MONTGOMERY, AL (WSFA) - Alabama business owners are now responsible for notifying clients and employees if their “sensitive personally identifying information” was breached.
Alabama joins 49 other states after lawmakers passed the Alabama Data Breach Notification Act that went into effect June 1.
Businesses will need to notify Alabama residents of a breach of security if two conditions are met:
- Sensitive personally identifying information is believed to have been acquired by an unauthorized individual.
- Is reasonably likely to cause substantial harm to the individuals.
The business must tell Alabamians affected no later than 45 days after determining that a breach has occurred. If the breach involves more than 1,000 individuals, then the business must notify the Alabama Attorney General.
Sensitive personally identifying information includes:
- A non-truncated Social Security number or tax identification number
- A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number issued on a government document used to verify the identity of a specific individual
- A financial account number, bank account number, credit card number
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- An individual’s health insurance policy number
- A user name or email address, in combination with a password or security question and answer that would allow access to it
The National Retail Federation shared where breaches happen.
There are many small business owners who might not need to worry as much because they do not carry all of that personal information. Instead, they hire other businesses to handle payroll and other procedures that may use that personal information.
“You don’t want somebody’s information if it’s not yours, even though they are an employee,” said Jimmy Watson, the owner of Sanitech Janitorial Services.
Watson allows another company called Lotus HR to help with payroll and that company keeps his employee’s private information secure.
“It may be employee background checks. It could be employee hiring. It could be employee benefits. What can they put less on their plate to run their business every day?" said Alabama NFIB Director Rosemary Elebash. “Many of them have outsourced those types of procedures that they use in their business."
This allows the business owner to focus on their job.
“I go out and visit customers. I go out and do sales," Watson said. “I do what I do and let them do what they do.”
“Small business owners just want to operate their business and look for new customers and look for new products. So that was one of those areas of the business that they could actually outsource."
If a business knowingly does violates this act, there could be civil penalties that will not exceed $500,000 per breach. The business could also be liable for a civil penalty of no more than $5,000 per day for each consecutive day that they did not let someone know.