Alabama Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Alabama was the last state in the country to enact a data breach notification law. Governor Kay Ivey signed the Data Breach Notification Act of 2018 (Act 2018-396) on March 28, 2018, with an effective date of June 1, 2018. The law is codified at Ala. Code 8-38-1 through 8-38-12.
For a broader overview of the state's privacy framework, see the parent guide to [Alabama Data Privacy Laws](/us-laws/data-privacy-laws/alabama-data-privacy-laws).
The act requires businesses, government agencies, and other entities that handle sensitive personal information of Alabama residents to investigate potential breaches, notify affected individuals, and report large-scale incidents to the Attorney General.
Who Must Comply With the Alabama Data Breach Notification Act
The law applies to any "covered entity," which Ala. Code 8-38-2 defines broadly. It includes any person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.
Third-party agents, meaning entities that have been contracted to maintain, store, or process data on behalf of a covered entity, are also subject to the law. They must notify the covered entity within 10 days of discovering a breach, per Ala. Code 8-38-8.
What Information Triggers Notification
Alabama's law protects "sensitive personally identifying information" (SPII). Under Ala. Code 8-38-2, SPII means an Alabama resident's first name or first initial and last name combined with one or more of the following data elements:
- Non-truncated Social Security number or tax identification number
- Non-truncated driver's license number, state-issued ID number, passport number, military ID number, or other unique government-issued identification number
- Financial account number, credit card number, or debit card number combined with any security code, access code, password, expiration date, or PIN needed to access the account
- Medical information, defined as any information about an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
- Health insurance policy number or subscriber identification number, along with any unique identifier used by a health insurer to identify the individual
- Username or email address combined with a password or security question and answer that would allow access to an online account reasonably likely to contain SPII
The law only applies to data in electronic form. Paper records are not covered by the notification requirements.
How Alabama Defines a Data Breach
Under Ala. Code 8-38-2, a "breach of security" means the unauthorized acquisition of data in electronic form containing SPII. Multiple unauthorized acquisitions by the same entity over a period of time count as a single breach.
The definition excludes three categories of events:
- Good faith acquisition of data by an employee or agent of a covered entity, as long as the information is not used for an unrelated purpose or subject to further unauthorized disclosure
- Release of public records not otherwise subject to confidentiality requirements
- Lawful investigative, protective, or intelligence activity by law enforcement or intelligence agencies
The Substantial Harm Threshold
Alabama's notification requirement includes a threshold that many other states lack. Under Ala. Code 8-38-4, notification is only required when the covered entity determines, after a good-faith and prompt investigation, that the breach is "reasonably likely to cause substantial harm" to affected individuals.
This means not every technical breach triggers a notification obligation. The covered entity must assess factors including:
- Whether the information is in the physical possession and control of an unauthorized person (for example, a lost or stolen device)
- Whether the information has been downloaded or copied
- Whether the information was used by an unauthorized person, such as through fraudulent accounts or reported identity theft
If the entity concludes after a good-faith investigation that substantial harm is unlikely, it may choose not to notify. However, the entity must document this determination in writing and keep the documentation for at least five years.
Investigation Requirements Before Notification
When a covered entity determines that a breach has or may have occurred, Ala. Code 8-38-4 requires a good-faith and prompt investigation that covers four areas:
- Assessing the nature and scope of the breach
- Identifying the SPII involved and the individuals to whom it relates
- Determining whether the data was acquired or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm
- Implementing measures to restore the security and confidentiality of the compromised systems
Notification Timeline and Methods
Once a covered entity determines that notification is required, Ala. Code 8-38-5 mandates that notice be provided "as expeditiously as possible and without unreasonable delay," but no later than 45 days after the entity's determination or receipt of notice from a third-party agent.
Notification may be delivered through:
- Written notice sent to the individual's mailing address on file
- Email notice sent to the individual's email address on file

What Must Be Included in the Notice
Every breach notification letter must contain, at minimum:
- The date, estimated date, or estimated date range of the breach
- A description of the types of SPII acquired by the unauthorized person
- A general description of the actions the covered entity has taken to restore security and confidentiality
- A general description of steps the affected individual can take to protect themselves from identity theft
- Contact information (including a way to reach the covered entity for additional questions about the breach)
Substitute Notice
A covered entity may use substitute notice instead of direct notification when any of the following conditions apply, per Ala. Code 8-38-5:
- The cost of direct notice exceeds $500,000
- The affected class exceeds 100,000 individuals
- The entity lacks sufficient contact information for the individuals
Substitute notice requires posting a conspicuous notice on the entity's website for at least 30 days and providing notice through print and broadcast media in both urban and rural areas where affected individuals reside.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines in writing that notice would impede a criminal investigation or jeopardize national security. Once the agency lifts the written request, the 45-day notification clock resumes.
Attorney General Notification Requirements
Under Ala. Code 8-38-6, if a breach affects more than 1,000 Alabama residents, the covered entity must also provide written notice to the Alabama Attorney General within the same 45-day window.
The AG notification must include:
- A synopsis of the events surrounding the breach at the time notice is given
- The approximate number of affected Alabama residents
- Any free services the entity is offering to affected individuals, along with instructions for using those services
- The name, address, telephone number, and email address of a contact person at the covered entity
The entity may submit supplemental or updated information to the AG at any time. Information marked as confidential that is submitted to the AG is not subject to Alabama's open records laws.
The AG's office provides a Data Breach Notification Form online. Supplemental documentation for previously reported breaches can be sent to ConsumerInterest@AlabamaAG.gov.

