New regulations will govern how victims are notified.
Alabama has become the 50th and final US state to sign a data breach notification bill.
The new law, implemented by governor Kay Ivey, states that residents must be notified within 45 days if they could have been affected by a breach that causes substantial harm.
It also requires companies handling personal data to implement “reasonable security measures” and to conduct prompt investigations.
The law also requires companies to report leaks to the Alabama Attorney General and credit reporting agencies if the incident affects more than 1,000 people.
Unlike other data protection bills already in place, the new regulations also define what “reasonable” means.
Reasonable measures, it states, include identifying internal and external cyber risks and the adoption of safeguards.
This contrasts with other international bills, which have been slammed for failing to clarify specific elements.
The bill comes after a number of high-profile breaches across Alabama.
In 2015, students with a scholarship to the University of South Alabama had their information leaked after a vulnerability within the institution’s systems.
Names, addresses, dates of birth and social security numbers were among the details posted onto the internet after the incident.
And in the same year, a website breach saw the personal data of health insurance customers displayed online.
A glitch in the members’ portal of the Alabama public education employees’ health insurance plan website displayed names, addresses, social security numbers and other information related to hundreds of customers.