June 25, 2019

June 25, 2019

Subscribe to Latest Legal News and Analysis

June 24, 2019

Subscribe to Latest Legal News and Analysis

Arizona Strengthens and Expands Data Breach Notification Law

The Arizona Legislature has significantly expanded and strengthened the state's data breach notification law. The legislation was signed by Arizona Governor Doug Ducey on April 11, 2018.

Below we discuss the most notable changes:

Expanded Definition of "Personal Information"

Arizona's prior law narrowly defined "personal information" as an individual's first name or first initial in combination with the individual's social security number; driver's license number or non-operating identification license number; or financial account or credit card number in combination with any required security code, access code, or password that would permit access to the account.

The new law significantly expands that definition to include the following data elements: a private key that is unique to an individual and is used to authenticate or sign an electronic record; an individual health insurance identification number; information about an individual's medical or mental health treatment or diagnosis by a health care professional; a passport number; a taxpayer identification number or an identity protection personal identification number issued by the IRS; or unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.

Whereas Arizona's prior definition was one of the narrowest in the country, its new definition is one of the most expansive.

Extension to Online Account Log-In Information

The law also now requires notification if there is a breach of an individual's user name or email address, in combination with a password or security question and answer, that allows access to an online account. If the breach is limited to that information (and does not include any other data elements), notice may be provided in an electronic or other form that requires the affected individuals to change their passwords and security questions/answers and directs them to change their passwords and security questions/answers for any other online accounts that use the same information.

45-Day Deadline to Provide Notice

Arizona has joined the growing number of states that have set a specific timeframe for when notice of a data breach must be provided to affected individuals. Arizona law previously required that notice must be provided "in the most expedient manner possible and without unreasonable delay." However, the new law requires that notice be provided within 45 days after a determination that a "security system breach" has occurred. The statute defines "security system breach" as "an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals."

Notably, the amended statute provides that notice does not need to be provided "if the person, an independent third-party forensic auditor, or law enforcement agency determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals." The prior law also contained a "substantial economic loss" requirement but did not specify that a third-party forensic auditor or law enforcement agency could make that determination.

Contents of the Notice

The new law specifies that the notice must contain the approximate date of the breach, a brief description of the personal information included in the breach, and the contact information for the three largest nationwide consumer reporting agencies and the Federal Trade Commission. That change is consistent with other recently amended/enacted statutes with similar requirements.

Notice to Consumer Reporting Agencies and Attorney General

If the breach requires notification to more than 1,000 individuals, notice also now must be provided to the three largest nationwide consumer reporting agencies and the Arizona Attorney General.

Increased Civil Penalties

The Attorney General retains exclusive authority to enforce willful and knowing violations of the statute, and the new law significantly increases the potential penalty. Under prior law, the AG could seek a $10,000 civil penalty "per breach of the security system or series of breaches of a similar nature." The new law provides that the AG may seek a civil penalty "not to exceed the lesser of ten thousand dollars per affected individual or the total amount of economic loss sustained by affected individuals," with a "maximum civil penalty from a breach or series of related breaches" of $500,000.

In sum, entities that do business in Arizona and collect personal information from state residents should take note of these changes and analyze whether their existing information security controls are sufficient to protect against a data breach.

Copyright © by Ballard Spahr LLP

TRENDING LEGAL ANALYSIS


About this Author

John Kerkorian, Ballard Spahr Law Firm, Phoenix, Litigation Attorney
Partner

John G. Kerkorian is Managing Partner of the Phoenix office. He has wide-ranging civil litigation experience, with emphasis on disputes involving contract breaches, business torts, commercial acquisitions and investments, real estate and mortgages, partnership matters, trade secret misappropriation, and business terminations. In addition, John regularly handles employment-related disputes involving restrictive covenants, harassment, and discrimination.

John is also a member of the Privacy and Data Security Group, providing assistance with...

602-798-5408
David Stauss, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney
Partner

David M. Stauss focuses on complex business and commercial litigation in state and federal courts. He handles all aspects of litigation on a wide range of substantive matters for clients, including product liability, landowner liability, and commercial lending.

Mr. Stauss is head of the Denver office's privacy and cybersecurity practice group. He advises clients on regulatory and statutory compliance issues, third-party vendor management policies and contractual provisions, cyber liability insurance retention and coverage analysis, information security controls, incident response policies and plans, and data breach response.

303-299-7363
Jeffrey H Warshafsky, Proskauer Law firm, Litigation Attorney
Associate

Jeffrey H. Warshafsky is an Associate in the Litigation Department, resident in the New York office. He is a commercial litigator with a particular emphasis on false advertising, trademark, and counterfeiting disputes. Jeff also advises clients on trademark portfolio management, anti-counterfeiting strategies, cybersquatting prevention, and other Internet-related trademark infringement matters.

212-969-3241
Gregory Szewczyk, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney
Associate

Greg Szewczyk is a litigator with experience serving as a member of several trial and arbitration teams. His responsibilities include examining witnesses at trial; drafting opening and closing presentations; drafting dispositive, discovery and pretrial motions, as well as appellate briefs; taking and defending depositions; arguing evidentiary and procedural issues; preparing witnesses for testimony; and drafting scripts for direct and cross-examinations. He is also a member of the Denver office’s cybersecurity practice group.

303-299-7382