Legal Guidelines for Handling Data Breaches in Arizona
January 28, 2022 | 4 minutes read
AZ Rev Stat § 18-545 is Arizona's data breach notification statute, codified under that section in 2016. In the absence of a comprehensive data privacy law at the state or federal level, AZ Rev Stat § 18-545 is the primary legal protection available to Arizona residents when their personal information is exposed in a data breach. The law sets out the requirements that organizations and business entities operating in the state must follow when personal information they hold about Arizona residents is compromised, and it establishes the penalties those parties face if they fail to comply with its provisions.
How is a data breach defined?
Under AZ Rev Stat § 18-545, a data breach is defined as an “unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information maintained by a person as part of a database of personal information regarding multiple individuals and that causes or is reasonably likely to cause substantial economic loss to an individual. Good faith acquisition of personal information by an employee or agent of the person for the purposes of the person is not a breach of the security system if the personal information is not used for a purpose unrelated to the person or subject to further willful unauthorized disclosure”.
Conversely, personal information that was redacted, encrypted, or otherwise secured before it was disclosed in a breach or related incident is not covered by AZ Rev Stat § 18-545 (provided, in practice, that the encryption key or other means of unlocking the data was not also compromised). Healthcare breaches, while not originally covered under AZ Rev Stat § 18-545, have been covered since 2018, “with a 45-day notification deadline for notification of individuals.” The law's scope is also limited to computerized data: information held only in written (paper) form is not protected. The following categories of personal information are covered under the law:
- Social security numbers.
- Driver’s license or state identification card numbers.
- Financial account numbers.
- Credit or debit card numbers, as well as any security or access code numbers that are needed to use said cards.
What are the requirements of businesses and organizations?
When a business or organization within Arizona is involved in a data breach or related security incident, it is responsible for notifying all affected consumers in the state, using one of the notice methods the statute permits, with details of the breach or incident. These notices must tell consumers which categories of personal information were disclosed, what measures were in place to prevent such an incident, and what remedies are available, among other pertinent details. Alternatively, “If the entity demonstrates that the cost of providing notice using these methods would exceed $50,000 or more than 100,000 individuals must be notified, substitute notification may be used including a conspicuous publishing of the notice on the entity’s website or notification to major statewide media.”
What are the penalties?
AZ Rev Stat § 18-545 is enforced by the Arizona Attorney General. Businesses and organizations that fail to comply with the law's provisions are subject to a number of penalties and sanctions, including “civil penalties up to $10,000 per breach (or a series of breaches of a similar nature discovered in a single investigation).” Both government and non-government entities are subject to civil penalties if they violate the law. To illustrate the broader financial exposure a breach can create, Phoenix-based healthcare provider Banner Health was ordered to pay “$8.9 million in December 2019 to cover expenses incurred from a 2016 breach involving 3.7 million victims, as well as to fund improvements to its security posture, court documents show.” Note that this sum was a class action settlement with affected patients, separate from the statutory civil penalties the Attorney General can impose.
Through the provisions of AZ Rev Stat § 18-545, Arizona residents are entitled to timely notification when certain categories of their personal information are disclosed or improperly accessed in a data breach, and the Attorney General can penalize entities that fail to provide it. As the Banner Health case shows, the overall cost of a breach, including litigation, can be extremely steep. While H.B. 2154, a proposed bill that would have placed more stringent data breach notification requirements on businesses and organizations within Arizona, ultimately failed to pass the Arizona State Legislature in late 2021, AZ Rev Stat § 18-545 still provides Arizona residents with a baseline level of protection in the event of a data breach.