Section 8-38-9

Violations of notification requirements.

(a) A violation of the notification provisions of this chapter is an unlawful trade practice under the Alabama Deceptive Trade Practices Act, Chapter 19 of this title, but does not constitute a criminal offense under Section 8-19-12. The Attorney General shall have the exclusive authority to bring an action for civil penalties under this chapter.

(1) A violation of this chapter does not establish a private cause of action under Section 8-19-10. Nothing in this chapter may otherwise be construed to affect any right a person may have at common law, by statute, or otherwise.

(2) Any covered entity or third-party agent who is knowingly engaging in or has knowingly engaged in a violation of the notification provisions of this chapter is subject to the penalty provisions set out in Section 8-19-11. For the purposes of this chapter, knowingly shall mean willfully or with reckless disregard in failing to comply with the notice requirements of Sections 8-38-5 and 8-38-6. Civil penalties assessed under Section 8-19-11, shall not exceed five hundred thousand dollars ($500,000) per breach.

(b)(1) Notwithstanding any remedy available under subdivision (2) of subsection (a), a covered entity that violates the notification provisions of this chapter shall be liable for a civil penalty of not more than five thousand dollars ($5,000) per day for each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions of this chapter.

(2) The office of the Attorney General shall have the exclusive authority to bring an action for damages in a representative capacity on behalf of any named individual or individuals. In such an action brought by the office of the Attorney General, recovery shall be limited to actual damages suffered by the person or persons, plus reasonable attorney's fees and costs.

(3) It is not a violation of this chapter to refrain from providing any notice required under this chapter if a court of competent jurisdiction has directed otherwise.

(4) To the extent that notification is required under this chapter as the result of a breach experienced by a third-party agent, a failure to inform the covered entity of the breach shall subject the third-party agent to the fines and penalties set forth in this chapter.

(5) Government entities shall be subject to the notice requirements of this chapter. A government entity that acquires and maintains sensitive personally identifying information from a government employer, and which is required to provide notice to any individual under this chapter, must also notify the employing government entity of any individual to whom the information relates.

(6) All government entities are exempt from any civil penalty authorized by this chapter; provided, however, the Attorney General may bring an action against any state, county, or municipal official or employee, in his or her official capacity, who is subject to this chapter for any of the following:

a. To compel the performance of his or her duties under this chapter.

b. To compel the performance of his or her ministerial acts under this chapter.

c. To enjoin him or her from acting in bad faith, fraudulently, beyond his or her authority, or under mistaken interpretation of the law.

(7) By February 1 of each year, the Attorney General shall submit a report to the Governor, the President Pro Tempore of the Senate, and the Speaker of the House of Representatives describing the nature of any reported breaches of security by government entities or third-party agents of government entities in the preceding calendar year along with recommendations for security improvements. The report shall identify any government entity that has violated any of the applicable requirements in this chapter in the preceding calendar year.

(Act 2018-396, §9.)