More Breach Law Changes: Arizona Updates Notice Law
Arizona’s Governor recently signed HB2154, which expands Arizona’s data breach notice law. The law was effective upon signing, and now requires companies to notify the state attorney general when more than 1,000 individuals have been impacted. It also allows email notice if the company has the individual’s email address. This removes the need to have email be the “primary method of communication” or be consistent with the eSign Act. Timing of notice has also changed, and must occur within 45 days instead of “in the most expedient time necessary and without unreasonable delay.” Notice in Arizona now also needs to include specific information, including the date of the breach, type of information impacted, as well as consumer reporting agencies’ and FTC contact information. In another change, companies do not need to notify under the law if an independent forensic firm or law enforcement determine that there has been no risk of “substantial economic loss.”
The mechanism for providing substitute notice has also changed under the amendment. Now, if a company provides substitute notice, it only needs to post the notice on its website, and no longer needs to send an email or notify statewide media. This is different from most other states’ substitute notice provisions. Also unlike other states that allow substitute notice, the company must give a letter to the attorney general explaining why substitute notice was needed. The law now indicates that notices to the AG under the law are confidential as provided for under Arizona law.
Finally, among other changes, the definition of personal information has been expanded. Biometric information, health insurance ID number and health information, passport number, and tax ID number, and a “private key” used to authenticate an electronic signature have been added to definition of personal information. Personal information now also includes online account credentials.
Putting It into Practice: Companies with nationwide incident response plans should consider the new elements of the Arizona law the different approach to substitute notice and the independent “no economic loss” assessment exception.