Greg Price recently submitted an article to the Troy Messenger, Alabama’s new breach law:
Starting June 1, 2018, private and public entities must establish reasonable data security measures and notify those affected negatively when personal data has been compromised. Despite Alabama being last to the data breach notification parade, our law has been described among the most stringent in the nation. From my personal experiences, I agree, Alabama’s law takes into consideration third-party service providers which many states neglect. Alabama’s inclusion of “third-party agents,” that is to say, entities contracted to maintain, store, process, or otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity, is outstanding for Alabama’s citizens – there is no hiding, passing of the proverbial buck: if you collect electronic information from your customers, you are responsible for it.