Breach Notice Deadlines — Alabama: The 45-Day Rule, AG Triggers, and Vendor 10-Day Hand-Off
What this covers
Alabama’s breach-notification regime applies to any covered entity (business or government entity) that acquires or uses Alabama residents’ sensitive personally identifying information (SPII) in electronic form, and to any third-party agent that maintains SPII for a covered entity. A “breach of security” is an unauthorized acquisition of electronic data containing SPII. SPII generally means a person’s name together with specific identifiers (for example, non-truncated SSN; driver’s license or passport number; financial account number with any required access credential; medical or health insurance identifiers; or a username/email with password or security Q&A). Information that is encrypted, truncated, or otherwise rendered unusable is not SPII unless the encryption key or credential was also compromised. Government entities are subject to the notice rules (with special penalty handling described below).
When notification is required
After a prompt, good-faith investigation, notification is required if SPII was acquired (or is reasonably believed to have been acquired) by an unauthorized person and is reasonably likely to cause substantial harm to affected individuals. Alabama’s statute expressly lists factors entities may use to decide whether acquisition likely occurred (e.g., indications of possession, downloading, use like fraudulent accounts, or public disclosure).
Deadlines at a glance
| Notifier | Recipient | Trigger | Deadline |
|---|---|---|---|
| Covered entity | Impacted individuals (Alabama residents) | Breach likely to cause substantial harm | As expeditiously as possible and without unreasonable delay, and in all cases within 45 days after determination (or after receipt of notice from a third-party agent). |
| Covered entity | Alabama Attorney General | Notice to more than 1,000 Alabama residents | As expeditiously as possible and without unreasonable delay, and in all cases within 45 days after determination (or after third-party notice). |
| Covered entity | Consumer reporting agencies (CRAs) | Notice to more than 1,000 individuals at a single time | Without unreasonable delay (the statute does not set a fixed-day cap) and should include the timing, distribution, and content of the notices. |
| Third-party agent | Covered entity (data owner) | Third-party agent experiences a breach | As expeditiously as possible and without unreasonable delay, but no later than 10 days after determining a breach or having reason to believe one occurred. |
| Covered entity (recordkeeping duty) | Internal file (no external notice) | Decision that notice is not required | Document the determination in writing and retain for at least 5 years. |
| Covered entity (law-enforcement delay) | Individuals/AG/CRAs | Written request from law enforcement that notice would impede investigation or national security | Delay permitted for the time period stated by law enforcement; resume once delay lifted. |
How to count the clock
The 45-day outside limit starts when the covered entity determines a breach meeting the harm threshold has occurred (or when it receives notice from a breached third-party agent). Alabama also requires that notices be sent “as expeditiously as possible and without unreasonable delay,” which means you should not wait until day 45 if you can reasonably notify earlier. When a law-enforcement delay applies, the deadline clock is effectively paused until the written delay ends.
Content and method of individual notices
Individual notices must be written and sent to the person’s last known mailing address, or by email if that is the normal way you communicate with the individual or if the person has agreed to email notices. Telephone notice may be used in narrow circumstances. Alabama also prescribes what the notice should include, such as:
- The date of the notice, and the date or estimated date of the breach.
- A description of the SPII involved in general terms.
- A description of how the covered entity is addressing the breach.
- Advice for the individual on how to protect themselves (e.g., monitoring accounts, credit reports).
- Contact methods for the individual to obtain more information.
If direct notice is not feasible, substitute notice is permitted if: (i) the cost is excessive (including when cost exceeds $500,000 or is excessive relative to the entity’s resources), (ii) contact information is insufficient, or (iii) affected persons exceed 100,000. Substitute notice must include a conspicuous website posting for 30 days and notice in print and broadcast media in areas where affected persons reside (or an alternative method approved by the Attorney General).
What the Attorney General notice must include
If more than 1,000 Alabama residents require notice, the AG notice must be sent within the same timing window and must include: (1) the timing, distribution, and content of the consumer notices; (2) the number of Alabama residents affected; and (3) the name, address, and contact details for a person who can answer questions about the incident. Covered entities may provide supplemental or updated information later if details change.
