Businesses will now have to notify consumers in all 50 U.S. states of significant data breaches, after Alabama recently joined every other state in putting on the books a relatively stringent breach reporting law that will give companies 45 days to disclose such incidents and require them to implement reasonable data security measures.

Although it is last to join the fray, the Alabama law — which passed the state's House of Representatives on March 22 by a 101-0 vote and was approved 30-0 in the state Senate on March 27 — is among the most stringent on the books to date, according to Ballard Spahr LLP privacy and security group co-chair Edward McAndrew.

"There's something to be said for being last, and that is you have the benefit of learning from everyone else's experiences," McAndrew told Law360.

With the legislation — which was spearheaded by a trio of Republicans: the attorney general, Sen. Arthur Orr and Rep. Phil Williams — Alabama joins approximately 14 other states that have created stand-alone statutory obligations to maintain reasonable cybersecurity measures in addition to setting breach notification standards, which all 50 state bills have done, McAndrew noted.

Read the full article here. Subscription may be required.

Related Practice