Code of Alabama

Ala. Code § 8-38-3 (2026)

Reasonable Security Measures; Assessment.

✓ official Alabama Legislature (ALISON) text, current July 2026
Find cases: SyfertCases citing this section JustiaAla. Code CornellLII Search CasesGoogle Scholar

(a) Each covered entity and third-party agent shall implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.

(b) Reasonable security measures means security measures practicable for the covered entity subject to subsection (c), to implement and maintain, including consideration of all of the following:

(1) Designation of an employee or employees to coordinate the covered entity’s security measures to protect against a breach of security. An owner or manager may designate himself or herself.

(2) Identification of internal and external risks of a breach of security.

(3) Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards.

(4) Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.

(5) Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information.

(6) Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures; provided, however, that the management of a government entity subject to this subdivision may be appropriately informed of the status of its security measures through a properly convened executive session under the Open Meetings Act pursuant to Section 36-25A-7.

(c) An assessment of a covered entity’s security shall be based upon the entity’s reasonable security measures as a whole and shall place an emphasis on data security failures that are multiple or systemic, including consideration of all the following:

(1) The size of the covered entity.

(2) The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity.

(3) The covered entity’s cost to implement and maintain the reasonable security measures to protect against a breach of security relative to its resources.

(Act 2018-396, §3.)

Notes of Decisions
Cited in 1 case (1 in the last 5 years), 2024–2024 · leading case: Shymikka Griggs v. NHS Mgmt., LLC (Appeal from Jefferson Circuit Court: CV-23-902261). (Ala. 2024).
Shymikka Griggs v. NHS Mgmt., LLC (Appeal from Jefferson Circuit Court: CV-23-902261). (Ala. 2024). “" § 8-38-3(a), Ala. Code 1975. However, as NHS points out in its motion to strike portions of Griggs's reply brief, Griggs did not rely on that statute in her response to NHS's motion to dismiss or in her opening brief on appeal.”
— Ala. Code § 8-38-3(a) — 1 case
Shymikka Griggs v. NHS Mgmt., LLC (Appeal from Jefferson Circuit Court: CV-23-902261). (Ala. 2024). “" § 8-38-3(a), Ala. Code 1975. However, as NHS points out in its motion to strike portions of Griggs's reply brief, Griggs did not rely on that statute in her response to NHS's motion to dismiss or in her opening brief on appeal.”
Annotations are extracted automatically from the opinions in the Syfert caselaw corpus and ranked by authority, recency, and treatment. Dots show Syfertize treatment of the citing case itself.