Section 44-7501 of the Arizona Revised Statutes, also known as the Notification of Breach of Security System law, requires businesses, websites, and apps to inform users and customers of data breaches.
What Is Personal Information Under Arizona Law?
Arizona’s data security law applies when personal information is compromised. That raises the question: What is “personal information” under Arizona state law?
In the Grand Canyon State, personal information, as it relates to data breach law, is a first name or initial paired with a last name and one of the following:
- A social security number
- Driver’s license or official ID information
- Credit or debit card numbers, coupled with password or security data that could grant access to accounts
If you’re unsure if your event qualifies for notification, contact a digital privacy lawyer in Arizona.
Who Is Beholden to the Arizona Data Breach Notification Law?
Any business, person, or group operating within Arizona that owns, licenses, or maintains unencrypted user data must comply with 44-7501. That includes:
- Companies headquartered in Arizona
- Commercial websites that permit Arizona residents to access or interact with their sites or apps
- Large companies with offices or customers in Arizona
Does Arizona’s data breach law apply to you? Get in touch and we’ll help you figure it out.
What Constitutes a “Breach” Under Arizona’s Personal Data Law?
Not all leaked or stolen information requires notification. For a data security incident to qualify, personal data must be compromised and the potential for consumer economic loss must exist. Examples of possible breaches:
- Hacking incident
- Loss of laptop, memory stick, computer, or hard drive
- Employment misconduct with digital records and accidental emails
The above examples aren’t the only data breach models that require notification; they’re simply an overview of what courts have previously deemed breaches under Arizona law.
What Is the General Purpose of 44-7501 – Arizona’s Data Breach Notification Law?
Law 44-7501 outlines the notification process for unauthorized data breaches.
When Must I Launch a Data Security Breach Investigation?
Under Arizona’s data breach law, the moment operators become aware of potential security issues, they must launch a “prompt investigation.” If officials discover that you looked the other way when the signs pointed to a potential breach, they’ll fine you – heavily.
How Long Do Companies Have To Notify Affected Parties?
If an investigation concludes that a third party may have gained access, AZ law requires businesses to alert compromised parties “in the most expedient manner possible and without unreasonable delay.”
What Are Acceptable Notification Methods According to Arizona’s Data Breach Notification Rules?
If you’re responsible for alerting consumers about an Arizona data breach, acceptable contact methods include:
- Phone
- Regular mail
- Email, only if the person has indicated email as their preferred contact medium
If the breach affects more than 100,000 people or notification costs would exceed $50,000, businesses can use “substitute notification methods,” including:
- Email (some restrictions apply)
- Conspicuous notification on company website
- Notification to major statewide media outlets
Law enforcement can delay notifications if the incident affects another investigation.
What Is the Penalty for Breaking Arizona’s Data Breach Law?
What are the punishments for violating Arizona’s data breach law? Most people pay about $10,000 per breach, plus actual damages. So if there were $2 million in breach damages, the responsible party would owe $2,010,000.
Who Can Sue for Data Breach Notification Violations?
Only the Arizona Attorney General can bring breach notification violation charges against defendants. Additionally, state law supersedes municipal and county laws addressing the issue. This would not, however, preclude private citizens from bringing causes of action for other claims.