Policy 621: Data Breach Notification defines the requirements and responsibilities for providing notifications when a breach of personal information has occurred. The Alabama Data Breach Notification Act of 2018 (Acts 2018-396) requires certain entities to provide notice to certain persons upon a breach of security that results in the unauthorized acquisition of sensitive personally identifying information (PII). The primary objectives of this policy are to:
- Define the term breach to include unauthorized acquisition of PII, unauthorized use or disclosure of PII, and information spillage instances (as defined in IRS Publication 1075, IR-9)
- Define PII to include identifying elements stated in the Alabama Consumer Identity Protection Act (Acts 2001-312) as well as Acts 2018-396.
- Define the notification-related responsibilities of data owners and data custodians (without restating the requirements of state or federal law or of other governance (e.g., HIPAA)).
- Require that the Office of Information Technology be notified upon discovery of any data breach.
Policy 621 addresses NIST SP 800-53 Rev. 4 security control IR-9 (Information Spillage), which is required by IRS Publication 1075. The control should be applied broadly whenever PII or other sensitive data types are being handled; it is not limited to federal tax information.
Policy 621 replaces legacy Policy 685: Data Breach Notification. Policy 685 was rescinded in 2018, after the Alabama Data Breach Notification Act became law.
Risks that are addressed in this policy:
- Exposure of PII or of other sensitive data
- Uncertainty about what constitutes PII
- Uncertainty about what constitutes a data breach
View or Download:
DRAFT Policy 621: Breach Notification