Consumer reporting agency notifications
When you notify more than 1,000 individuals at a single time, Alabama requires notice to all CRAs that compile nationwide consumer files (as defined by the Fair Credit Reporting Act). This CRA notice should cover the timing, distribution, and content of the individual notices and must be delivered without unreasonable delay. There is no fixed number of days in the statute, so build this into your day-one workplan to avoid a foot-fault while racing to meet the 45-day consumer and AG clocks.
Third-party agents: the 10-day handoff
If a service provider or other third-party agent experiences a breach in systems it maintains for you, it must tell you “as expeditiously as possible and without unreasonable delay,” but in any case no later than 10 days after the agent determines a breach occurred or has reason to believe one occurred. After you receive the agent’s notice, your own 45-day window to notify individuals (and, if applicable, the AG and CRAs) applies. A third-party agent that fails to inform the covered entity can face fines under the statute.
Decision not to notify: mandatory documentation
If your investigation concludes that notice is not required (for example, because the information was encrypted and the key was not compromised, or because there is no reasonable likelihood of substantial harm), Alabama requires you to document that determination in writing and to keep the record for at least five years. Maintain contemporaneous notes describing the factors considered (possession, downloading, evidence of use, public disclosure) and the rationale.
Special situations and exemptions
Encryption and truncation
If SPII is encrypted, truncated, or otherwise rendered unusable, it is generally excluded from the definition of SPII—and thus typically does not trigger notice—unless the encryption key or credential was also breached. This is a practical safe harbor: strong cryptography and good key management reduce your chances of needing to notify.
Entities governed by other breach laws
Alabama exempts entities that are already subject to federal or state breach-notification regimes (for example, HIPAA or GLBA frameworks), provided the entity (i) maintains procedures under those regimes, (ii) provides notice to affected individuals under those regimes, and (iii) sends a copy of the consumer notice to the Alabama Attorney General when the number of notified individuals exceeds 1,000. In other words, if you follow HIPAA or GLBA, you generally meet Alabama’s requirements—but still copy the AG when the 1,000-resident threshold is met.
Government entities
State and local government entities must provide notices like private entities, but they are exempt from civil monetary penalties. The Attorney General may still seek relief to compel performance, stop bad-faith actions, or address mistaken interpretations of the law. The AG must also file an annual report to state leadership summarizing breaches by government entities and compliance status.
Enforcement and penalties
Alabama’s Attorney General has exclusive authority to enforce the notification provisions. Civil penalties for violations of the notification rules may not exceed $500,000 per breach. Separately, a covered entity that violates the notification provisions can be liable for up to $5,000 per day for each consecutive day it fails to take reasonable action to comply. The statute does not create a private right of action, and government entities are exempt from civil penalties (subject to the AG’s non-monetary relief powers described above).
Putting the deadlines into practice
- Day 0–5 (Discovery & Scoping): Launch the investigation. Identify what SPII was involved, which residents are affected, whether the data was acquired, and whether the incident is reasonably likely to cause substantial harm. If a third-party agent is involved, ensure it notifies you within 10 days.
- Day 5–20 (Decision & Drafting): If the harm threshold is met, begin drafting notices for residents and prepare AG and CRA packages (if thresholds are met). If you conclude no notice is required, create and save your written determination (retain for 5 years).
- Day 20–35 (Finalization): Validate mailing/email lists and substitute-notice triggers (>$500k cost, insufficient contact data, >100,000 affected). Coordinate timelines with any law-enforcement written delay.
- By Day 45 (Drop-dead date): Send resident notices (and AG notice if >1,000 residents). Send CRA notice “without unreasonable delay” whenever the >1,000-individual trigger at a single time is met.
- Afterward: Keep records of notices sent and, if you chose not to notify, your written no-notice determination. Consider disposal duties for records no longer needed and update security controls to address root causes.
