiality of the compromised systems. www.alabamacounties.org

QUESTION 7 DOES YOUR COUNTY CURRENTLY HAVE A DESIGNATED EMPLOYEE(S) TO HANDLE BREACHES OF SENSITIVE DATA? A. Yes, we have a designated employee to spearhead our response to a data breach. B. Yes, we have a designated department to spearhead our response to a data breach. C. No, we do not have a designated person or department to spearhead our response to a data breach. D. Other (please specify) ______________________________________________________ www.alabamacounties.org

QUESTION 8 DOES YOUR COUNTY HAVE A PROCEDURE IN PLACE FOR THE INVESTIGATION OF AN ACTUAL OR SUSPECTED DATA BREACH? YES or NO www.alabamacounties.org

Notification Requirements The notification component of the law is arguably the most important, and most cumbersome part of the law. The notification obligations under the law are triggered only when the investigation indicates that sensitive information has been (or is believed to have been) acquired by an unauthorized person and is likely to cause substantial harm to the individuals who the subject of the information. www.alabamacounties.org

Notification Requirements There is no standard in the law for determining if a breach is likely to cause substantial harm to the individuals who are the subject of the information. The law leaves it up to the covered entity to make a determination of whether notice is required. If a county determines that the notice requirement is not triggered, then it must document that determination in writing and maintain records related to the decision for at least five years. www.alabamacounties.org

Notification Requirements If the county s investigation indicates that that the notice requirements have been met, then all individuals affected by a data breach must be directly notified in writing as quickly as possible but no later than 45 days after making the determination that notice is required or receiving notice of from a third-party agent that a breach has occurred. www.alabamacounties.org

Notification Requirement The law requires the notification be sent to mailing address or email address the county has on file for the individual, and to include the following information: The date, or estimated date of the breach A description of the sensitive information that was acquired from the breach A general description of the actions taken by the county to restore the security and confidentiality of the personal information subject to the breach A general description of the steps affected individuals can take to protect themselves from identity theft Contact information for the county s point of contact related to the breach www.alabamacounties.org

Notification Requirement The law permits covered entities to give substitute notice in lieu of direct notice if at least one of the following circumstances are met: The cost of providing direct notice would exceed $500,000 or is an excessive amount relative to the resources of the covered entity; There is insufficient contact information for the individuals requiring notification; or Over 100,000 people were affected by the data breach. www.alabamacounties.org

Notification Requirement Substitute notice, when allowable,can be satisfied by placing it in a conspicuous location on county s website, if available, for 30 days or through print and broadcast media outlets. The law also provides that, with approval from the Attorney General s Office, alternative forms of substitute notice may be permitted. www.alabamacounties.org

QUESTION 9 BASED ON YOUR COUNTY S CURRENT RESOURCES, WHAT WOULD BE THE MOST EFFICIENT WAY TO NOTIFY RESIDENTS, IN THE EVENT OF AN ACTUAL OR SUSPECTED DATA BREACH? A. U.S. Mail B. Email C. Via the county website D. Local newspaper E. Other (please specify) ________________________________________________ www.alabamacounties.org

Notification Requirement If a data breach impacts more than 1,000 people, the law requires the county to notify the Attorney General no later than 45 days after making the determination that notice is required or receiving notice of from a third-party agent that a breach has occurred. Any information provided to the Attorney General that is marked as being confidential will not be subject to any requests under the open records or freedom of information laws. www.alabamacounties.org

Notification Requirement The law requires covered entities to provide the Attorney General with: A summary of the events surrounding the breach; The estimated number of Alabama residents impacted by the breach; A list of any free services the entity is offering to individuals affected by the breach along with instructions on how to use the services; and The contact information of the designated employee from whom additional information may be obtained about the breach. www.alabamacounties.org

Notification Requirement If a third-party agent experiences a security breach in its system, the agent must notify the county about the breach no later than 10 days following the determination or reasonable belief that a security breach has occurred. After receiving such notice from the third-party, the county (not the agent) is required to meet all of the notice requirements under the law; The agent must provide any information in its possession that will aid the county in meeting the notice requirements. www.alabamacounties.org

Violation of Notice Requirements The Act prohibits the Attorney General from bringing civil penalties against government entities for violations of the notification provisions of this law. The law does authorize the Attorney General to bring an action against any state, county or city official or employee in his or her official capacity to accomplish any of the following: Compel performance of his or her duties or ministerial acts under the law; or Enjoin him or her from acting in bad faith or beyond his or her authority under the law. www.alabamacounties.org

Violation of Notice Requirements The law requires the Attorney General to submit an annual report to the Governor, Senate Pro Tem, and Speaker of the House describing any reported security breaches of governmental entities or their third-party agents. The report must identify any government entity that violated ANY of the requirements in this law in the preceding year. www.alabamacounties.org

Violation of Notice Requirements Entities that are already subject to federal or state rules, regulations, or guidelines that maintain procedures regarding data breach and notification pursuant to those requirements (i.e., financial institutions and healthcare entities) are exempt from the requirements of this Act. Such entities must still provide timely notice to the Attorney General s Office when the breach impacts 1,000 people or more. www.alabamacounties.org