All U.S. states have laws about data security and what to do when there’s a data breach. Here is what’s in the Arizona law.
Who The Law Applies To. The law applies to anyone who conducts business in Arizona and who owns or licenses unencrypted data that includes personal information. It also applies to anyone who maintains unencrypted data for someone else. The law’s language uses “person” for simplicity, but its definition includes corporations and other business organizations, associations, and government agencies. The Arizona law defines personal information as an individual’s first name or first initial and last name in combination with any of the following if unsecured:
- Social security number;
- Driver’s license or state identification card;
- Private key unique to an individual and used to authenticate or sign an electronic record;
- Financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the account;
- Health insurance identification number;
- Information about an individual’s medical or mental health treatment or diagnosis by a health care professional;
- Passport number;
- Taxpayer identification number or ID number issued by the IRS;
- Biometric data; or
- User name or email address, in combination with a password or security question and answer that allows access to an online account.
What The Law Requires. The trigger is when the data owner or maintainer becomes aware of an incident of unauthorized acquisition and access to unencrypted data that includes an individual’s personal information. The data owner or maintainer must conduct a prompt investigation to determine if there has been a breach. If there has been a breach, notification is required.
What is a Breach. The term “breach” under this law means unauthorized acquisition of and access to unencrypted data that materially compromises the security or confidentiality of personal information regarding multiple individuals, and that causes or is reasonably likely to cause substantial economic loss to an individual. Hacking into a system is one example of a breach. But breaches often happen because of more ordinary events, such as an employee losing a laptop or external drive, or the company accidentally emailing personal information to a third party.
When and How To Notify. If a breach is confirmed, the data owner or maintainer must notify the individual within 45 days. Written or phone notice is permitted. Email notice is permitted if the person notifying has email addresses for the individuals who are subject to the notice. The Arizona Attorney General must be notified if more than 1,000 persons are involved. Substitute notice may be permitted if more than 100,000 people need to be notified or if the cost of notice would exceed $50,000. Substitute notice includes (a) a written letter to the Arizona Attorney General that demonstrates the facts supporting substitute notice; and (b) conspicuous posting of the notice for at least 45 days on the website of the person notifying, if that person maintains one.
What is Encryption. Encryption isn’t defined in the law, but understanding it is essential, because the law applies only to unencrypted data. Encryption is the encoding of data: the process of obscuring information, usually through a cryptographic scheme, so that the data is unreadable without the decoding key. Encryption can be applied to data “in communication” (in transit from one computer to another) or to data “at rest” (stored locally).
What if Law Enforcement is Involved. The law provides that notification “may be delayed” if a law enforcement agency advises that notification will impede a criminal investigation. Notification “shall” be made after law enforcement determines that it will not compromise the investigation. Close cooperation with law enforcement, to protect the interests of the business, is well advised.
What are the Law’s Penalties. Penalties for a willful and knowing violation are $10,000 per individual affected, or the total amount of economic loss sustained by affected individuals. The maximum civil penalty from a breach or series of related breaches may not exceed $500,000. Only the Arizona Attorney General has the power to enforce the law. There is no private right of action. The state law says that it preempts all municipal and county laws and rules on this topic.
The full statute is found at A.R.S. § 18-551. In the event of a breach, a business should act immediately to secure its systems, get the word out, and protect itself and its customers. It is also advisable to have a data breach response plan in place in advance, and to test that plan before a breach arises.