Legal Guidelines for Handling Data Breaches in Arionza

January 28, 2022 | 4 minutes read
Legal Guidelines for Handling Data Breaches in Arionza

AZ Rev Stat § 18-545 is a data breach law that was passed in the U.S. state of Arizona in 2016. In lieu of a comprehensive data privacy law on a state or federal level, AZ Rev Stat § 18-545 represents the foremost legal means by which Arizona residents can protect themselves in the event that their personal information is disclosed during a data breach. As such, the law establishes the requirements that organizations and business entities operating within the state must follow in the event that the personal information they have obtained from Arizona residents is subject to a data breach. Moreover, the law also establishes the punishments that these parties stand to face should they fail to comply with the various provisions set forth in the law.

How is a data breach defined?

Under AZ Rev Stat § 18-545, a data breach is defined as an “unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information maintained by a person as part of a database of personal information regarding multiple individuals and that causes or is reasonably likely to cause substantial economic loss to an individual. Good faith acquisition of personal information by an employee or agent of the person for the purposes of the person is not a breach of the security system if the personal information is not used for a purpose unrelated to the person or subject to further willful unauthorized disclosure”.

Alternatively, personal information that has been redacted, encrypted, or secured by some other means and has subsequently been disclosed in a data breach or related incident is not covered under the provisions of AZ Rev Stat § 18-545. Conversely, healthcare breaches, while not originally covered under AZ Rev Stat § 18-545, are now covered under the law as of 2018, “with a 45-day notification deadline for notification of individuals.” Furthermore, covered information under AZ Rev Stat § 18-545 is limited to electronic information, as information that is in written form is not protected under the provisions of the law. To this end, the following categories of personal information are covered under the law:

What are the requirements of businesses and organizations?

In the event that a business or organization within Arizona is involved in a data breach or related security incident, said entities are responsible for providing all affected consumers within the state with written notice describing the various details concerning the breach or incident. These notices must provide consumers with information detailing the categories of personal information that were disclosed, as well as what measures were in place to prevent such an incident, as well as any remedies, among other pertinent details. On the contrary, “If the entity demonstrates that the cost of providing notice using these methods would exceed $50,000 or more than 100,000 individuals must be notified, substitute notification may be used including a conspicuous publishing of the notice on the entity’s website or notification to major statewide media.”

What are the penalties?

In terms of the enforcement of AZ Rev Stat § 18-545, the law is enforced by the Arizona Attorney General. To this point, businesses and organizations that fail to comply with provisions established by the law are subject to a number of penalties and sanctions. Such punishments include “civil penalties up to $10,000 per breach (or a series of breaches of a similar nature discovered in a single investigation).” What’s more, both government and non-government agencies are subject to civil penalties in the event that said entities violate the provisions of the law. To illustrate the potential scope and severity of such punishments, Phoenix-based healthcare provider Banner Health was ordered to pay “8.9 million in December 2019 to cover expenses incurred from a 2016 breach involving 3.7 million victims, as well as to fund improvements to its security posture, court documents show.”

Through the provisions of AZ Rev Stat § 18-545, citizens of the state of Arizona have the means to seek compensation in the event that certain categories of personal information concerning them are disclosed or improperly accessed during a data breach. As the case of Banner Health shows, the penalties for violating the law can be extremely steep. While H.B. 2154, a proposed bill that would have placed more stringent requirements on businesses and organizations within Arizona with regards to data breach notifications, ultimately failed to be passed by the Arizona State Legislature in late 2021, AZ Rev Stat § 18-545 does provide citizens of the state of Arizona with some level of protection as it relates to data breach incidents.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »