Five Things You Should Know About Arizona’s Data Breach Notification Statute
On August 1, 2018, Governor Doug Ducey signed a bill that amended Arizona’s data breach notification statute. Here are answers to five frequently asked questions about the effect of the revised statute.
What Constitutes a Data Breach Under the Statute?
The statute defines a “breach or security system breach” as:
an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals. A.R.S. § 18-551 (1)(a).
This definition excludes the “good faith acquisition of personal information” by your employee or agent for your purposes if the personal information is not used for a purpose unrelated to you and is not subject to further unauthorized disclosure. A.R.S. § 18-551 (1)(b).
For purposes of the statute, an “individual” is defined as:
a resident of Arizona who has a principal mailing address in Arizona as reflected in the records of the person conducting business in the state at the time of the breach. A.R.S. § 18-551 (4).
As used in the statute, “personal information” means any of the following:
- An individual’s first name or first initial and last name in combination with one or more specified data elements. A.R.S. § 18-551 (a)(i).
- An individual’s user name or email address, in combination with a password or security question and answer that allows access to an online account. A.R.S. § 18-551 (a)(ii).
As used in the statute, “specified data elements” are:
- an individual’s social security number;
- an individual’s driver’s license number;
- a private key unique to an individual that is used to authenticate or sign an electronic record;
- an individual’s financial account number or credit or debit card number in combination with any required security code, access code or password that allows access to the individual’s financial, credit or debit card account;
- an individual’s health insurance identification number;
- information about an individual’s medical or mental health treatment or diagnosis by a health care professional;
- an individual’s passport number;
- an individual’s taxpayer identification number or an identity protection personal identification number issued by the IRS; and/or
- unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.
A.R.S. § 18-551 (11)(a)-(i).
The statute’s definition of “personal information” specifically excludes publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media. A.R.S. § 18-551 (b).
What Does the Statute Require You to Do in the Event of a Data Breach?
If you (a) conduct business in Arizona; (b) own, maintain or license unencrypted and unredacted computerized personal information; and (c) become aware of a security incident, you are required to investigate and determine whether there has been a security system breach. A.R.S. § 18-552 (A).
As used in this provision a “security incident” is an event that creates reasonable suspicion that a person’s information systems or computerized data may have been compromised or that measures put in place to protect the person’s information systems or computerized data may have failed. A.R.S. § 18-551 (10).
If your investigation results in a determination that there has been a security system breach and you own or license the computerized data, within 45 days after the determination is made, you must notify:
- the individuals affected, subject to the needs of law enforcement. A.R.S. § 18-552 (B)(1).
- and, if the breach requires notification of more than 1,000 individuals, the three largest nationwide consumer reporting agencies and the Arizona Attorney General. A.R.S. § 18-552 (B)(2)(a) & (b).
If you maintain unencrypted and unredacted computerized personal information that you do not own or license, you are required, as soon as practicable after discovering any security system breach, to notify the owner or licensee of the information and to cooperate with that owner or licensee. Cooperation includes sharing information relevant to the breach with the owner or licensee. However, if you maintain the data under an agreement with the owner or licensee, you are not required to notify the affected individuals or the Attorney General yourself unless that agreement stipulates otherwise. A.R.S. § 18-552 (C).
What Type of Notice is Required?
The notice that you provide must include:
- the approximate date of the breach;
- a brief description of the personal information included in the breach;
- the toll-free numbers and addresses for the three largest nationwide consumer reporting agencies; and
- the toll-free number, address and website address for the FTC or any federal agency that assists consumers with identity theft matters.
A.R.S. § 18-552 (E)(1)-(4).
Your notice must be given by one of the following methods:
- Written notice
- Email notice, if you have an email address for the individuals entitled to receive notice.
- Telephonic notice, if telephonic contact is made directly with the affected individuals and is not through a prerecorded message.
- Substitute notice, if you demonstrate that the cost of providing notice in any of the above three manners would exceed $50,000, that the affected class of subject individuals to be notified exceeds 100,000 individuals or that you do not have sufficient contact information for the individuals entitled to receive notice.
Substitute notice consists of:
- A written letter to the Arizona Attorney General that demonstrates the facts necessary for substitute notice; and
- Conspicuous posting of the notice for at least 45 days on your website, if you maintain one.
A.R.S. § 18-552 (F)(1)-(4).
If a breach involves only an individual’s user name or email address, in combination with a password or security question and answer that allows access to an online account, you may provide notice in an electronic or other form that directs the individual whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps that are appropriate to protect the online account and all other online accounts for which the individual uses the same user name or email address and password or security question and answer. A.R.S. § 18-552 (G).
If you maintain your own notification procedures as part of an information security policy for the treatment of personal information and those procedures are otherwise consistent with the statute, including the 45-day notice provision, you will be deemed to comply if you notify subject individuals in accordance with your policies and procedures at the time the breach occurs. A.R.S. § 18-552 (H).
If you comply with the notification requirements or security system breach procedures pursuant to the rules, regulations, procedures, guidance or guidelines established by your primary or functional federal regulator, you will be deemed to comply with the statute. A.R.S. § 18-552 (I).
Are There Exceptions to the Notice Requirement?
You are not required to give notice if you, an independent forensic auditor or a law enforcement agency determine, after reasonable investigation, that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals. A.R.S. § 18-552 (J).
What Are the Penalties for Non-Compliance?
A knowing and willful violation of the statute is considered an unlawful practice that the Arizona Attorney General may enforce by investigating and taking appropriate action. Such action may include the imposition of a civil penalty not to exceed $10,000 per affected individual or the total amount of economic loss sustained by affected individuals, whichever is less. In any event, the maximum civil penalty that the Attorney General may impose for a breach or series of related breaches may not exceed $500,000. A.R.S. § 18-552 (L).
The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.