Arizona Legislature Considers Strengthening Data Breach Notification Law

Ballard Spahr LLP

The Arizona State Legislature is considering proposed legislation that, if enacted, would significantly change the requirements for how Arizona entities respond to data breaches.

Under Arizona's existing breach notification law, entities that conduct business in the state and own or license computerized data that includes personal information (PI) are required to notify individuals if the entity is the victim of a security breach that compromises the security or confidentiality of the PI and that causes or is likely to cause substantial economic loss to an individual. The proposed legislation would remove the "substantial economic loss" requirement, thereby lowering the threshold for when notice is required.

The proposed legislation also would significantly expand the definition of PI. The law currently defines PI as an individual's first name or first initial and last name combined with a social security number, driver's license number, non-operating identification license, or financial account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account.

The proposed legislation would end the requirement that a security code, access code or password must be compromised with the financial account number or credit/debit card number. It also would add the following data elements to the definition of PI:

  • A physical characteristic that is attributable to an individual, including a fingerprint, eye, hand, vocal, or facial characteristic or any other physical characteristic used to electronically identify that individual with a high degree of certainty;

  • An individual's protected health information, such as a health insurance ID number, medical history, mental or physical condition, and medical treatment or diagnosis by a health care professional;

  • A taxpayer identification number or identity protection personal identification number issued by the IRS;

  • A user name or email address, in combination with a password or security question and answer, that allows access to an online account; and

  • Student personally identifiable data, defined as a minor student’s name, address, date of birth, SSN, email or social media address, credit, debit, or other financial services account number, or parent’s name, or any other information that would link a specific minor student to a specific school community.

Additionally, the proposed legislation would change the timing requirements for providing notice to affected individuals. Under existing law, notice needs to be provided in the "most expedient manner possible and without unreasonable delay." The proposed law would impose a more stringent 30-day deadline and also would require entities to notify the Attorney General.

Finally, the proposed legislation would require the notice to affected individuals to state:

  • The approximate date of the breach;

  • A brief description of the personal information included in the breach;

  • The toll-free numbers and addresses for the three largest consumer reporting agencies; and

  • The toll-free number, address, and website address for the Federal Trade Commission or any federal agency that assists consumers with matters of identity theft.

Notably, the proposed legislation retains the current law's provision that notice does not need to be provided if the information was encrypted or redacted. Therefore, entities can take reasonable steps today to mitigate their risk of having to provide notice if they suffer a data breach.

If enacted, this proposed legislation will substantially change the manner in which entities that conduct business in Arizona and own, license, or maintain personal information must respond to security breaches of such information. Such entities should closely monitor this proposed legislation and carefully consider how these proposed revisions may apply to their specific business.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
