Arizona’s Data-Breach Notification Law FAQ

 

 

Where can I find Arizona’s Data-Breach Notification Law?

The Notification Law can be found at A.R.S. §§ 18-551 and 18-552.

What does the Notification Law do?

The law is intended to provide Arizona residents with information about data breaches involving their personal information.

What qualifies as “personal information”?

The Notification Law defines “personal information” to include an individual’s first name or first initial and last name in combination with at least one “specified data element,” such as a Social Security or driver’s license number; taxpayer ID; medical or mental-health information; or biometric data.  (For a full list of specified data elements, see A.R.S. § 18-551(11).)  “Personal information” also includes an individual’s user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account.  “Personal information,” however, does not include information publicly available from government records or widely distributed media.

To whom does the law apply?

The law imposes requirements on any “person” who conducts business in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information.  “Person” is defined to include any natural person, corporation, business trust, estate, trust, partnership, association, joint venture, government or governmental subdivision or agency, or any other legal or commercial entity.  But the term does not include the department of public safety, a county sheriff’s department, a municipal police department, a prosecution agency or a court.  In addition, entities covered by the federal Health Insurance Portability and Accountability Act (“HIPAA”) or Gramm-Leach-Bliley Act are exempt.

What does the law require?

If a covered person discovers a “security incident,” as defined by the law, the person is required to investigate to determine if a “breach” has occurred.  If a breach has occurred, the owner or licensee of the breached personal information is required to notify affected individuals, unless the person, a law-enforcement agency, or an independent forensic auditor determines that the breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.  Generally, the notification must be provided within 45 days and must be made using one of the methods specified by the law.  See A.R.S. § 18-552, subsections (E) through (I).  For breaches involving more than 1,000 Arizona residents, notification must also be provided to the three largest nationwide consumer reporting agencies and to the Arizona Attorney General’s Office.

Does the law require a business to implement security or privacy policies to prevent data breaches?

No, the law generally requires covered persons to act only if and when a “security incident” has already occurred.  However, if a covered person has security and privacy policies in place that include notification procedures in the event of a breach, the person’s compliance with those policies is deemed compliant with the law.  Thus, the law encourages companies to adopt data-privacy and security policies with consumer-notification provisions in advance of any potential breach. 

What are the consequences of a violation?

A knowing and willful violation of the law constitutes a violation of the Arizona Consumer Fraud Act, A.R.S. § 44-1521 et seq.  Only the Attorney General may enforce such a violation.  In doing so, the Attorney General may seek up to $500,000 in civil penalties, in addition to any restitution that may be owed to the affected individuals.

What should I do if I receive a data-breach notification?

If your personal information has been involved in a data breach, you might want to take steps to protect yourself from identity theft and other forms of fraud.  For example, you might consider placing a free “fraud alert” or “security freeze” on your credit reports with consumer reporting agencies, and you can request one free credit report from those agencies each year to monitor any potentially fraudulent activity.  For more information, you can visit the “Identity Theft” section of this website, and additional resources are available at https://www.consumer.ftc.gov/ and https://www.identitytheft.gov/.