Ala. Code § 8-38-4 (2026)
(a) If a covered entity determines that a breach of security has or may have occurred in relation to sensitive personally identifying information that is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity, the covered entity shall conduct a good faith and prompt investigation that includes all of the following:
(b) In determining whether sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person without valid authorization, the following factors may be considered:
(Act 2018-396, §4.)