New Arizona Law to Protect Data Breach Victims

PHOENIX - Attorney General Mark Brnovich is proud to announce Governor Ducey signed HB2154 into law, updating and strengthening Arizona’s data breach consumer protection statute. The bill, sponsored by Representative T.J. Shope and authored by the Arizona Attorney General’s Office, bolsters protections and adds notification requirements for victims of a data breach.

“I applaud Representative Shope and members of the legislature for adopting these common sense improvements to our data breach laws,” said Attorney General Brnovich. “Consumers have a right to know when their sensitive information has been breached so they can protect themselves from financial loss. A key component of the legislation was notification to the Attorney General’s Office of a breach. My office will be better positioned to investigate massive breaches in the future and assist consumers to protect their assets from theft.”

Highlights from the new state law include:

  • Expanding the definition of protected “personal information” to include online account credentials, as well as an individual’s name in combination with health insurance or other medical information, passport or taxpayer identification numbers, or certain biometric data;
  • Requiring that notice to individuals affected by a breach be provided within 45 days after determining that a breach has occurred (whereas existing law provided no definitive deadline);
  • Clarifying the necessary content and available delivery methods for notifications to consumers;
  • Requiring notification to the three largest consumer reporting agencies for any breach involving more than 1,000 individuals;
  • Increasing the maximum civil penalty for a knowing or willful violation of the statute from $10,000 per breach to $500,000 per breach; and
  • Clearly explaining the Attorney General’s powers in connection with the investigation and enforcement of data-breach matters.

Full copy of the newly signed law.