Learn About Data Breach Notification Law in Arizona
Statute Codes for Data Breach Notification in Arizona
Breach laws in Arizona are under Ariz. Rev. Stat. § 44-7501, including S.B. 1338 (Chapter 232), and H.B. 2154 (Chapter 177). S.B. 1338 was signed into law on April 26, 2006, and became effective in December of that year. H.B. 2154 was signed into law on April 11, 2018, and became effective as of August 3, 2018.
This law applies to an entity either individual or plural conducting Arizona business which maintains or licenses PI in computerized form. PI covered must either be unencrypted, unredacted, or both to be regulated under these laws. Entities that aren’t local, but have PI on state residents, are subject to this statute.
PI is defined as the first name and last name, or a first initial associated with the last name, that is attached to other critical information. Critical information includes SSNs, driver’s license or state ID numbers (pursuant to § 28-3166 and § 28-3165), financial information (credit/debit cards, account numbers, access codes, passwords, etc.), private authentication keys, health insurance numbers, medical or mental health data, passport information, tax IDs or EINs, or any unique data of a biometric kind. Additionally, usernames and email addresses coupled with passwords or security questions are PI.
Timeframes for Reporting a Data Breach in Arizona
Arizona law requires an entity managing PI to notify affected individuals no later than 45 days from the time it’s determined a breach has occurred. Notification may be delayed for prompt investigation of the breach cause, and what that investigation uncovers. If no PI is affected, or only encrypted PI has been affected, or the investigation determines no damages can be reasonably expected, notification isn’t needed.
Should post-investigative determination identify 1,000 or more individuals who must be notified, then the AG must also be given written notification. There may be a form as prescribed by the AG to fill out. Also, a copy of notifications sent to individuals affected can be used. Consumer reporting agencies must also be reported for breaches involving more than 1,000 residents.
Notice can be provided in written form, by telephone including actual contact of affected parties, or email address if it’s available. The notification should include when the breach happened, what PI was affected, and contact information including phone numbers and addresses of the big three credit reporting agencies. Should the breach merely involve online credentials and nothing else, entities presiding over the information can contact affected parties via email and prompt them to change login information or take other applicable measures.
If entity-furnished login information is affected, the entity must contact affected individuals as deemed appropriate, and require login data reset that is appropriately comprehensive (including security questions, passwords, or whatever else is necessary). If notification will cost the entity $50,000 or more, or over 100,000 individuals in AZ have been affected, or there isn’t enough contact information for notification, substitute contact methods include written letters to the AG demonstrating these facts, a conspicuous post on the entity’s site, and statewide media notification.
Exemptions in Arizona
Compliance with state regulatory guidelines is sufficient. Compliance with the Gramm-Leach-Bliley Act makes it so entities so-covered aren’t required to concern themselves with the previously explored statutes. Entities covered under HIPAA are not required to follow these statute’s provisions, provided HIPAA compliance is maintained.
Contact Security Compliance Associates to Learn More About Breach Notification Law in Arizona</h3.
SCA has years of experience helping organizations across the United States to prevent and manage potential data breaches. Contact us today at 727-571-1141 to schedule a no-cost consultation. You can also download our free Data Breach Response Guide to learn more about breach notification law in your state.