Arizona Data Breach Notification Law

Notification deadline: 45 days from determination that breach occurred

Enforcement: Arizona Attorney General

Overview

Arizona requires businesses to notify affected residents within 45 days of determining a breach occurred. The law covers both data breach notification and security requirements for disposing of personal information.

Who Must Be Notified

• • Affected Arizona residents (within 45 days)
• • Arizona Attorney General (if 1,000+ residents affected)
• • Consumer reporting agencies (if 1,000+ residents affected)

Covered Data Types

Social Security number, Driver's license number, Financial account number with access code, Private key for electronic signatures, Passport number, Taxpayer ID number, Tribal ID number, Health insurance ID number, Medical history information, Biometric data, Username with password

Notification Requirements

• • Written, telephonic, or electronic notice within 45 days
• • Include date or estimated date of breach
• • Description of personal information involved
• • Contact information for business
• • Contact information for credit bureaus
• • Notify AG if 1,000+ Arizona residents affected

Exemptions

• • Encrypted data (if key not compromised)
• • Good faith acquisition by employee
• • Entities in compliance with GLBA, HIPAA
• • Redacted data

Penalties

Civil penalties up to $10,000 per breach. AG can seek additional penalties up to $500,000 for intentional violations.