With the introduction of bill S.B. 106, Alabama is set to become the 48th state to enact data breach legislation. The bill would require Alabama residents to be notified if their personal information has been compromised.
The proposed legislation has new definitions of what would be considered personal information, which sets it apart from other states' breach legislation. In addition to traditional definitions of personal information such as name, social security number and state identification number, the Alabama legislation's definition includes:
“Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.”
Additionally, the proposed law would require that organizations not retain credit and debit card security code data, PINs, or the full contents of any magnetic stripe information. Businesses that do suffer a payment card data breach would be required to “reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.” More on the proposed legislation can be found here.