The Arizona Legislature has significantly expanded and strengthened the state's data breach notification law. The legislation was signed by Arizona Governor Doug Ducey on April 11, 2018.
Members of Ballard Spahr's Privacy and Data Security Group will host a webinar on Wednesday, April 25, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide in-depth analysis of the new law and place it into context with similar legislation enacted by other states over the past few months. Visit www.ballardspahr.com/AZwebinar to register and for more information.
Below we discuss the most notable changes:
Expanded Definition of "Personal Information"
Arizona's prior law narrowly defined "personal information" as an individual's first name or first initial in combination with the individual's social security number; driver's license number or non-operating identification license number; or financial account or credit card number in combination with any required security code, access code, or password that would permit access to the account.
The new law significantly expands that definition to include the following data elements: a private key that is unique to an individual and is used to authenticate or sign an electronic record; an individual health insurance identification number; information about an individual's medical or mental health treatment or diagnosis by a health care professional; a passport number; a taxpayer identification number or an identity protection personal identification number issued by the IRS; or unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.
Whereas Arizona's prior definition was one of the narrowest in the country, its new definition is one of the most expansive.
Extension to Online Account Log-In Information
The law also now requires notification if there is a breach of an individual's user name or email address, in combination with a password or security question and answer, that allows access to an online account. If the breach is limited to that information (and does not include any other data elements), notice may be provided in an electronic or other form that requires the affected individuals to change their passwords and security questions/answers and directs them to change their passwords and security questions/answers for any other online accounts that use the same information.
45-Day Deadline to Provide Notice
Arizona has joined the growing number of states that have set a specific timeframe within which notice of a data breach must be provided to affected individuals. Arizona law previously required that notice be provided "in the most expedient manner possible and without unreasonable delay." The new law, however, requires that notice be provided within 45 days after a determination that a "security system breach" has occurred. The statute defines "security system breach" as "an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals."
Notably, the amended statute provides that notice does not need to be provided "if the person, an independent third-party forensic auditor, or law enforcement agency determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals." The prior law also contained a "substantial economic loss" requirement but did not specify that a third-party forensic auditor or law enforcement agency could make that determination.
Contents of the Notice
The new law specifies that the notice must contain the approximate date of the breach, a brief description of the personal information included in the breach, and the contact information for the three largest nationwide consumer reporting agencies and the Federal Trade Commission. That change is consistent with other recently amended/enacted statutes with similar requirements.
Notice to Consumer Reporting Agencies and Attorney General
If the breach requires notification to more than 1,000 individuals, notice also now must be provided to the three largest nationwide consumer reporting agencies and the Arizona Attorney General.
Increased Civil Penalties
The Attorney General retains exclusive authority to enforce willful and knowing violations of the statute, and the new law significantly increases the potential penalty. Under prior law, the AG could seek a $10,000 civil penalty "per breach of the security system or series of breaches of a similar nature." The new law provides that the AG may seek a civil penalty "not to exceed the lesser of ten thousand dollars per affected individual or the total amount of economic loss sustained by affected individuals," with a "maximum civil penalty from a breach or series of related breaches" of $500,000.
In sum, entities that do business in Arizona and collect personal information from state residents should take note of these changes and analyze whether their existing information security controls are sufficient to protect against a data breach.
To stay up to date on the latest developments in privacy and data security, subscribe to Ballard Spahr's Privacy and Data Security blog, CyberAdviser.
Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world identify, manage, and mitigate cyber risk. Our team of more than 50 lawyers across the country includes investigators and advocates with deep experience in cyber-related internal and governmental investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and civil and criminal litigation.
Copyright © 2018 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.