The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Persons, businesses, government agencies, and other entities that conduct business in Arizona and own, use, or maintain personal information.
Consumer Notification: Notification must be provided to any Arizona resident whose unencrypted personal information was acquired and accessed without authorization.
Regulatory Notification: Notification must be provided to the Arizona Attorney General and the Director of the Arizona Department of Homeland Security if an entity is required to notify more than 1,000 Arizona residents.
Notification Timeline: Notification must be provided within 45 days after the determination that a breach occurred.
Data Format: Electronic.
Citations: Ariz. Rev. Stat. §§ 18-551 to 18-552.
- Breach: Unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained by an entity as part of a database of personal information regarding multiple individuals.
- Personal Information (PI):
1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number;
- Number on a driver’s license issued pursuant to §28-3166 or number on a nonoperating identification license issued pursuant to §28-3165;
- Financial account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account;
- Private key that is unique to an individual and that is used to authenticate or sign an electronic record;
- Individual’s health insurance identification number;
- Medical information;
- Passport number;
- Individual’s taxpayer identification number or an identity protection personal identification number issued by the Internal Revenue Service; and
- Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.
2. An individual’s username or email address, in combination with a password or security question and answer, that allows access to an online account.
- Medical Information: Information about an individual’s medical or mental health treatment or diagnosis by a health care professional.
- Health Insurance Information: N/A
- Encryption: Notification is not required where the potentially impacted PI was encrypted or redacted, such that the data is unreadable or unusable without using a confidential process/key.
- Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent of the entity for the purposes of the entity, if the PI is not used for a purpose unrelated to the entity and is not subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if an independent third-party forensic auditor or a law enforcement agency determines, after a reasonable investigation, that the breach has not resulted in and is not reasonably likely to result in substantial economic loss to affected Arizona residents.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notification must be made within 45 days after the law enforcement agency determines that such notification will no longer impede the investigation.
- Timing: Notification must be provided within 45 days after the determination that there has been a breach of PI.
- Format: N/A
- Content: Notification letters must include at least the following:
- Approximate date of the breach;
- Type of PI included in the breach;
- Toll-free telephone numbers and addresses of the three largest credit reporting agencies; and
- Toll-free number, address, and website for the Federal Trade Commission or any federal agency that assists consumers with identity theft matters.
- Method: Notification must be provided by one of the following methods: (1) written notice; (2) telephonic notice, if made directly with the affected individuals and not through a pre-recorded message; or (3) email notice, if the entity has email addresses for the individuals subject to the notice.
An entity may provide substitute notice if it can demonstrate that the cost of providing direct notice would exceed $50,000, that the affected class of persons to be notified exceeds 100,000, or the entity does not have sufficient contact information. Substitute notice shall consist of the following: (1) a written letter to the Attorney General that demonstrates the facts necessary for substitute notice; (2) conspicuous posting of the notice on the website of the entity; and (3) notification to major statewide media.
Regulatory Notice:
Notification must be provided to the Arizona Attorney General and the Arizona Department of Homeland Security in writing if more than 1,000 residents require notification.
Credit Reporting Agencies Notice:
Notification must be provided to the three largest nationwide consumer reporting agencies if an entity is required to notify more than 1,000 Arizona residents.
A third party that maintains, but does not own or license, PI shall notify the owner or licensor of the breach as soon as practicable and must cooperate with the investigation.
The provisions of the statute do not apply to an entity or business associate as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or a charitable fundraising foundation/nonprofit corporation whose primary purpose is to support a specified entity, if such organizations comply with applicable provisions of HIPAA.