Policy 621: Data Breach Notification defines the requirements and responsibilities for providing notifications when a breach of personal information has occurred. The Alabama Data Breach Notification Act of 2018 (Acts 2018-396) requires certain entities to provide notice to certain persons upon a breach of security that results in the unauthorized acquisition of sensitive personally identifying information (PII). The primary objectives of this policy were to:

  1. Define the term breach to include unauthorized acquisition of PII, unauthorized use or disclosure of PII, and information spillage instances (as defined in IRS Publication 1075, IR-9)
  2. Define PII to include identifying elements stated in the Alabama Consumer Identity Protection Act (Acts 2001-312) as well as Acts 2018-396.
  3. Define the notification-related responsibilities of data owners and data custodians (without restating the requirements of state or federal law or of other governance (e.g., HIPAA)).
  4. Require that the Office of Information Technology be notified upon discovery of any data breach.


Policy 621 addresses NIST SP800-53R4 security control IR-9 (Information Spillage) which is required by IRS publication 1075 and is a control that should be broadly applied whenever PII or other sensitive data types are being handled (i.e., not limited to tax information).


Policy 621 replaces legacy Policy 685: Data Breach Notification. Policy 685 was rescinded in 2018, after the Alabama Data Breach Notification Act became law.


Risks that are addressed in this policy:

  • Exposure of PII or of other sensitive data
  • Understanding what constitutes PII
  • Understanding what constitutes a data breach


View or Download:

DRAFT Policy 621: Breach Notification