DBN Statutes – Alabama

Data Breach Notification Statutes – Alabama

Last Updated: 02/28/2024

  • Applicable Statute: Ala. Code. §§ 8-38-1 — 8-38-12
  • Attorney General Notice Required : Yes – Must notify the Attorney General if more than 1,000 residents notified.
    • Timing : As expeditiously as possible and without unreasonable delay, but in no case more than 45 days from discovery of the breach.
    • Method: See website: https://www.alabamaag.gov/
    • Content : Notice to the Attorney General must include:
      • A synopsis of events surrounding the breach;
      • The approximate number of affected state residents;
      • Information and instructions on any services the covered entity is offering to affected residents, without charge, related to the breach;
      • The contact information of the employee or agent from whom additional information may be obtained.
  • Consumer Notice Requirements:
    • Timing: Must be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to conduct an investigation, but no later than 45 days after discovery and determination breach is reasonably likely to cause substantial harm.
    • Method: By written notice or by email to the individual at the email address held by the subject entity.
    • Content: Notice must include, at a minimum:
      • The date, estimated date, or estimated date range of the breach;
      • A description of the personal information that was acquired by an unauthorized person as part of the breach;
      • A general description of actions taken to restore the security and confidentiality of personal information involved in the breach;
      • A general description of steps an affected individual can take to protect against identity theft; and Information that the individual can use to contact the subject entity about the breach.
  • Consumer Reporting Agency Obligations: If more than 1,000 residents are notified, the entity must also notify without unreasonable delay all nationwide consumer reporting agencies of the timing, distribution, and content of the notice.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is;" no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in a several such states and visitors of this website are put on notice that neither Klinedinst PC, nor its attorneys, are or will provide legal advice for states where its attorneys are not licensed.

Data Breach Notification Statutes

Practice Attorneys


Related Practice Areas



Subscribe to Privacy and Data Security Newsletter

* indicates required