September 21, 2020

Volume X, Number 265

September 18, 2020

Subscribe to Latest Legal News and Analysis

More Breach Law Changes: Arizona Updates Notice Law

Arizona’s Governor recently signed HB2154, which expands Arizona’s data breach notice law. The law was effective upon signing, and now requires companies to notify the state attorney general when more than 1,000 individuals have been impacted. It also allows email notice if the company has the individual’s email address.  This removes the need to have email be the “primary method of communication” or be consistent with the eSign Act. Timing of notice has also changed, and must occur within 45 days instead of “in the most expedient time necessary and without unreasonable delay.” Notice in Arizona now also needs to include specific information, including the date of the breach, type of information impacted, as well as consumer reporting agencies’ and FTC contact information.  In another change, companies do not need to notify under the law if an independent forensic firm or law enforcement determine that there has been no risk of “substantial economic loss.”

The mechanism for providing substitute notice has also changed under the amendment. Now, if a company provides substitute notice, it only needs to post the notice on its website, and no longer needs to send an email or notify statewide media. This is different from most other states’ substitute notice provisions. Also unlike other states that allow substitute notice, the company must give a letter to the attorney general explaining why substitute notice was needed. The law now indicates that notices to the AG under the law are confidential as provided for under Arizona law.

Finally, among other changes, the definition of personal information has been expanded. Biometric information, health insurance ID number and health information, passport number, and tax ID number, and a “private key” used to authenticate an electronic signature have been added to definition of personal information. Personal information now also includes online account credentials.

Putting It into Practice: Companies with nationwide incident response plans should consider the new elements of the Arizona law the different approach to substitute notice and the independent “no economic loss” assessment exception.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume VIII, Number 116


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Amber Thomson, Sheppard Mullin Law Firm, Litigation Attorney

Amber C. Thomson is an associate in the Business Trial Practice Group in the firm's Washington, D.C. office.