AG Brnovich & Rep. Shope Propose Stronger Data Breach Consumer Notification Law

PHOENIX - With data breaches at an all-time high across the country, Attorney General Mark Brnovich is partnering with State Representative T.J. Shope, R-Coolidge, to introduce legislation that would help protect Arizonans from becoming victims of identity theft after a data breach.

HB 2154 would amend the state’s outdated data breach notification law by strengthening notification requirements and increasing consumer protection after a breach. If enacted, the proposed law would make the state’s data breach notification law one of the most comprehensive and pro-consumer in the country.

“Over the past several years, millions of Arizona residents have had their personal information compromised by cybercriminals,” said Attorney General Brnovich. “A stronger data breach notification law would not only protect consumers, it would provide clarity to businesses and government agencies about their obligations after a data breach. I’m proud to be working with Rep. Shope and the Legislature to improve our data breach notification law.”

“Arizonans have a basic right to have their private information remain just that, private," said Representative T.J Shope. "It has been a pleasure to work with the Attorney General on this and I look forward to its passage this year."

HB 2154 would require organizations to notify consumers within 30 days if their personal information has been compromised due to a data breach. This will allow consumers to take prompt action to secure their accounts and limit potential harm from the exposure of their personal information.

The current law only requires consumer notification if social security numbers, driver license numbers, and financial account information are exposed. The proposed bill also expands the definition of personal information to include, among other things, biometric data (like fingerprints or facial-recognition information), electronic signatures, e-mail addresses and passwords, medical information, and tax information.

Under HB 2154, breaches must also be reported to the Attorney General’s Office and to each of the major consumer reporting agencies. Present law does not require the Attorney General’s Office to be notified of data breaches. Under the proposed bill, a violation of the notification requirements constitutes a violation of Arizona’s Consumer Fraud Act and can be investigated and prosecuted by the Attorney General’s Office as such.

The bill was drafted in consultation with the Civil Litigation Division of the Attorney General’s Office.

Full copy of the bill.