New Arizona Law Mandates Specific Notification Requirements To Victims of Data Breaches

HB 2154 recently amended A.R.S. § 18-541 et seq. to require any “person that conducts business in this state and that owns, maintains or licenses unencrypted or unredacted computerized data that includes personal information” to conduct a proper investigation in case of a possible data breach (“security incident”) and eventually notify, in the prescribed manner, the state attorney general and any affected person after thirty days from the determination of the breach.

If the security incident involves more than one thousand state residents, notification shall also be given “promptly and without unreasonable delay” to the three largest nationwide consumer credit reporting agencies.

A person that maintains but does not own the personal information shall “immediately notify the owner or licensee of such information on discovering any security system breach and cooperate with the owner or the licensee of the personal information”.

Notice to affected individuals must include: (i) approximate breach date; (ii) information exposed by the breach; (iii) toll-free numbers of the three largest nationwide consumer reporting agencies; and (iv) numbers and addresses for the Federal Trade Commission and agencies assisting consumers with identity theft. Notifications must be communicated by either e-mail, direct telephone call (no prerecorded messages), or substitute notice if the employer demonstrates it meets the minimum qualifications to notify affected consumers in an alternative format.

Willful violations of the foregoing requirements are sanctioned with a fine of $10,000 per affected individual. However, the maximum civil penalty from a breach or series of related breaches may not exceed $500,000.

There is no private cause of action as the law is enforced solely by the state attorney general, who, in addition to the sanctions above, may also seek restitution for the affected individuals.

The new law is effective as of August 3, 2018, and may require employers to amend their data security policies and implement proper notification procedures to avoid the described penalties.

Our firm can help you comply with the new law. Call us today to find out how we can help.
