The Arizona State Legislature is considering proposed legislation that, if enacted, would significantly change the requirements for how Arizona entities respond to data breaches.
Under Arizona's existing breach notification law, entities that conduct business in the state and own or license computerized data that includes personal information (PI) are required to notify individuals if the entity is the victim of a security breach that compromises the security or confidentiality of the PI and that causes or is likely to cause substantial economic loss to an individual. The proposed legislation would remove the "substantial economic loss" requirement, thereby lowering the threshold for when notice is required.
The proposed legislation also would significantly expand the definition of PI. The law currently defines PI as an individual's first name or first initial and last name combined with a social security number, driver's license number, non-operating identification license, or financial account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account.
The proposed legislation would end the requirement that a security code, access code or password must be compromised with the financial account number or credit/debit card number. It also would add the following data elements to the definition of PI:
A physical characteristic that is attributable to an individual, including a fingerprint, eye, hand, vocal, or facial characteristic or any other physical characteristic used to electronically identify that individual with a high degree of certainty;
An individual's protected health information, such as a health insurance ID number, medical history, mental or physical condition, and medical treatment or diagnosis by a health care professional;
A taxpayer identification number or identity protection personal identification number issued by the IRS;
A user name or email address, in combination with a password or security question and answer, that allows access to an online account; and
Student personally identifiable data, defined as a minor student’s name, address, date of birth, SSN, email or social media address, credit, debit, or other financial services account number, or parent’s name, or any other information that would link a specific minor student to a specific school community.
Additionally, the proposed legislation would change the timing requirements for providing notice to affected individuals. Under existing law, notice needs to be provided in the "most expedient manner possible and without unreasonable delay." The proposed law would impose a more stringent 30-day deadline and also would require entities to notify the Attorney General.
Finally, the proposed legislation would require the notice to affected individuals to state:
The approximate date of the breach;
A brief description of the personal information included in the breach;
The toll-free numbers and addresses for the three largest consumer reporting agencies; and
The toll-free number, address, and website address for the Federal Trade Commission or any federal agency that assists consumers with matters of identity theft.
Notably, the proposed legislation retains the current law's provision that notice does not need to be provided if the information was encrypted or redacted. Therefore, entities can take reasonable steps today to mitigate their risk of having to provide notice if they suffer a data breach.
If enacted, this proposed legislation will substantially change the manner in which entities that conduct business in Arizona and own, license, or maintain personal information must respond to security breaches of such information. Such entities should closely monitor this proposed legislation and carefully consider how these proposed revisions may apply to their specific business.
Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world identify, manage, and mitigate cyber risk. Our team of nearly 50 lawyers across the country includes investigators and advocates with deep experience in cyber-related internal and governmental investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and civil and criminal litigation.
Copyright © 2018 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.