Arizona Updates Its Data Breach Notification Law
Thursday, May 31, 2018
data breach, Arizona, legislation, notification, 45-day
Print Mail Download i

Last month, South Dakota and Alabama became the final two states to enact a data breach notification law. In addition, many other states, in response to trends, heightened public awareness, and a string of large-scale data breaches, have continued amending their existing laws. Arizona is the latest state to update its data breach notification law to reflect recent trends.

Introduced in January and signed into law recently by Arizona Governor Doug Ducey, the new law has several key updates, including:

  • Expands the definition of personal information to encompass:

    • information about an individual’s medical or mental health treatment or diagnosis by a healthcare professional;
    • a private key that is unique to an individual and is used to authenticate or sign an electronic record;
    • an individual health insurance identification number;
    • a passport number;
    • a taxpayer identification number or an identity protection personal identification number issued by the IRS;
    • unique biometric data used for online authentication purposes; or
    • an individual’s username or email address, in combination with password or security question and answer, that allows access to an online account.
  • Sets a 45-day notification requirement for consumers affected by the breach.
  • Risk of harm analysis: notification not required if a third-party forensic investigator or law enforcement agency determines that the “breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
  • Types of notice: notice may be accomplished via email if the entity providing notice has email addresses for individuals subject to notification.
  • Notification content requirement: notice must contain the date of the breach, a brief description of the information disclosed, and contact information for the three largest consumer credit reporting agencies, and the Federal Trade Commission.
  • If the breach affects more than 1,000 people, notice must be provided to the consumer credit reporting agencies and the state Attorney General.
  • The Attorney General can impose civil penalties on violators of $10,000 per affected individual or the total economic loss sustained by affected individuals up to a max of $500,000.

Today’s nationwide patchwork of state breach notification laws continues to evolve, and requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions. 

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

USCIS Removes Validity Period on Immigration Medical Exam Form I-693
by: Manda Brefo
DOL Releases Final White-Collar Exemption Rule, Sets Minimum Salary to Increase in Phases Beginning July 1, 2024
by: Jeff Barnes , Jeffrey W. Brecher
New HIPAA Final Rule Imposes Added Protections for Reproductive Health Care Privacy
by: Joseph J. Lazzarotti
Special Report: PWFA Final Regulations
by: Joseph J. Lynett , Katharine C. Weber
EEOC Issues Final Regulations to Implement the Pregnant Workers Fairness Act
by: Jenifer M. Bologna , Katharine C. Weber
Department of Education Releases Final Rule Amending Title IX Regulations
by: Susan D. Friedfel , Monica H. Khetarpal
Pregnant Workers Fairness Act Final Regulations Released
by: Joseph J. Lynett , Katharine C. Weber
USCIS Issues Employment Authorization Procedures for Palestinians on Deferred Enforced Departure
by: Forrest G. Read IV
OSHA Proposes Expansion of Workplace Protections for Emergency Responders
by: Courtney M. Malveaux , Melanie L. Paul
Ninth Circuit Holds Warehouse Worker Qualifies as Transportation Worker Under FAA Exemption
by: Scott P. Jang

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins