The Arizona Data Breach Law

Snell & Wilmer

Almost all U.S. states have laws about data security and what to do when there’s a data breach. Here is what’s in the Arizona law.

Who The Law Applies To. The law applies to anyone who conducts business in Arizona and who owns or licenses unencrypted data that includes personal information. It also applies to anyone who maintains unencrypted data for someone else. The law’s language uses “person” for simplicity, but its definition includes corporations and other business organizations, associations, and government agencies.

The Arizona law defines personal information as an individual’s first name or first initial and last name in combination with any of the following if unsecured:

  1. Social security number; or
  2. Driver’s license or state identification card; or
  3. Credit card number, debit card number, or financial account number, in combination with any password, security code or access code that would allow access to the account.

What The Law Requires. The trigger is when the data owner or maintainer becomes aware of an incident of unauthorized acquisition and access to unencrypted data that includes an individual’s personal information. The data owner or maintainer must conduct a prompt investigation to determine if there has been a breach. If there has been a breach, notification is required.

What is a Breach. The term “breach” under this law means unauthorized acquisition of and access to unencrypted data that materially compromises the security or confidentiality of personal information regarding multiple individuals, and that causes or is reasonably likely to cause substantial economic loss to an individual. Hacking into a system is one example of a breach. But breaches often happen because of more ordinary events such as an employee losing a laptop or external drive, or the company accidentally emailing personal information to a third party.

When and How To Notify. If a breach is confirmed, the data owner or maintainer must notify the individual “in the most expedient manner possible and without unreasonable delay.” Written or phone notice is permitted. Email notice is permitted if that is the primary method of communicating with the individual.

Substitute notice may be permitted if more than 100,000 people need to be notified or if the notice would cost more than $50,000. Substitute notice includes the following: (a) email; (b) posting of notice on the company’s website; and (c) notification of major statewide media.

What is Encryption. Encryption isn’t defined in the law, but it’s essential to fully understand it. Encryption is encoding data. It’s the process of obscuring information, often through the use of a cryptographic scheme, to make the data unreadable without the use of a decoding key. Encryption can be done on data “in communication” (from one computer to another) or on data “at rest” (stored locally).

What if Law Enforcement is Involved. The law provides that notification “may be delayed” if a law enforcement agency advises that notification will impede a criminal investigation. Notification “shall” be made after law enforcement determines that it will not compromise the investigation. Close cooperation to protect the interests of the business is well advised.

What are the Law’s Penalties. Penalties for failing to comply are actual damages for a willful and knowing violation, plus $10,000 per breach or series of similar breaches. Only the Arizona Attorney General has the power to enforce the law. There is no private right of action. The state law says that it preempts all municipal and county laws and rules on this topic.

The full statute is found at A.R.S. § 44-7501. The law has been in effect since 2006. In the event of a breach, a business should act immediately to secure its system, get the word out, and protect itself and its customers. It also may be appropriate to have a data breach response plan in place to prepare, and to test such a plan before a breach arises.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
