Arizona State Data Breach Notification Laws Overview

The document provided is an overview of the Arizona State Data Breach Law. It is not a substitute for advice from an attorney, but is meant to be used as a business tool to help educate and start conversations between business, IT and counsel. I hope you find it helpful. Please let me know if you have any questions or comments.


Who must comply?

Pretty much everyone…

Natural person, corporation, business trust, estate, trust, partnership, association, joint venture, government or governmental subdivision or agency or any other legal or commercial entity.


What Data is Covered?

Personal Information

An individual's first name or first initial and last name, combined with any one of the following:

  • An individual's electronic signature.

  • A physical characteristic that is attributable to an individual, including a fingerprint, eye, hand, vocal or facial characteristic or any other physical characteristic used to electronically identify that individual.

  • An individual's protected health information, such as health insurance ID number, medical history, mental or physical condition, medical treatment or diagnosis by a health care professional.

  • An individual's taxpayer ID number or an identity protection personal ID number issued by the IRS.

  • An individual's username or e-mail address, in combination with a password or security question and answer, that allows access to an online account.

  • Student personally identifiable data: a minor student's name, address, date of birth, social security number, e‑mail or social media address, credit, debit or other financial services account number, parent's name, or any other information that would link a specific minor student to a specific school community.

*** An individual's username or e-mail address, in combination with a password or security question and answer, that allows access to an online account. This type of information has separate notification considerations not listed in this overview.


Exclusions

Public, Encrypted or Redacted PI

  • Publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

  • Personal Information that is encrypted or redacted.

  • If a third-party forensic auditor or law enforcement agency determines after a reasonable investigation that a breach has not occurred or is not likely to occur.


What is a Security Incident?

  • A security incident occurs when a "person" (natural or business, government, or other legal entity*) that owns, maintains or licenses unencrypted or unredacted computerized PI becomes aware of an event that indicates PI systems or data may have been compromised, or that security or protection measures have failed.

What is a Breach?

  • Unauthorized access to or acquisition of PI that materially compromises the security or confidentiality of PI maintained as part of a database of PI regarding multiple individuals.

  • Does not include a good faith acquisition of PI by a person's employee or agent for the purposes of the person if the PI is not used for a purpose unrelated to the person and is not subject to further willful unauthorized disclosure.


How to Comply

Post Security Incident Compliance

  • Promptly conduct a reasonable investigation to determine whether there has been a security system breach.

  • Owners and entities that license the data are to notify the affected individuals (subject to the needs of law enforcement) within 45 days.

  • A person that maintains PI shall notify the owner or licensee of the information as soon as practicable on discovering a breach and cooperate with the owner or the licensee of the PI.

    o   The person that owns or licenses the computerized data shall provide notice to the individuals and consumer reporting agencies as required.

    o   The person that maintains the data shall notify the attorney general in writing within thirty days after discovering the breach.

    o   These allocations apply unless the agreement between the parties stipulates otherwise.


Notice Requirements

Notice shall include at least the following:

  • The approximate date of the breach.

  • A brief description of the personal information included in the breach.

  • The toll-free numbers and addresses for the three largest consumer reporting agencies.

  • The toll-free number, address and website address for the Federal Trade Commission or any federal agency that assists consumers with identity theft matters.

Notice shall be provided by one of the following methods:

  • Written notice.

  • Electronic notice, if the person's primary method of communication with the individual is by electronic means or the notice is consistent with federal electronic records legal requirements.

  • Telephonic notice, if telephonic contact is made directly with the affected individuals and is not through a prerecorded message.

If the breach requires notification of more than 1,000 individuals:

    o   Notify the three largest nationwide consumer reporting agencies.

    o   Notify the Attorney General in writing within thirty days after the determination of a breach.

 

Substitute Notice

Substitute notice is permitted if any of the following applies:

    o   the cost of providing notice as described above would exceed $50,000;

    o   the affected class exceeds 100,000 individuals;

    o   there is insufficient contact information.

Substitute notice shall consist of ALL of the following:

    o   A written notice to the attorney general demonstrating the facts necessary for substitute notice.

    o   Conspicuous posting of the notice on the website of the person, if the person maintains one, for at least 45 days.


Sanctions and Remedies

  • The attorney general may impose a civil penalty for a violation of this article not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss sustained by affected individuals, but the maximum civil penalty from a breach or series of related breaches may not exceed $500,000.

  • This section does not prevent the attorney general from recovering restitution for affected individuals.