New Law Will Mean Better Breach Disclosures in Alabama

The Alabama Breach Notification Act, approved by the legislature last month, imposes new requirements on government agencies and companies that use citizen data.

(TNS) — A new law that takes effect next month will probably ensure that Alabamians hear more about data breaches among the state's government entities and businesses.

The Alabama Breach Notification Act was approved by the Alabama Legislature last month, making Alabama the final state to enact a breach notification law in the U.S.

It imposes new notification requirements on businesses and government agencies when they determine there has been a breach of security that exposes consumers' personal identification information.

Notification should take place about 10 days after discovery. Notification is not required if a good faith investigation determines the breach is not likely to harm people whose data was compromised.

The law also contains a data disposal provision requiring sensitive personal information to be destroyed when no longer needed.

Steve Hines is president of ThreatAdvice, a Birmingham-based cyber security firm. The firm serves law and accounting firms, health care companies and cities.

He said there are several reasons why high-profile data breaches seem to be occurring more frequently. For starters, laws like the notification act are requiring entities to report them. Just in the last month, hacks involving Saks Fifth Avenue, Under Armour and Facebook, among others, have made the news.

Also, more people are committing cyber crimes, he said.

"It's becoming a lot easier for non-technical bad guys to launch these attacks," Hines said. "They can hire somebody and split the profit with them. It's only going to get more random, and it's a pretty hard crime to defend against. What's more, you can't catch the bad guys usually because they're hiding behind several IP addresses."

Atlanta has reportedly spent $2.7 million in response to a ransomware cyber attack that crippled some city services, where attackers demanded a $50,000 ransom. Most city workers were told not to turn on their computers.

Hines said recent political history should be enough to convince people of the necessity of cyber security. The hacking of emails within the Clinton campaign in 2016 was one factor that may have influenced the outcome of the presidential election.

What's the answer? Hines said his firm concentrates on educating its clients' employees in non-technical ways to stay safe. Ninety percent of data breaches, Hines said, don't come through a firewall but happen because an untrained employee clicks on an attachment.

"They're giving up their credentials, giving up their passwords, if you look at all the breaches, they are coming through the backdoor," he said. "It's also coming through third-party vendors, or 'Internet of Things' devices. The Internet connects security cameras, vending machines, thermostats, medical devices, copiers. There are so many ways organizations can be attacked, and it's only going to increase."

Hines' background was in mortgage and banking, he said. Then his work with financial technology began to show him the potential threats posed by cyber security breaches.

One way his firm tests a client's susceptibility to hacks is to conduct "phishing tests" to see if employees will unsuspectingly take the bait in a fake phishing campaign.

"The whole purpose is to make people cyber aware and be wary of the tricks," he said. "The cost of a breach is astronomical. It's way more than companies expect. It's important to do your best to keep from getting breached."

©2018 Alabama Media Group, Birmingham. Distributed by Tribune Content Agency, LLC.