Arizona Legislature Considers Strengthening Data Breach Notification Law
The Arizona State Legislature is considering proposed legislation that, if enacted, would significantly change the requirements for how Arizona entities respond to data breaches.
Under Arizona's existing breach notification law, entities that conduct business in the state and own or license computerized data that includes personal information (PI) are required to notify individuals if the entity is the victim of a security breach that compromises the security or confidentiality of the PI and that causes or is likely to cause substantial economic loss to an individual. The proposed legislation would remove the "substantial economic loss" requirement, thereby lowering the threshold for when notice is required.
The proposed legislation also would significantly expand the definition of PI. The law currently defines PI as an individual's first name or first initial and last name combined with a social security number, driver's license number, non-operating identification license, or financial account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account.
The proposed legislation would end the requirement that a security code, access code or password must be compromised with the financial account number or credit/debit card number. It also would add the following data elements to the definition of PI:
A physical characteristic that is attributable to an individual, including a fingerprint, eye, hand, vocal, or facial characteristic or any other physical characteristic used to electronically identify that individual with a high degree of certainty;
An individual's protected health information, such as a health insurance ID number, medical history, mental or physical condition, and medical treatment or diagnosis by a health care professional;
A taxpayer identification number or identity protection personal identification number issued by the IRS;
A user name or email address, in combination with a password or security question and answer, that allows access to an online account; and
Student personally identifiable data, defined as a minor student’s name, address, date of birth, SSN, email or social media address, credit, debit, or other financial services account number, or parent’s name, or any other information that would link a specific minor student to a specific school community.
Additionally, the proposed legislation would change the timing requirements for providing notice to affected individuals. Under existing law, notice needs to be provided in the "most expedient manner possible and without unreasonable delay." The proposed law would impose a more stringent 30-day deadline and also would require entities to notify the Attorney General.
Finally, the proposed legislation would require the notice to affected individuals to state:
The approximate date of the breach;
A brief description of the personal information included in the breach;
The toll-free numbers and addresses for the three largest consumer reporting agencies; and
The toll-free number, address, and website address for the Federal Trade Commission or any federal agency that assists consumers with matters of identity theft.
Notably, the proposed legislation retains the current law's provision that notice does not need to be provided if the compromised information was encrypted or redacted. Therefore, entities can take reasonable steps today, such as encrypting or redacting the PI they store, to reduce their risk of having to provide notice if they suffer a data breach.
If enacted, this proposed legislation will substantially change the manner in which entities that conduct business in Arizona and own, license, or maintain personal information must respond to security breaches of such information. Such entities should closely monitor this proposed legislation and carefully consider how these proposed revisions may apply to their specific business.