How Can We Help?
Created On
byBill Haber
You are here:
< Back
Arizona, known as The Grand Canyon State, has an amazing, fast-growing business climate. Regarding Cybersecurity regulations & Data Breach Law, it still trails many state’s standards. Here’s an overview.
Arizona’s Data Breach Notification Law (A.R.S. § 18-552)
Arizona Revised Statutes 18-545
- Enacted in 2006, Arizona’s data breach notification law requires entities that conduct business in Arizona which own, maintain, or license unencrypted and unredacted computerized personal information to notify affected individuals within 45 days of determining that a breach has occurred.
- Notification is not required if an investigation determines a breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.
- Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
- Entities must notify the Attorney General in writing if the entity is required to notify more than 1,000 Arizona residents.
- Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law, if the procedures are consistent with statute and are followed in the event of a breach.
- Entities in compliance with relevant federal and state regulations, HIPAA or the GLBA are deemed to comply with this law.
- Breached third parties must notify the relevant data owners or licensees as soon as possible.
- Civil penalties of up to $10,000 to $500,000 are stipulated.
Requirements and Fines
In Arizona, any business or leaser of unencrypted computer data must comply with state mandates if a breach of personal information occurs. Affected customers must be notified by phone or written or electronic means. An alternate method of notice may be substituted if the breach affects more than 1,000 residents. Businesses may face fines up to $10,000 per breach investigation.
| Name of Law / Statute | N/A |
| Definition of Protected Information | Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes. |
| Who Is Subject to Law? | Any business or leaser of unencrypted computer data |
| Notification of Consumers? | Yes |
| By what means? | Written, electronic, or phone |
| Substitute Notice Threshold? | >1000 residents |
| Notification of authorities / regulators required? | No |
| By what means? | N/A |
| Regulatory Fines | $10,000 per breach/investigation |
| Credit monitoring requirement? | No |
| Private lawsuits allowed? | No |
| Private damages cap? | N/A |
| Regulatory actions allowed? | N/A |
| HIPAA Compliance exemption? | N/A |
| Other (e.g., timeframe) | Law does not apply if PI was encrypted |
| Link to complete law | http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44 |
