1. Fraud and Scams
  2. Data Privacy & Data Breach Reporting
  3. Notification of Data Breach

Notification of Data Breach

Pursuant to A.R.S. § 18-552(B)(2)(b), a person that owns or licenses computerized data that experiences a system security breach may provide notice of the data breach to the Arizona Attorney General using this form. Defined terms (e.g., Person, Breach, Security Incident, Personal Information, Nationwide Consumer Reporting Agency, etc.) that are used below shall have the meanings set forth in A.R.S. § 18-551.

Notifications provided to the Attorney General using this form are confidential pursuant to A.R.S. § 44-1525 and are exempt from disclosure under A.R.S. § 39-101 et seq., but may be used by the Attorney General to investigate the data breach or any related incidents or conduct.

To provide notice of a data breach, please fill out the online form below.

If you would like to send your notification via mail or email, please complete the Data Breach Notification Form in a Fillable PDF, then save and email the completed form to [email protected] or print and mail it to the Arizona Attorney General’s Office, Consumer Protection & Advocacy Section, 2005 North Central Avenue, Phoenix, AZ 85004.

  • Data Breach Notification Checklist
  • Data Breach Notification Form
  • Complete

Step 1: Do you need to report?

Answer these questions to determine if you need to report. If you are uncertain, you may still report.

Disclaimer: This checklist is provided for informational purposes only and does not constitute legal advice. You are responsible for ensuring compliance with Arizona's Data Breach Reporting law. If you have any questions about these forms, consult with an attorney.

This form is intended for businesses that own or license computerized data that experience a system security breach. It may be used by the Attorney General to investigate the data breach and any related incidents or conduct. Except for substitute notices provided pursuant to A.R.S. 18-552(F), notifications provided to the Attorney General using this form are confidential pursuant to A.R.S. § 44-1525 and are exempt from disclosure under A.R.S. § 39-101 et seq. 

If you are an individual and believe your information was compromised in a data breach, do not use this form. Instead, see the Attorney General's website for more information on what you can do to avoid becoming a victim of identity theft.

Have you experienced a security incident?
Have you completed a prompt investigation of the security incident?
Have you determined the full scope of the security incident including the dates of any unauthorized access?
Have you determined the security incident involved computerized personal information maintained or licensed in an unencrypted or unredacted format?
Did that security incident result in a security system breach of personal information?
Did the breach of personal information involve the personal information of more than 1000 residents of Arizona?

If you answered "Yes" to all of Step 1 continue to Step 2: Exemptions. If you answered "No" to any question in Step 1 consult with a professional to determine if you are ready to report.

Step 2: Do any exemptions apply to you?(A.R.S. § 18-552(N))

The law exempts certain businesses. Check to see if these apply. If you are uncertain you may still report.

Are you a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA)?
Are you subject to Title V of the Gramm-Leach-Bliley Act (GLBA)?

If you answered "Yes" on either question in Step 2 you may not need to report. Consult with a professional to determine reporting obligations. If you answered "No" or remain unsure, please continue with the remainder of the form.