Ala. Code § 27-62-6 (1975) Notification of Cybersecurity Event

Library: Alabama Statutes
Edition: 2023
Currency: Current with legislation from the 2023 Regular and Special Sessions.
Year: 2023
Citation: Ala. Code § 27-62-6 (1975)

(a) Each licensee shall notify the commissioner as promptly as possible, but in no event later than three business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met:

(1) This state is the state of domicile of the licensee, in the case of an insurer, or this state is the home state of the licensee, in the case of a producer, as those terms are defined in Section 27-7-1, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or reasonable likelihood of materially harming any material part of the normal operation of the licensee.

(2) The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in this state and the cybersecurity event is either of the following:

a. A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law.

b. A cybersecurity event that has a reasonable likelihood of materially harming either of the following:

1. Any consumer residing in this state.

2. Any material part of the normal operation of the licensee.

(b) The licensee shall provide as much of the following information as possible in electronic form as directed by the commissioner:

(1) The date of the cybersecurity event.

(2) A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.

(3) How the cybersecurity event was discovered.

(4) Whether any lost, stolen, or breached information has been recovered and if so, how this was done.

(5) The identity of the source of the cybersecurity event.

(6) Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.

(7) A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.

(8) The period during which the information system was compromised by the cybersecurity event.
