When it comes to record management and customer notifications, the legal requirements for businesses are vastly different from state-to-state. Take for example California, where businesses are required by law to immediately notify a state resident if his or her personal information has been acquired by an unauthorized user. Most states have similar laws. In Alabama, however, there is no state law requiring a business to notify customers of a data breach.
But only doing the bare minimum of what is legally required can still leave your business vulnerable to reputational harm, loss of customers and disruption of business processes that may prove catastrophic in the long run. Ask yourself this: If it were your data stolen, would you want or even expect to be notified?