Civil penalties as high as $500,000 per breach are stipulated.They must still provide written notice to the Alabama Attorney General when the number of individuals the entity notified exceeds 1,000. Entities in compliance with relevant federal and state regulations, HIPAA or the GLBA are deemed to comply with this law.Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.If more than 1,000 individuals must be notified of a breach, breached entities must also notify the Attorney General, and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C.Breached third parties must notify the relevant data owners or licensees within 10 days.Notification is not required if it is determined the breach is not reasonably likely to cause substantial harm to affected individuals. Notification in writing must be made as expeditiously as possible and without unreasonable delay, and no later than 45 days of receipt of notice of the breach.Enacted in 2018, Alabama’s data breach notification legislation requires entities that acquire or use “sensate personally identifying information” of Alabama residents to notify affected individuals of any unauthorized acquisition of data.