Consumer Reporting Agency Notification
When a breach affects more than 1,000 individuals, Ala. Code 8-38-7 also requires the covered entity to notify consumer reporting agencies. The entity must provide notice of the timing, distribution, and content of the notifications sent to affected individuals.
Required Security Measures
Alabama's law goes beyond notification. Ala. Code 8-38-3 requires every covered entity and third-party agent to implement and maintain "reasonable security measures" to protect SPII. These measures must be practicable given the entity's resources and must include:
- Designating an employee or employees to coordinate security measures (an owner or manager may serve in this role)
- Identifying internal and external risks of a breach and adopting appropriate safeguards
- Retaining service providers that are contractually required to maintain appropriate safeguards
- Evaluating and adjusting security measures as circumstances change
The law does not prescribe specific technical controls. Instead, it uses a reasonableness standard that accounts for the entity's cost of implementation relative to its available resources.
Record Disposal Requirements
Ala. Code 8-38-10 requires covered entities and third-party agents to take reasonable measures to dispose of records containing SPII when those records are no longer needed for business or legal purposes. Acceptable disposal methods include shredding, erasing, or otherwise modifying the information to make it unreadable through any reasonable means consistent with industry standards.
Encryption Safe Harbor
Alabama's law includes an encryption safe harbor. If SPII was encrypted, secured, or otherwise rendered unreadable or unusable, no notification is required. However, this protection does not apply if the covered entity knows or has reason to know that the encryption key or security credential was compromised along with the protected data.
Penalties for Noncompliance
Violations of Alabama's breach notification law are treated as unlawful trade practices under the Alabama Deceptive Trade Practices Act (Ala. Code Chapter 19), per Ala. Code 8-38-9. This means:
- Civil penalties of up to $5,000 per day for each consecutive day a covered entity fails to take reasonable action to comply with notification requirements
- A maximum cap of $500,000 per breach
- The Attorney General has exclusive authority to bring enforcement actions for civil penalties
- The AG may also bring actions for actual damages on behalf of affected individuals, plus reasonable attorney's fees and costs

Violations do not constitute criminal offenses under the Deceptive Trade Practices Act, and there is no private right of action. Alabama residents cannot individually sue for breach notification failures.
Federal and State Exemptions
HIPAA-Covered Entities
Under Ala. Code 8-38-11, entities regulated by federal data breach notification laws (including HIPAA) are exempt from the Alabama statute, provided they maintain procedures under the applicable federal authority, provide notice as required by federal law, and timely notify the Alabama AG when more than 1,000 residents are affected.
State-Regulated Entities
Ala. Code 8-38-12 provides a similar exemption for entities subject to state laws with breach notification requirements that are at least as thorough as the Alabama act. These entities must comply with the applicable state requirements and notify the AG when breaches exceed the 1,000-resident threshold.
Financial Institutions
Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) are also exempt if they comply with applicable federal breach notification requirements and meet the AG notification threshold.
AG Enforcement in Practice
Alabama has participated in multistate data breach enforcement actions since the law took effect. In October 2023, Attorney General Steve Marshall announced a $49.5 million settlement with Blackbaud, a cloud software company whose 2020 data breach exposed sensitive information from more than 13,000 customers nationwide, including nonprofits, schools, and healthcare entities. Alabama received $1.6 million from the settlement. The action alleged that Blackbaud failed to implement reasonable security measures, delayed notification, and misrepresented the scope of the breach to affected customers.
Sources and References
This article references the Alabama Data Breach Notification Act of 2018 (Ala. Code 8-38-1 through 8-38-12). For the full statutory text, visit the Alabama Legislature website. For information about filing a breach notification or a consumer complaint, visit the Alabama Attorney General's Data Breach Notification page.
- Alabama Data Breach Notification Act of 2018 (alabamaag.gov)
- Act 2018-396 Full Text (alabamaag.gov)
- AG Marshall Announces Final Passage of Data Breach Notification Act (alabamaag.gov)
- AG Marshall $49.5M Blackbaud Settlement (alabamaag.gov)
- Alabama Code Title 8 Chapter 38 (legislature.state.al.us)
This article provides general legal information about Alabama's data breach notification requirements. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Alabama government sources.