July 15, 2019

Arizona Legislature Considers Strengthening Data Breach Notification Law

The Arizona State Legislature is considering proposed legislation that, if enacted, would significantly change the requirements for how Arizona entities respond to data breaches.

Under Arizona's existing breach notification law, entities that conduct business in the state and own or license computerized data that includes personal information (PI) are required to notify individuals if the entity is the victim of a security breach that compromises the security or confidentiality of the PI and that causes or is likely to cause substantial economic loss to an individual. The proposed legislation would remove the "substantial economic loss" requirement, thereby lowering the threshold for when notice is required.

The proposed legislation also would significantly expand the definition of PI. The law currently defines PI as an individual's first name or first initial and last name combined with a social security number, driver's license number, non-operating identification license, or financial account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account.

The proposed legislation would end the requirement that a security code, access code or password must be compromised with the financial account number or credit/debit card number. It also would add the following data elements to the definition of PI:

  • A physical characteristic that is attributable to an individual, including a fingerprint, eye, hand, vocal, or facial characteristic or any other physical characteristic used to electronically identify that individual with a high degree of certainty;

  • An individual's protected health information, such as a health insurance ID number, medical history, mental or physical condition, and medical treatment or diagnosis by a health care professional;

  • A taxpayer identification number or identity protection personal identification number issued by the IRS;

  • A user name or email address, in combination with a password or security question and answer, that allows access to an online account; and

  • Student personally identifiable data, defined as a minor student’s name, address, date of birth, SSN, email or social media address, credit, debit, or other financial services account number, or parent’s name, or any other information that would link a specific minor student to a specific school community.

Additionally, the proposed legislation would change the timing requirements for providing notice to affected individuals. Under existing law, notice needs to be provided in the "most expedient manner possible and without unreasonable delay." The proposed law would impose a more stringent 30-day deadline and also would require entities to notify the Attorney General.

Finally, the proposed legislation would require the notice to affected individuals to state:

  • The approximate date of the breach;

  • A brief description of the personal information included in the breach;

  • The toll-free numbers and addresses for the three largest consumer reporting agencies; and

  • The toll-free number, address, and website address for the Federal Trade Commission or any federal agency that assists consumers with matters of identity theft.

Notably, the proposed legislation retains the current law's provision that notice does not need to be provided if the information was encrypted or redacted. Therefore, entities can take reasonable steps today to mitigate their risk of having to provide notice if they suffer a data breach.

If enacted, this proposed legislation will substantially change the manner in which entities that conduct business in Arizona and own, license, or maintain personal information must respond to security breaches of such information. Such entities should closely monitor this proposed legislation and carefully consider how these proposed revisions may apply to their specific business.

Copyright © by Ballard Spahr LLP


About this Author

David Stauss, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney

David M. Stauss focuses on complex business and commercial litigation in state and federal courts. He handles all aspects of litigation on a wide range of substantive matters for clients, including product liability, landowner liability, and commercial lending.

Mr. Stauss is head of the Denver office's privacy and cybersecurity practice group. He advises clients on regulatory and statutory compliance issues, third-party vendor management policies and contractual provisions, cyber liability insurance retention and coverage analysis, information...

John Kerkorian, Ballard Spahr Law Firm, Phoenix, Litigation Attorney

John G. Kerkorian is Managing Partner of the Phoenix office. He has wide-ranging civil litigation experience, with emphasis on disputes involving contract breaches, business torts, commercial acquisitions and investments, real estate and mortgages, partnership matters, trade secret misappropriation, and business terminations. In addition, John regularly handles employment-related disputes involving restrictive covenants, harassment, and discrimination.

John is also a member of the Privacy and Data Security Group, providing assistance with investigations and litigation, as well as pre-litigation planning, E-Discovery, and contract analysis.

John is a member of Ballard Spahr's Elected Board.

Kimberly Warshawsky, Ballard Spahr Law Firm, Phoenix, Intellectual Property Attorney

Kimberly A. Warshawsky is the Practice Leader of the Trademarks and Copyrights Groups, and a member of the Intellectual Property Litigation Group. Kim represents clients on transactional matters, particularly with respect to trademark counseling and prosecution, licensing intellectual property and software, and conducting pre-merger and pre-acquisition IP due diligence. She represents trademark and copyright owners for claims of infringement of federal and common-law trademarks and copyrights. She has filed and defended against cybersquatting claims and Uniform Domain-...

Gregory Szewczyk, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney

Greg Szewczyk is a litigator with experience serving as a member of several trial and arbitration teams. His responsibilities include examining witnesses at trial; drafting opening and closing presentations; drafting dispositive, discovery and pretrial motions, as well as appellate briefs; taking and defending depositions; arguing evidentiary and procedural issues; preparing witnesses for testimony; and drafting scripts for direct and cross-examinations. He is also a member of the Denver office’s cybersecurity practice group.