Conclusion
In Alabama, your breach-notice program should be designed around three clocks: the 45-day outside limit for notifying residents (and the Attorney General when more than 1,000 residents are affected), the “without unreasonable delay” obligation that compels earlier delivery when feasible, and the 10-day handoff from third-party agents to data owners. Layer in CRA notification “without unreasonable delay” when your mailing to individuals hits the 1,000-person threshold at a single time, and maintain thorough written records if you reasonably conclude that notice is not required. If you already operate under HIPAA or GLBA breach rules, following those procedures will generally satisfy Alabama—just remember to copy the AG when you notify more than 1,000 people. Executing to these timelines not only keeps you compliant, it also reduces legal exposure under Alabama’s penalty framework and, more importantly, helps affected people protect themselves quickly.
Quick Guide — Alabama Breach Notice Deadlines (Plain English)
Alabama’s Data Breach Notification Act of 2018 applies to any “covered entity” (businesses, nonprofits, and government entities) that acquires or uses Alabama residents’ sensitive personally identifying information (SPII). If SPII in electronic form is acquired by an unauthorized person and the breach is reasonably likely to cause substantial harm, you must notify affected Alabama residents and, in large events, regulators and consumer reporting agencies. Below is a practical, deadline-first playbook you can run.
- Third-party agent → covered entity (vendor notice): If your vendor experiences the breach, the vendor must notify you as expeditiously as possible and no later than 10 days after determining (or having reason to believe) the breach occurred. Build this into contracts and monitor SLAs.
- Covered entity → affected individuals: Provide notice as expeditiously as possible and without unreasonable delay, and in all cases within 45 days of either (i) your determination that a notifiable breach occurred, or (ii) your receipt of your vendor’s breach notice. The 45-day clock is hard unless law enforcement puts the notice on hold in writing.
- Covered entity → Alabama Attorney General (AG): If you must notify more than 1,000 Alabama residents, send written notice to the AG on the same timeline—within 45 days—including a brief synopsis, estimated victim count, services offered (e.g., credit monitoring), and a contact person.
- Covered entity → nationwide Consumer Reporting Agencies (CRAs): If more than 1,000 people are notified at one time, you must also notify all nationwide CRAs without unreasonable delay of the timing, distribution, and content of your consumer notices.
- Law-enforcement delay: If a state or federal agency says your notices would interfere with an investigation or national security, you must delay until the agency lifts or revises the request (in writing).
- Notice content (to individuals): Include (1) breach date or date range; (2) the categories of SPII acquired; (3) steps you took to secure systems/data; (4) steps consumers can take to protect themselves; and (5) how to contact you.
- How to send notice: Written letter or email using addresses in your records. Substitute notice is allowed if direct notice is not feasible because (a) cost exceeds $500,000, (b) contact data is insufficient, or (c) affected persons exceed 100,000. Substitute notice means a 30-day conspicuous website posting and notice via major print and broadcast media; alternative methods require AG approval.
- No-notice decision: If you conclude no consumer notice is required (e.g., encrypted data with no compromised key), you must document that determination and keep the record for 5 years.
- Penalties: Knowingly violating notice duties can trigger civil penalties under the Alabama Deceptive Trade Practices Act up to $500,000 per breach, plus up to $5,000 per day for each consecutive day you fail to take reasonable action to comply. The AG has exclusive authority to bring actions for damages on behalf of individuals (no private right of action in the statute).
- Exemptions / harmonization: Entities already subject to substantially similar federal (e.g., GLBA, HIPAA) or state breach-notice regimes are exempt if they follow those rules and provide a copy of their consumer notice to the Alabama AG when notifying more than 1,000 individuals.
- Scope & “safe harbor” basics: SPII includes name + one of: SSN/Tax ID, government ID, financial account + auth data, medical or health insurance data, or username/email + password/security answers. Encrypted or otherwise rendered unusable data is generally outside notice unless the encryption key/credential was also compromised.
| Who → Who | Trigger | Deadline | Notes |
|---|---|---|---|
| Third-party agent → Covered entity | Agent determines or reasonably believes breach occurred | No later than 10 days (and expeditiously) | Contract for this; provide details enabling the covered entity to notify |
| Covered entity → Individuals | Breach likely to cause substantial harm | Within 45 days (unless LE delay in writing) | Written or email; include all required content |
| Covered entity → Alabama AG | Consumer notices to 1,000+ Alabama residents | Within 45 days | Include synopsis, counts, services, contact |
| Covered entity → Nationwide CRAs | Consumer notices to 1,000+ at one time | Without unreasonable delay | Provide timing, distribution, and content of consumer notices |
| Covered entity internal record | You decide no notice is required | Retain 5 years | Document your risk assessment and basis |
FAQ — Alabama Breach Notices
- Does the 45-day clock start when we discover the incident or when we confirm a notifiable breach?
