In recent weeks, state legislators in South Dakota have taken steps to protect their citizens in the event of a serious data breach.
Why is this news to Alabamians? Because South Dakota is the only state other than Alabama that still does not have a law requiring its citizens to be notified when a data breach occurs that could affect them. Soon Alabamians may stand alone in being without this kind of notification and I am pushing for passage of such a law in Alabama this year.
Over the last few years consumers have been shocked to learn of major data breaches in practically every sector of our national economy from health care to banking and big box stores to even the federal government. Criminals hacking into computers have recovered millions of personal records of Americans including many Alabamians.
Well over 90 percent of U.S. residents have made some purchase online. Still others use the internet and smartphones to access services which also store your personal information. Each activity potentially exposes you to a hacker. In fact, you really don’t have to be active online to be vulnerable as we witnessed with the Equifax data breach last year. You only need a credit history that is stored in a company or organization’s computer to be at risk. The impact of data breaches is enormous. The non-profit Identity Theft Resource Center recently released its tally of data breaches that took place in 2017. It reports that over 174 million records were exposed in a total of 1,339 known data breaches last year alone.
To be clear, there is little a consumer can do to prevent themselves from becoming the next victim of a data breach. That burden falls upon the government or business entity hosting your personal data. However, the sooner you find out that your social security number, bank and credit card accounts have been exposed to hackers, the better able you are to limit the potential damage from identity theft. Forty-eight states currently have laws in place requiring entities doing business within their jurisdictions to timely report a data breach that could affect their citizens. Without a similar law in Alabama, our residents could be among the last to know they may have been a victim, and that is not right.
Since becoming Alabama’s Attorney General, I have made it a priority to ensure that Alabama consumers are not left out in the cold in the event of another data breach. My office has drafted the Alabama Data Breach Notification Act of 2018 to be introduced during this session of the Alabama Legislature. The bill does not penalize an entity for being breached; rather, it requires the entity to notify consumers within a reasonable time after it has been determined that a consumer’s personal identifying information has been accessed and is likely to cause the consumer harm. If the data breach involves the information of more than 1,000 individuals, then the entity must notify the Alabama Attorney General’s Office as well.
To be sure, as the world’s economic activity and data increasingly flow through the internet, criminals will devote even more energy to capturing Americans’ sensitive data. It is, therefore, vital that Alabama consumers be notified when they may have had their personal information exposed. I look forward to working with the Alabama Legislature to provide this extra measure to help Alabamians defend themselves from theft of their personal information.
Steve Marshall is the Alabama Attorney General.