Information Covered / Important Definitions
Personal information of Arizona residents.
Definition includes: a private key used to authenticate or sign an electronic record, individual health insurance identification number, medical information, passport number, a taxpayer identification number or PIN issued by the IRS, or unique biometric data used to access online accounts.
“Security Breach” means an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.
"Encrypt" means to use a process to transform data into a form that renders the data unreadable or unusable without using a confidential process or key.
“Redact” means to alter or truncate a number so that not more than the last four digits are accessible and at least two digits have been removed.
Covered Entities* / Third Party Recipients
Subject to statute:
Any legal or commercial entity that conducts business in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information.
Third party recipients:
A person that maintains unencrypted and unredacted computerized personal information it does not own or license shall notify, as soon as practicable, the owner or licensee of the information on discovering any security system breach and cooperate with the owner or the licensee of the personal information, including sharing information relevant to the breach with the owner or licensee. The owner or licensee of the data must satisfy all further notification obligations under the statute.
Notice Procedures & Timing / Other Obligations
Written, e-mail, or telephonic notice must be provided to victims of a security breach within forty-five (45) days following the determination of the breach, unless a law enforcement agency advises the covered entity that notifications will impede a criminal investigation (on being informed by the law enforcement agency that the notifications no longer compromise the investigation, the person shall make the required notifications, as applicable, within forty-five (45) days).
- Specific requirements for the form and content of notice are described in the statute.
- Substitute notice is available by means prescribed in the statute if the cost of notice would exceed $50,000, the affected class exceeds 100,000 individuals, or the covered entity has insufficient contact information.
- Notice not required if the covered entity, an independent third-party forensic auditor, or law enforcement entity determines that a breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.
Any covered entity that must notify more than 1,000 individuals of a security breach is also required to notify the three largest nationwide consumer reporting agencies and the attorney general.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, redacted or secured by method rendering data unreadable or unusable.
Safe harbor not available if the personal information is encrypted but the encryption key has been accessed or acquired.
Exemption for good faith acquisition of personal information by a person's employee or agent for the purposes of the person if the personal information is not used for a purpose unrelated to the person and is not subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Arizona statute if it (i) maintains and complies with its own notification requirements, as part of an information security policy, that are consistent with the Arizona statute, or (ii) complies with notification requirements or procedures imposed by its primary or functional federal regulator.
Entities subject to the GLBA or covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are exempt.
Notification to Regulator / Waiver
A determination of no likelihood of harm:
Does not require notification to attorney general.
Actual damages for a willful and knowing violation of the statute.
Civil penalty not to exceed $10,000 per affected individual or the total amount of economic loss sustained by affected individuals, with a maximum civil penalty from a breach or series of related breaches of $500,000.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.