It starts when you determine a notifiable breach occurred or when you receive notice from a third-party agent that a breach occurred—whichever comes first. Law enforcement can pause this by written request.
- What if data was encrypted?
If SPII was encrypted or otherwise rendered unusable and the encryption keys or credentials were not compromised, notice is generally not required. Document your analysis.
- What counts as “substantial harm”?
The statute doesn’t exhaustively define it, but indicators include risk of identity theft, fraud, financial loss, medical identity misuse, or account compromise. Use a documented risk-based assessment.
- Can email notice alone satisfy Alabama?
Yes, Alabama expressly allows notice by email (if you maintain an email address for the individual). Keep deliverability evidence. Substitute notice is allowed in limited, defined scenarios.
- Do we have to offer credit monitoring?
Not mandated, but if you offer services, you must describe them in the AG notice. Offering protective services is common when SSNs or account authentication data were involved.
- When do we notify the Alabama AG?
When you notify more than 1,000 residents. Provide the notice within the 45-day window with the required elements (synopsis, estimated count, services, contact person).
- Do we have to notify the nationwide CRAs?
Yes, if you notify more than 1,000 individuals at one time. Notify CRAs without unreasonable delay about the timing, distribution, and content of the consumer notices.
- What if our vendor was breached?
The vendor must notify you within 10 days of determining the breach (and expeditiously). You, as the covered entity, still have the duty to make the consumer/AG/CRA notices.
- Is there a private right of action?
The statute does not create a private right of action. The Alabama Attorney General has exclusive authority to seek penalties and representative damages.
- What are the penalties for missing deadlines?
Up to $500,000 per breach under the ADTPA cap for knowing violations, plus up to $5,000 per day for each day you fail to take reasonable action to comply. A timely, well-documented response matters.
Legal Basis & Technical Sources (Alabama)
- Definitions, SPII, and encryption safe harbor: Ala. Code § 8-38-2 — https://law.justia.com/codes/alabama/title-8/chapter-38/section-8-38-2/
- Consumer notice deadline (45 days), content, substitute notice, and 5-year retention: Ala. Code § 8-38-5 — https://law.justia.com/codes/alabama/title-8/chapter-38/section-8-38-5/
- AG notice threshold (1,000+) and 45-day deadline: Ala. Code § 8-38-6 — https://law.justia.com/codes/alabama/title-8/chapter-38/section-8-38-6/
- CRA notice (1,000+ at one time): Ala. Code § 8-38-7 — https://law.justia.com/codes/alabama/title-8/chapter-38/section-8-38-7/
- Third-party agent (vendor) 10-day notice to covered entity: Ala. Code § 8-38-8 — https://law.justia.com/codes/alabama/title-8/chapter-38/section-8-38-8/
- Penalties and AG enforcement (no private right of action): Ala. Code § 8-38-9 — https://law.justia.com/codes/alabama/title-8/chapter-38/section-8-38-9/
- Federal and state law exemptions (e.g., GLBA/HIPAA harmonization): Ala. Code §§ 8-38-11, 8-38-12 — https://law.justia.com/codes/alabama/title-8/chapter-38/section-8-38-11/ and https://law.justia.com/codes/alabama/title-8/chapter-38/section-8-38-12/
- Session Law (enrolled Act for penalties and structure): Act 2018-396 (SB 318) — https://www.alabamaag.gov/wp-content/uploads/2023/08/Act-2018-396.pdf
Disclaimer: This information is for general educational purposes and does not constitute legal advice. It does not create an attorney-client relationship, and it is not a substitute for advice from a licensed attorney who can assess your specific facts.