The Arizona Legislature has significantly expanded and strengthened the state's data breach notification law. The legislation was signed by Arizona Governor Doug Ducey on April 11, 2018.
Below we discuss the most notable changes:
Expanded Definition of "Personal Information"
Arizona's prior law narrowly defined "personal information" as an individual's first name or first initial in combination with the individual's social security number; driver's license number or non-operating identification license number; or financial account or credit card number in combination with any required security code, access code, or password that would permit access to the account.
The new law significantly expands that definition to include the following data elements: a private key that is unique to an individual and is used to authenticate or sign an electronic record; an individual health insurance identification number; information about an individual's medical or mental health treatment or diagnosis by a health care professional; a passport number; a taxpayer identification number or an identity protection personal identification number issued by the IRS; or unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.
Whereas Arizona's prior definition was one of the narrowest in the country, its new definition is one of the most expansive.
Extension to Online Account Log-In Information
The law also now requires notification if there is a breach of an individual's user name or email address, in combination with a password or security question and answer, that allows access to an online account. If the breach is limited to that information (and does not include any other data elements), notice may be provided in an electronic or other form that requires the affected individuals to change their passwords and security questions/answers and directs them to change their passwords and security questions/answers for any other online accounts that use the same information.
45-Day Deadline to Provide Notice
Arizona has joined the growing number of states that have set a specific timeframe for when notice of a data breach must be provided to affected individuals. Arizona law previously required that notice must be provided "in the most expedient manner possible and without unreasonable delay." However, the new law requires that notice be provided within 45 days after a determination that a "security system breach" has occurred. The statute defines "security system breach" as "an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals."
Notably, the amended statute provides that notice does not need to be provided "if the person, an independent third-party forensic auditor, or law enforcement agency determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals." The prior law also contained a "substantial economic loss" requirement but did not specify that a third-party forensic auditor or law enforcement agency could make that determination.
Contents of the Notice
The new law specifies that the notice must contain the approximate date of the breach, a brief description of the personal information included in the breach, and the contact information for the three largest nationwide consumer reporting agencies and the Federal Trade Commission. That change is consistent with other recently amended/enacted statutes with similar requirements.
Notice to Consumer Reporting Agencies and Attorney General
If the breach requires notification to more than 1,000 individuals, notice also now must be provided to the three largest nationwide consumer reporting agencies and the Arizona Attorney General.
Increased Civil Penalties
The Attorney General retains exclusive authority to enforce willful and knowing violations of the statute, and the new law significantly increases the potential penalty. Under prior law, the AG could seek a $10,000 civil penalty "per breach of the security system or series of breaches of a similar nature." The new law provides that the AG may seek a civil penalty "not to exceed the lesser of ten thousand dollars per affected individual or the total amount of economic loss sustained by affected individuals," with a "maximum civil penalty from a breach or series of related breaches" of $500,000.
In sum, entities that do business in Arizona and collect personal information from state residents should take note of these changes and analyze whether their existing information security controls are sufficient to protect against a data breach.