Given the nearly daily reports of data breaches, ransomware attacks and phishing exploits affecting entities of all sizes, Arizona entities should be aware that Arizona law may require them to provide notice to employees, customers and/or other third parties if the entity is the victim of a security breach. At the same time, however, entities that take the time to understand Arizona law before a breach occurs can implement measures to better protect themselves from spending thousands of dollars (if not more) responding to a cybersecurity incident.
Under Arizona's breach notification law, entities that conduct business in the state and that own or license computerized data that includes personal information (PI) are required to notify individuals if the entity is the victim of a security breach that compromises the security or confidentiality of the PI and that causes or is likely to cause substantial economic loss to an individual. The notice must be provided in the "most expedient manner possible and without unreasonable delay."
The law defines "personal information" as an individual's first name or first initial and last name combined with a social security number, driver's license number, non-operating identification license, or financial account number, credit card or debit card number in combination with any required security code, access code or password that would permit access to the individual's financial account. Consequently, any entity with employee, customer or third-party records containing these data elements may have to provide notice in the event of a security breach.
Notably, the law does not require notification if the computerized data was encrypted or redacted (i.e., altering the data element such that only the last four digits are accessible). That provision is significant because it allows entities to take steps today to store only redacted data or to encrypt it in transit (e.g., email) and at rest (e.g., as stored on a server). Considering that providing notice can easily cost tens of thousands of dollars, these steps could pay substantial dividends down the road.
Notice also is not required if the computerized data was accessed or acquired by an employee or agent of the entity for a legitimate purpose and the data was not otherwise improperly used. For example, this could apply if an employee mistakenly accesses a database containing PI.
Entities that possess or maintain unencrypted PI that they do not own (e.g., a payroll vendor or cloud service provider) are required to notify the owner of the information if they suffer a security breach and cooperate in any investigation. However, unless an agreement between the parties provides otherwise, the data owner (and not the third-party service provider that suffered the breach) must provide notice of the breach to affected individuals. Because of that, entities should consider requiring third-party service providers to indemnify them for any costs incurred in having to provide notice. Alternatively, entities could consider requiring the third-party service provider to provide the notice; however, for customer-relations purposes, it may be better for the entity to provide the notice.
Additionally, to mitigate the risk of a breach even occurring, entities should contractually require third-party service providers to implement reasonable security measures to protect the computerized data. For example, third-party service providers could be contractually required to encrypt data in transit and at rest, implement access controls, and segregate the data on their systems. Entities that frequently disclose PI to third-party service providers also should consider creating a vendor questionnaire and form of contractual terms to streamline this process and ensure that PI is adequately protected across different service providers.
The Arizona Attorney General is authorized to enforce the statute and bring an action against any entity that fails to comply. The Attorney General is permitted to seek actual damages for a willful and knowing violation and statutory damages. The law does not apply to entities regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm-Leach-Bliley Act.
It is worth noting that 47 states other than Arizona have statutes that require notice to individuals if their PI is compromised. However, those statutes vary widely. For example, some states include other data elements in their definition of PI, such as biometric, health or medical information. State laws also vary on how quickly notice must be provided and what types of information the notice must include. Therefore, entities that suffer a data breach should consider retaining outside privacy/cybersecurity counsel to conduct an investigation and to navigate through the legal requirements of providing notice, if necessary.