On April 11, 2018, the Arizona governor signed into law House Bill 2154 (HB 2154) which amends Arizona’s data breach notification laws by creating a 45 day timeline for data breach notifications and broadening the definition of “personal information.” The amendments are effective July 20, 2018.
Currently, Arizona’s data breach notification laws require that if during a reasonable investigation it is determined that a breach in a company’s security system occurred involving an individual’s personal information, the company must notify the affected individuals in the “most expedient manner possible and without unreasonable delay.” Once HB 2154 is effective, any person that owns or licenses the computerized data that is determined to be breached must notify the affected individuals within 45 days. The notification may be delayed if a law enforcement agency advises that the notification will impede a criminal investigation. However, upon being informed by the law enforcement agency that the notification will no longer compromise the criminal investigation, the person or company affected by the breach will have 45 days to notify the affected individuals.
As it is currently drafted, “personal information” means an individual’s name in addition to another data point (i.e., social security number, etc.). However, in addition to the current definition of “personal information,” the amendments will add the following data points to the definition of “personal information” and if these data points are compromised, even if the individual’s name is not compromised, it constitutes a breach: (i) an individual’s electronic signature; (ii) a physical characteristic that is attributable to an individual, including a fingerprint, eye, hand, vocal or facial characteristic or any other physical characteristic used to electronically identify that individual with a high degree of certainty; (iii) an individual’s taxpayer identification number or an identity protection personal identification number issued by the IRS; or (iv) an individual’s user name or email address, in combination with a password or security question and answer that allows access to an online account.
If an individual’s user name or email address in combination with a password or security question and answer that allows access to an online account is the only personal information compromised, the person or company suffering the breach will satisfy the data breach notification requirements by directing the individual whose personal information has been breached to promptly change the individual’s password and security question or answer, as applicable or to take other reasonable steps to protect his/her online accounts. If an individual’s email account information is breached, the person will satisfy the notification requirement by requiring the individual to reset his/her password or security question and answer for that account, if the person or company suffering the breach also notifies the individual to change the same password or security question and answer for all other online accounts.
As currently drafted, a person or company is not required to notify affected individuals if the person or company after a reasonable investigation determines that a breach has not occurred. However, once effective, a person or company will also not be required to make the required notifications if an independent third-party forensic auditor or a law enforcement agency determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.
Currently, Arizona statute does not specify what must be included within a data breach notification. However, once these amendments are effective, the data breach notification must include: (i) the approximate date of the breach; (ii) a brief description of the personal information included in the breach; (iii) the toll-free phone number and address for the three largest consumer reporting agencies; and (iv) the toll-free number, address and website address for the Federal Trade Commission or any federal agency that assists consumers with identity theft matters.
Any person or company affected by a data breach will be able to provide the required notification by written notice; an email notice if the person has an email address for the individual who must receive the notice; and telephonic notice, if telephonic contact is made directly with the affected individuals and is not through a prerecorded message.
If the breach requires notification of more than one thousand individuals, the person will be required to notify both: (i) the three largest nationwide consumer reporting agencies; and (ii) the Attorney General, in writing by a form provided by the Attorney General or by providing a copy of the notification provided to the affected individuals.
Moreover, a person that maintains unencrypted and unredacted computerized personal information that the person does not own or license will be required to notify, as soon as practicable, the owner or licensee of the information on discovering any security system breach.
A knowing and willful violation of this law is an unlawful practice under the Arizona Consumer Fraud statute. The maximum civil penalty from a breach or a series of related breaches may not exceed five hundred thousand dollars.
The entire Arizona House Bill 2154 can be found here.