A Note From The Legal Helpdesk: 2018 Cyber Security Update and Alabama’s Data Breach Notification Law

This is the 2018 Cybersecurity Article, including a detailed explanation of a new state law on data breach notifications, an overview of federal and international laws, and updated tips for preventing and handling data breaches. (The 2017 Cybersecurity Article can be found here.)


State Law on Notification

Joining the other 49 states of the Union, Alabama recently passed a law specifically on data breaches. The Alabama Data Breach Notification Act of 2018 (“the Act”)[i] places certain requirements on entities that have electronic, sensitive personal information, both before and after a data breach.

Does the Act apply to you?

The Act applies to any entity, or third-party agent (vendor), that acquires or uses “sensitive personally identifying information” (SPII). So, whether or not an entity acquires or uses SPII is the determining factor. While this article summarizes the Act, a more detailed outline of the definition of SPII and the notice requirements can be found here.

What is SPII?

Essentially, for data to be considered SPII under the Act, it must meet five characteristics: 1) Electronic data 2) for an Alabama resident 3) that includes the resident’s first name or initial, 4) last name, and 5) basically, some other piece of the resident’s information that the resident would not want in the hands of an unauthorized party.

The Act provides a laundry list of items for number 5, which can be summarized as follows (see outline link above for the full list):

  1. Id. - An entire government-issued identification number (e.g., driver’s license number, social security number, passport number, etc.)
  2. Financial - Financial information that provides access to a financial account or allows a party to conduct a transaction (e.g., bank account number and password)
  3. Medical - Medical information of almost any kind (e.g., medical history, mental/physical condition, or treatment)
  4. Health Insurance - Health insurance information that allows access to the resident’s insurance (e.g., resident’s policy number and unique identifier)
  5. Online Accounts – Access information (user name/password) to the online account of the entity holding the information, where the online account contains SPII (e.g., access to a company’s network or database where other SPII is stored)

SPII You May Have

Since much of today’s data is in or converted to electronic format, the fifth element above will likely be the determining factor for most entities. Here are some examples of what may be SPII specific to real estate professionals.

  • Property Managers
    • Rental applications containing medical history, social security numbers, driver’s license numbers and/or financial information
    • Background check reports
    • Tenant rent payments in the form of e-checks
    • Authorizations for direct withdrawal from a financial account
    • Reasonable accommodation requests that state a mental or physical condition
  • Sellers Agent/Buyers Agent
    • Emails from clients containing clients’ information or attachments with protected information
  • Broker/Owner
    • An agent’s social security number, driver’s license number, tax id. number, or financial account information for payment of commissions
    • Not an agent’s license number, because it is already public record
    • Client records on a transaction management service
  • Association/MLS
    • User name and password to an Association or MLS account that provides access to SPII
    • Financial information from payments or donations by check or automatic withdrawals
  • Not covered
    • Contact Lists – Many contact lists do not contain SPII. While these lists may include email addresses or home addresses with first name and last name, this information does not fall within the Act’s definition of SPII. However, voluntary sharing of this information should only be pursuant to the entity’s information sharing policy.

What does the Act require?

So, you diligently searched your electronic records and found data that meets all five elements above. What do you do now? The Act sets both pre-breach and post-breach requirements.

  1. Pre-Breach Requirements

The Act requires those entities with SPII to implement and maintain “reasonable security measures.” Every entity must determine what is reasonable for that entity. In fact, the Act suggests that the reasonableness depends on several things, including the size of the entity, the amount of SPII the entity has, and the cost of implementing and maintaining the measures. The Act provides six security measures as potentially reasonable, summarized as follows:

    1. Designation of a specific person to coordinate security measures;
    2. Identification of the risks of security breaches, both external and internal;
    3. Adoption of information safeguards tailored to specific risks of breach;
    4. Retention of a company to maintain the information safeguards;
    5. Continual evaluation and adjustment of the safeguards based on any changed circumstances; and
    6. Providing updates to the entity’s management of the status of the security measures.

  2. Post-Breach Requirements – Investigation and Notice

If an entity with SPII believes that a breach has or may have occurred, the entity must conduct an investigation and may need to provide notice of the breach to individuals or other entities.

  • Investigation

The Act sets specific criteria for the investigation.

  • Timing of Investigation - As to timing, the investigation must be prompt, which is commonly defined as “performed readily or immediately”[ii]. The investigation should therefore begin immediately after the entity learns of a breach or possible breach, which is why it is important to have a standard operating procedure for data breaches in place so that the investigation can begin promptly.
  • Manner of Investigation - The investigation must be conducted in good faith, a legal term for honesty and fairness.
  • Content of Investigation – The investigation must include several specific actions.
    1. Assess the nature and scope of the breach
    2. Identify any SPII that may be involved in the breach and the individuals to whom the SPII belongs
    3. Determine:
      • whether an unauthorized person has or likely has acquired SPII, and
      • whether the unauthorized acquisition is reasonably likely to cause substantial harm
    4. Identify and implement security restoration measures for the system(s) compromised
  • Notice

Not all data incidents require notice to external parties. Notice is required when two determinations are made after or during an investigation.

1) SPII acquired - SPII has been or is reasonably believed to have been acquired by an unauthorized person, whether discovered internally or after notice by a third-party vendor, and

2) Likelihood of Harm - This unauthorized acquisition is reasonably likely to cause substantial harm to those individuals to whom the SPII relates.

If the entity decides no notice is required because these findings are not present, the entity must document this decision in writing and keep the records for five years.

When an entity makes the two determinations, the Act requires notice of the breach to be sent to the individual to whom the information relates and, in some situations, to law enforcement and the consumer financing entities. Here are the parameters for this notice.

- To the Individual

Timing - An entity must send notice to the individuals affected “expeditiously and without unreasonable delay taking into account the time necessary for an investigation.” Regardless, notice must be sent within 45 days of discovery of the breach, whether discovered internally or after notice by a third-party vendor. (Third-party agents have 10 days after discovery to notify an entity of a breach or potential breach.)

Contents - Notice can be mailed or emailed directly, or substitute notice is allowed in certain situations. The notice should contain the date or estimated date(s) of the breach; a description of the data taken, actions taken to date, and steps to take to protect from identity theft; as well as contact information for the individual to contact the entity. Of course, notice should not be sent if law enforcement requests a delay in writing.

- To the Attorney General

This notice is required when the entity must send notice to more than 1,000 individuals and should be sent quickly. In general, the notice must contain a summary of events, the estimated number of affected individuals, what free services are being offered, and a designated contact at the entity for the AG.

- To Consumer Reporting Agencies

Notice to all consumer reporting agencies compiling files on consumers nationwide should be sent if notice is sent to the Attorney General. The notice should contain information on the timing, distribution and content of the other notices.

Takeaways on Notice

  • Not all breaches require notice – Data incidents may not result in the actual acquisition of data or in a likelihood of harm, both of which are required for notice. For example, certain types of ransomware encrypt your data and demand a ransom for the decryption key, but the actual data is not acquired.
  • 45-day period begins at discovery of breach – The period to notify individuals begins before notice is actually required. Let me explain. The 45-day period to send notice starts upon the discovery of a breach, whether internally or by notice from a third-party vendor. However, notice is only required when a breach occurs that is reasonably likely to cause substantial harm. So, once a breach is discovered, a company essentially has 45 days to determine likelihood of harm.
  • Companies Have Discretion: SPII, Reasonably Likely and Substantial Harm – The Act leaves certain things ambiguous to allow for flexibility. For example, even though SPII is defined, the list is not exhaustive, and companies must determine whether their information falls within the definition. A similar determination must be made for the terms “reasonably likely” and “substantial harm”. However, the penalties mentioned below hinge upon purposeful disregard for the individuals’ information. While some may say to provide notice when in doubt, this paints with too broad of a brush and disregards some very valid reasons not to provide notice. The best thing is to clearly document the rationale for whatever decision is made (hopefully, made in conjunction with counsel).
  • Notice to the AG – The Attorney General’s Office now has an online portal through which companies can satisfy the notice requirement to the AG. You can access that portal here.

Other Important Provisions in the Act

  • Third-Party Notice – If a third-party agent manages a company’s data, the Act requires the third-party agent to send notice of the breach to the company quickly, and no later than 10 days after the agent determines a breach occurred or may have occurred.
  • Hire out notifications - An entity may hire a third-party to handle notifications.
  • Violations – Failure to abide by the notice provisions may subject the offending entity to a civil penalty in a civil suit by the Alabama Attorney General, but is not a criminal offense or subject to claims by individuals. The civil penalty is limited to $500,000 per breach for willful or reckless disregard of the Act, and $5000 a day for failure to take reasonable action to comply with the notice provisions of the Act. Also, the Attorney General can bring a lawsuit on behalf of damaged individuals and recover actual damages plus costs including attorney’s fees.
  • Compliance with Court Order – Failure to send notice because a court orders an entity to refrain from sending notice is not considered a violation.

Records Disposal Policy

Real estate companies with SPII may need to revisit their document retention and destruction policies. Under real estate license law, real estate professionals are required to maintain certain records for up to three years, regardless of whether the records are electronic or paper. Some entities may keep these records for years. However, for electronic records containing SPII, the Data Breach Act now requires reasonable disposal after the record retention period is met.[iii]

How do you know if a Data Breach has occurred?

The Act provides several factors to consider.

  • An unauthorized person may have physical possession and control of equipment with SPII (e.g., a computer or hardware is lost or stolen)
  • Indications that the SPII was downloaded or copied (e.g., unauthorized access or a change in the metadata)
  • Indications that SPII was used by an unauthorized user (e.g., fraudulent accounts set up, identity theft reported)
  • The information is now in the public domain

International/Federal Laws

One possible question is whether any other laws (international or federal) on data breaches/security apply to real estate professionals. The answer is maybe, depending on several things.

  • International laws
    • EU - Effective May 25, 2018, the EU now requires notification of data breaches to regulatory authorities within 72 hours under the General Data Protection Regulation (GDPR). The GDPR applies broadly to entities with regular activity in the EU and/or interaction with citizens of the EU. Real estate professionals may be subject to the law if they have clients (foreign investors) located in the EU.
    • Canada – For those with Canadian clients, Canada’s Digital Privacy Act will require breach notification starting November 1, 2018.
  • Federal Laws – While no comprehensive federal data security bill exists, numerous agencies have enacted regulations under various federal laws that deal with data security. The most common is the Federal Trade Commission (FTC) mentioned below.
    • The FTC enforces data security through the “unfair business practice” provision of the FTC Act (Section 5, if you were wondering). Enforcement lawsuits are brought against companies when the FTC believes the companies lack adequate data security measures, usually following a data breach. However, a recent 11th Circuit Court of Appeals decision overturned an FTC decision in this arena, requiring the FTC to be specific in what data security measures it orders a company to take and potentially limiting future FTC investigations. See LabMD vs. Federal Trade Commission.

Notes and Tips on Cyber-security

  1. Common Attacks

The cyber world is continually adapting and developing new technologies. Correspondingly, cyber criminals are continually adjusting and finding new methods of stealing confidential information and money. Most cyber-attacks come from emails—a couple of examples below:

    i. Phishing emails from a similar email address. For example, a hacker may send your client an email from harn.jones@realtor4ever.com instead of ham.jones@realtor4ever.com (r and n together look like an m), in which the hacker requests money to be wired and provides specific instructions.
    ii. Emails from a hacked account. If your email is hacked, clients can receive emails directly from your email account requesting money to be wired to the criminal’s account.
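As an added defensive check (example code written for this note, not part of the original article), the following Python flags incoming sender addresses that merely look like a known contact, using the r-n/m confusion above, and rates the message higher when it also asks for a wire transfer. The contact list, confusable table and wire-transfer phrases are constructed assumptions for the example.

```python
from difflib import SequenceMatcher

# Character sequences that look alike in common fonts (illustrative list, an
# assumption of this example, not a complete table of confusables).
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("cl", "d")]

# Phrases that typically appear in wire-fraud requests (constructed for this example).
WIRE_TERMS = ("wire", "wiring instructions", "routing number", "account number")


def normalize(address):
    """Lower-case an address and collapse confusable sequences, so that
    'harn.jones@realtor4ever.com' and 'ham.jones@realtor4ever.com' compare equal."""
    addr = address.strip().lower()
    for seq, rep in CONFUSABLES:
        addr = addr.replace(seq, rep)
    return addr


def check_sender(sender, known_contacts):
    """Classify a sender against the contacts you already correspond with.

    Returns (verdict, matched_contact) where verdict is one of:
      known     - exact (case-insensitive) match
      lookalike - identical once confusable sequences are collapsed
      near-miss - very close but not identical (e.g. one character added or dropped)
      unknown   - no close match
    """
    raw = sender.strip().lower()
    for contact in known_contacts:
        if raw == contact.strip().lower():
            return "known", contact
    norm = normalize(sender)
    best, best_ratio = None, 0.0
    for contact in known_contacts:
        contact_norm = normalize(contact)
        if norm == contact_norm:
            return "lookalike", contact
        ratio = SequenceMatcher(None, norm, contact_norm).ratio()
        if ratio > best_ratio:
            best, best_ratio = contact, ratio
    if best_ratio >= 0.9:
        return "near-miss", best
    return "unknown", None


def triage_email(sender, body, known_contacts):
    """Combine the sender check with a scan for wire-transfer language.

    A lookalike or near-miss sender asking to move money is example i above and is
    rated 'high'. Wire language from a genuine, known address matches example ii
    (a hacked account), so it is still rated 'medium' and deserves a confirmation
    call to a phone number you already have on file."""
    verdict, matched = check_sender(sender, known_contacts)
    asks_for_wire = any(term in body.lower() for term in WIRE_TERMS)
    if verdict in ("lookalike", "near-miss"):
        severity = "high" if asks_for_wire else "medium"
    elif asks_for_wire:
        severity = "medium"
    else:
        severity = "low"
    return {"verdict": verdict, "matched_contact": matched,
            "wire_request": asks_for_wire, "severity": severity}


if __name__ == "__main__":
    contacts = ["ham.jones@realtor4ever.com"]  # constructed contact list
    body = "Please wire the earnest money today; updated wiring instructions attached."
    print(triage_email("harn.jones@realtor4ever.com", body, contacts))
```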

  2. Awareness and Training

Real estate transactions are prime targets for cyber criminals. Providing training to your agents and employees is imperative in order to decrease the risk from cyber fraud in your office. While statistics show that individuals open suspicious emails despite training, awareness does lessen the risk. Each office needs specific policies on cyber security—not only what employees or agents should avoid, but also what to do when fraud occurs. Due to the ever-changing world of technology, these policies should be reviewed periodically for updates. Employees and/or agents need training on your policies, and you should consider setting a schedule for ongoing training and education.

Steps to Take Before a Cyber Attack Occurs

Whether or not federal or state data breach laws apply to you, it is very important to take steps to prepare for a cyber-attack. Here are a few proactive steps that may help minimize the damage in the event of a cyber-attack or data breach (some may be required if the Alabama Data Breach Act applies):

  • Only keep information that you need - If you are not required to retain information, disposing of it after legal time periods are satisfied may prevent a hacker from accessing sensitive client data.
  • Create a data breach response plan - While a plan is not specifically required, taking steps to write a response plan for a data breach may save you crucial time in responding effectively and lawfully to a data breach. An effective data breach response plan should be tailored to your needs and may involve your IT company, employees, and your legal counsel.
  • Keep your databases safe - Much of the sensitive personally identifying information may reside in your database(s). Keeping your databases safe includes safety measures like creating a firewall separating your publicly shared information from your private data. Additionally, a simple way to increase the safety of your databases is to avoid using common passwords. Instead, create complex passwords and change them often.
  • Conduct periodic data protection audits - A data security company can audit and assess your data security system. Conducting periodic audits may help draw attention to vulnerabilities in your databases, allowing you the opportunity to remedy the vulnerability prior to a data breach.
  • Purchase cyber-liability insurance - In the event you or your company becomes victim to a cyber-attack or data breach, having cyber-liability insurance may help cover some of the costs associated with responding to the breach and may help cover litigation expenses from any resulting lawsuits.
  • Update Credentials and Passwords – Updating and/or terminating credentials as people change employment and altering passwords may help decrease continued vulnerability.

Additional articles and resources on avoiding a data breach:
REALTOR® Mag, "Don't get 'Pwned': Keep Your Data Secure"
REALTOR® Mag, "Balancing Safety and Your Online Presence"
NAR Data Security and Privacy Toolkit

Responding to a Cyber Attack/Data Breach

In the event you become victim to a cyber-attack or data breach, here a few tips on responding: (some may be required if the Alabama Data Breach Act applies)

  • Call your IT professional - In an effort to mitigate further damage, contact your IT professional as soon as you discover the breach. Your IT professional should be able to help stop the breach and analyze the damage. This may involve taking all machines offline (disconnecting them from the network). However, it is important not to power your machines off until forensic analysis can be done, ideally by your IT professional, since shutting down can destroy evidence held in memory.
  • Retain outside legal counsel - If not already done as part of your data breach response plan, consider hiring an attorney with cyber security and data breach experience. An attorney should advise you on federal and state laws that may impact you, including the new Alabama Data Breach Notification Act.
  • Contact your insurance broker - If you maintain cyber-liability insurance, your policy may help cover the costs you will likely incur in responding to the data breach and potential litigation resulting from the breach. Also, your insurance policy agreement likely requires notice to the insurer within a certain timeframe.

Additional resources on responding to a data breach:
Federal Trade Commission, "Responding to a Data Breach"

Other Articles:
The Evolution of Cybercrime - Five Key Predictions for 2018 (Business Chief)
Cyber Breaches have Doubled in Five Years - Zurich Report (Business Chief)


[i] All references to the Act are to Act No. 2018-396 (click here to view the bill).
[ii] Prompt. (n.d.). Retrieved June 4, 2018, from https://www.merriam-webster.com/dictionary/prompt
[iii] Section 10 of Act 2018-396.


Disclaimer: This article provides general information only and does not constitute legal advice. No attorney-client relationship is created by reading, viewing, opening, or other action related to this article. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Specific circumstances may change the applicable law or advice a competent individual would provide. In addition, this information is not meant to supplant or in any way replace Errors and Omissions Insurance or other insurance coverage. Mistakes may occasionally be made. Once notified, we will work diligently to correct the issue in a timely manner and mark any updated or changed articles accordingly.