By the end of this post, you’ll understand Arizona’s “data breach notification law” and what you’re legally required to do in the wake of a hack, leak, or manual data breach. Ready to speak to a lawyer about your situation? Get in touch.
Arizona businesses – and websites accessible to Arizonians – are legally required to inform users and customers of data breaches. In this blog post, we’ll review § 44-7501 of the Arizona Revised Statutes – a.k.a., the Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions law. For brevity’s sake, we’ll call the regulation 44-7501.
What is “personal information” under the Arizona data breach notification law?
Arizona’s data security law only applies when personal information is compromised, which raises the question: What constitutes “personal information” under Arizona State law?
Answer: Any person’s first name or first initial and last name, coupled with:
- A social security number;
- Driver’s license or official ID information; or
- Credit or debit card numbers, with password or security code data that could grant access to accounts.
Who Must follow Arizona’s Data Breach Law?
Any person, group, or business, operating within the State of Arizona, that owns, maintains or licenses unencrypted user data, must follow 44-7501. Examples include (but are not limited to):
- Companies headquartered in Arizona;
- Commercial websites that permit Arizona residents to access or interact with their sites; and
- Large companies with offices or customers in Arizona.
Uncertain if Arizona’s data breach law applies to you? Consult with an Internet law attorney to find out.
What constitutes a “breach” under Arizona’s Data Breach Law?
Not all leaked or stolen information is a notification-triggering breach. For an incident to qualify, personal data (described above) must have been compromised – or fell into unauthorized hands – and the potential exists for user / consumer economic loss. Examples of possible breaches:
- Hacking incident;
- Loss of laptop, memory stick, computer or hard drive;
- Employment misconduct with digital records and accidental emails;
The above examples aren’t the only models that require notification, but simply an overview of things that have previously been deemed breaches under Arizona law.
What is the general purpose of 44-7501 – Arizona’s Data Breach Notification Law?
Passed in 2006, 44-7501 outlines the required notification process in the event of an unauthorized data breach.
When are you required to launch a data security breach investigation?
Under Arizona’s data breach law, the moment business operators become aware of a potential security issue, they are obligated to launch a “prompt investigation.” If it’s discovered that you looked afoul when the signs pointed to a potential breach, you’ll be fined – heavily.
How long do companies have to notify the affected users / people?
If your investigation concludes that a third party could have gained access to records, you’re required, by law, to alert the affected parties:
“…in the most expedient manner possible and without unreasonable delay.”
What are allowable notification methods according to Arizona’s data breach notification rules?
If you’re responsible for alerting affected consumers about an Arizona data breach, acceptable contact methods include:
- Regular Mail;
- Email, only if the person has indicated email as their preferred contact medium.
If more than 100,000 people are affected by a breach, or if the cost of notification would exceed $50,000, businesses can use so-called “substitute notification methods,” which include:
- Email (some restrictions apply; consult with an Internet lawyer about the details of your case.)
- Conspicuous notification on company website; or
- Notification to major, statewide media outlets.
Law enforcement agencies can delay notification if the incident affects a larger investigation.
What is the penalty for breaking Arizona’s data breach law?
What happens if you don’t comply with Arizona’s data breach law? A huge fine. Violators are responsible for actual damages caused by the ignored breach, plus $10,000 per breach.
Who is allowed to sue for violations of Arizona’s Data Breach Notification Law?
Only the Arizona Attorney General can bring breach notification violation charges against a defendant. Additionally, State law supersedes municipal and county laws addressing the issue. This would not, however, preclude private citizens from bringing causes of action for other claims.
Got Arizona Data Breach Notification Questions? We’ve Got Answers.