MONTH-IN-BRIEF (Jun 2019)
Alabama Law Increases Cybersecurity Requirements for Insurance Entities
By Kacey Jennings, Villanova University Charles Widger School of Law
A new Alabama law, S.B. 54, requires entities licensed by the Alabama Department of Insurance to develop and implement cybersecurity programs, and subjects those companies to civil penalties for noncompliance. Companies must maintain written information security programs that include an incident response plan, and they must notify the Commissioner of Insurance of cybersecurity incidents no later than three business days after the determination that the incident occurred. Businesses that have fewer than twenty-five employees, gross less than $5 million annually, or can provide a statement proving they are HIPAA compliant are exempt from this new law. This law is significant because it protects nonpublic personal information that could be used to identify consumers. Businesses in Alabama should review their policies to ensure they are compliant with this heightened standard, which goes into effect May 1, 2020.