Arizona Data Security Breaches
AZ Rev Stat § 18-551 - § 18-552
SUMMARY:
EFFECTIVE. December 31, 2006
WHO DOES THIS LAW APPLY TO. Any person or entity that conducts business in Arizona and owns, licenses, or maintains unencrypted and unredacted computerized data that includes Personal Information. The law also reaches any entity that maintains such information on Arizona residents, even if the entity does not conduct business in the state.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security, integrity, or confidentiality of Personal Information maintained by an entity as part of a database, where the acquisition is likely to result in substantial economic loss to an individual.
WHAT IS PERSONAL INFORMATION. A resident’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted or otherwise secured by any other method rendering the element unusable, or it was secured and the encryption key or password was also acquired:
- Social Security Number.
- Driver's license number or Arizona identification card number (pursuant to §§ 28-3165 and 28-3166).
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account.
- A private key that is unique to an individual and that is used to authenticate or sign an electronic record.
- Health insurance identification number.
- Medical or mental health treatment or diagnosis.
- Passport number.
- Individual taxpayer identification number or identity protection PIN issued by the IRS.
- Unique biometric data generated from a measurement or analysis of human body characteristics, used to authenticate a resident when accessing an online account.
- User name or email address, in combination with a password or a security question and answer, that allows access to an online account.
Personal Information does not include publicly available information that is lawfully available from Federal, State, local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Arizona residents affected. No notification is required if the person or business determines that a security breach is not reasonably likely to subject consumers to risk of criminal activity.
If the entity is required to notify more than 1,000 residents, it shall also notify:
- The Attorney General, in writing, in a form prescribed by rule or order of the Attorney General, or by providing a copy of the individual notification.
- The three largest nationwide consumer reporting agencies.
EXCEPTIONS. This Section does not apply in the following cases:
- A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, provided the information is not used for an unrelated purpose or subject to further unauthorized disclosure.
- The entity, an independent third-party forensic auditor, or a law enforcement agency has determined after a reasonable investigation that the breach has not resulted in, and is not reasonably likely to result in, substantial economic loss to affected residents.
- An entity that maintains its own notice procedures as part of a Personal Information security policy, consistent with the timing requirements of the statute, is considered in compliance with the notification requirements if it notifies affected residents in accordance with those policies.
- Gramm-Leach-Bliley Act exception. An entity that is subject to, and in compliance with, the privacy and security requirements of Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., or a person that has a contractual obligation to such an entity or to a government entity that has in effect a policy concerning breaches of information security, is deemed to be in compliance.
- HIPAA-Covered Entity exception. A health plan, health care clearinghouse, or health care provider that transmits health information in electronic form is deemed to be in compliance if it complies with the requirements of 45 C.F.R. Part 164.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent within 45 days after the entity determines that a breach has occurred. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the data system. Notification may be delayed to a specific date if a law enforcement agency determines that it would impede a criminal investigation; in that case, notification shall be made as soon as possible after law enforcement gives clearance.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice.
- Electronic (email) notice, if the entity has email addresses for the affected residents.
- Telephone notice, made directly to the individual and not through a prerecorded message.
- Substitute notice, as provided below.
The notification shall include at least the following:
- The approximate date of the breach.
- A brief description of the Personal Information included in the breach.
- The toll-free numbers and addresses of the three largest nationwide consumer reporting agencies.
- The toll-free number, address, and website address of the Federal Trade Commission or any federal agency that assists consumers with identity theft matters.
SUBSTITUTE NOTICE AVAILABLE. Substitute notice may be used if the person or business can demonstrate that the cost of providing notice would exceed $50,000, that the affected class of persons to be notified exceeds 100,000 individuals, or that the entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
- A written letter to the Attorney General that demonstrates the facts necessary for substitute notice.
- Email notice, if the entity has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the entity's website, if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD PARTIES. If a person or business maintains data that includes Personal Information it does not own, then that person or business shall notify the owner or licensee of the data of the breach as soon as practicable upon discovery. The owner or licensee shall then provide notice to the affected individual(s). The person or business that maintained the data under an agreement with the owner or licensee is not required to notify the individuals under this Section unless the agreement stipulates otherwise.
CONSEQUENCES FOR FAILING TO NOTIFY. Only the Arizona Attorney General may enforce violations of this Section. The Attorney General may bring an action to obtain: (1) actual damages for a willful and knowing violation of this Section; and (2) a civil penalty not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss sustained by the affected individuals, provided that the maximum civil penalty for a breach or series of related breaches may not exceed $500,000. Any restitution owed to the affected individuals is in addition to the civil penalty.
PRIVATE RIGHT OF ACTION. None is provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. The law generally requires covered persons to act only if and when a security breach has already occurred. However, if a covered person has security and privacy policies in place that include notification procedures in the event of a breach, compliance with those policies is deemed compliance with the law. The law therefore encourages companies to adopt data-privacy and security policies with consumer-notification provisions in advance of any potential breach.
DATA DISPOSAL PROVISIONS. Ariz. Rev. Stat. § 44-7601. An entity shall not knowingly discard or dispose of records or documents (paper records and paper documents) without redacting the information or destroying the records or documents if they contain an individual's first and last name, or first initial and last name, in combination with a corresponding complete:
- Social Security number;
- Credit card, charge card, or debit card number;
- Retirement account number;
- Savings, checking, or securities entitlement account number; or
- Driver license number or nonoperating identification license number.
LEGISLATIVE UPDATES.
S.B. 1338 – Signed into law on 4/26/2006, Effective 12/31/2006.
H.B. 2363 – Signed into law on 4/5/2016.
H.B. 2666 – Signed into law on 5/19/2016.
H.B. 2154 – Signed into law on 4/11/2018, Effective 8/3/2018.
For more information, see:
- https://www.azleg.gov/ars/18/00551.htm
- https://www.azleg.gov/ars/18/00552.htm
- https://www.azag.gov/consumer/data-breach/faq
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.