*** This page refers to a DRAFT policy that is no longer available for download. ***

Policy 621: Data Breach Notification defines the requirements and responsibilities for providing notifications when a breach of personal information has occurred. The Alabama Data Breach Notification Act of 2018 (Acts 2018-396) requires certain entities to provide notice to certain persons upon a breach of security that results in the unauthorized acquisition of sensitive personally identifying information (PII). The primary objectives of this policy were to:

  1. Define the term breach to include unauthorized acquisition of PII, unauthorized use or disclosure of PII, and information spillage instances (as defined in IRS Publication 1075, IR-9)
  2. Define PII to include identifying elements stated in the Alabama Consumer Identity Protection Act (Acts 2001-312) as well as Acts 2018-396.
  3. Define the notification-related responsibilities of data owners and data custodians (without restating the requirements of state or federal law or of other governance (e.g., HIPAA)).
  4. Require that the Office of Information Technology be notified upon discovery of any data breach.


Policy 621 addresses NIST SP800-53R4 security control IR-9 (Information Spillage) which is required by IRS publication 1075 and is a control that should be broadly applied whenever PII or other sensitive data types are being handled (i.e., not limited to tax information).


Risks that are addressed in this policy:

  • Exposure of PII or of other sensitive data
  • Understanding what constitutes PII
  • Understanding what constitutes a data breach


View or Download:  DRAFT Policy 621: Data Breach Notification, is no longer available for download.