Arizona recently passed legislation strengthening the state’s data breach notification law.

Highlights from the new state law include:

  • Expanding the definition of protected “personal information” to include online account credentials, as well as an individual’s name in combination with health insurance or other medical information, passport or taxpayer identification numbers, or certain biometric data;
  • Requiring that notice to individuals affected by a breach be provided within 45 days after determining that a breach has occurred (whereas existing law provided no definitive deadline);
  • Clarifying the necessary content and available delivery methods for notifications to consumers;
  • Requiring notification to the three largest consumer reporting agencies for any breach involving more than 1,000 individuals;
  • Increasing the maximum civil penalty for a knowing or willful violation of the statute from $10,000 per breach to $500,000 per breach; and
  • Clearly explaining the Attorney General’s powers in connection with the investigation and enforcement of data-breach matters.

Expanded Definition of “Personal Information”
Prior state law narrowly defined “personal information” as an individual’s first name or first initial in combination with the individual’s social security number; driver’s license number or non-operating identification license number; or financial account or credit card number in combination with any required security code, access code, or password that would permit access to the account.

The new law expands that definition to include: a private key that is unique to an individual and is used to authenticate or sign an electronic record; an individual health insurance identification number; information about an individual’s medical or mental health treatment or diagnosis by a health care professional; a passport number; a taxpayer identification number or an identity protection personal identification number issued by the IRS; or unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.

This new definition is one of the most expansive in the country.

Extension to Online Account Log-In Information
The new law requires notification if there is a breach of an individual’s user name or email address, in combination with a password or security question and answer, that allows access to an online account. If the breach is limited to that information (and does not include any other data elements), notice may be provided in an electronic or other form that requires the affected individuals to change their passwords and security questions/answers and directs them to change their passwords and security questions/answers for any other online accounts that use the same information.

45-Day Deadline to Provide Notice
The new law requires that notice be provided within 45 days after a determination that a “security system breach” has occurred. The statute defines “security system breach” as “an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.”

Notably, the amended statute provides that notice does not need to be provided “if the person, an independent third-party forensic auditor, or law enforcement agency determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.” The prior law also contained a “substantial economic loss” requirement but did not specify that a third-party forensic auditor or law enforcement agency could make that determination.

Contents of the Notice
Notice must contain the approximate date of the breach, a brief description of the personal information included in the breach, and the contact information for the three largest nationwide consumer reporting agencies and the Federal Trade Commission.

Notice to Consumer Reporting Agencies and Attorney General
If the breach requires notification to more than 1,000 individuals, notice must be provided to the three largest nationwide consumer reporting agencies and the Arizona Attorney General.

Increased Civil Penalties
The Attorney General retains exclusive authority to enforce willful and knowing violations of the statute, and the new law significantly increases the potential penalty. Under prior law, the AG could seek a $10,000 civil penalty “per breach of the security system or series of breaches of a similar nature.” The new law provides that the AG may seek a civil penalty “not to exceed the lesser of ten thousand dollars per affected individual or the total amount of economic loss sustained by affected individuals,” with a “maximum civil penalty from a breach or series of related breaches” of $500,000.

Companies that do business in Arizona and collect personal information from state residents should take note of these changes and analyze whether their existing information security controls are sufficient to protect against a data breach.