Did you know Arizona has a legislation that requires private entities or government agencies to notify individuals who have been impacted by security breaches that may compromise their personally identifiable information?
Please note, entities covered by the federal Health Insurance Portability and Accountability Act (“HIPAA”) or Gramm-Leach-Bliley Act are exempt from this law. This is because federal regulations are far more tough and regulating both at the state & federal level would be a nightmare.
Arizona’s data breach notification laws are applicable to individuals or entities that conduct business in the state who also license, own, or maintain covered information. It does not apply to encrypted or redacted information, or information secured in some other way that renders it unreadable or unusable – as long as the encryption key was not accessed or acquired.
What is “Covered Information”?
Covered information is the combination of “personal information” and “specified data element”.
The Notification Law defines “personal information” to include:
- An individual's first name or first initial and last name in combination with one or more specified data elements.
- An individual's user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account.
“Specified data element" means any of the following:
- An individual's social security number.
- The number on an individual's driver license issued pursuant to section 28-3166 or nonoperating identification license issued pursuant to section 28-3165.
- A private key that is unique to an individual and that is used to authenticate or sign an electronic record.
- An individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to the individual's financial account.
- An individual's health insurance identification number.
- Information about an individual's medical or mental health treatment or diagnosis by a health care professional.
- An individual's passport number.
- An individual's taxpayer identification number or an identity protection personal identification number issued by the United States internal revenue service.
- Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.
Does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
What’s a “Security incident”?
Security incident means an event that creates reasonable suspicion that a person's information systems or computerized data may have been compromised or that measures put in place to protect the person's information systems or computerized data may have failed.
What does the law require after a “Security Incident”?
If a covered person discovers a “security incident,” as defined by the law, the person is required to investigate to determine if a “breach” has occurred. If a breach has occurred, the owner or licensee of the breached personal information is required to notify affected individuals, unless the person, a law-enforcement agency, or an independent forensic auditor determines that the breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals. Generally, the notification must be provided within 45 days and must be made using one of the methods specified by the law. See A.R.S. § 18-552, subsections (E) through (I). For breaches involving more than 1,000 Arizona residents, notification must also be provided to the three largest nationwide consumer reporting agencies and to the Arizona Attorney General’s Office.
What are the Penalties?
A knowing and willful violation of the law constitutes a violation of the Arizona Consumer Fraud Act, A.R.S. § 44-1521 et seq. Only the Attorney General may enforce such a violation. In doing so, the Attorney General may seek up to $500,000 in civil penalties, in addition to any restitution that may be owed to the affected individuals.
Healthcare data breaches are now covered by Arizona’s data breach notification law as of April 2018, with a 45-day notification deadline for notification of individuals.
What does this mean for your Arizona-based business?
If your an employer, you likely have your employees’ name/address/phone number (personal information) and SSN (specified data element) stored somewhere. If you’ve made it electronic, the law applies to your employee data.
If your business involves storing protected data such as names and SSNs, this law applies to your client data. Law firms, CPAs, and financial services are examples of industries that deal with this type of data every day.
If you have “Covered Information”, and you're breached, it’s a Security incident and you need to have a plan on how to remediate the it with this law in mind. Reach out to us if you’d like to talk about how this law affects your business and how to properly mitigate as much risk as possible with smart IT and policy choices.
Contact us here and we’ll be happy to answer your questions.