Given the nearly daily reports of data breaches, ransomware attacks and phishing exploits affecting entities of all sizes, Arizona entities should be aware that Arizona law may require them to provide notice to employees, customers and/or other third parties if the entity is the victim of a security breach. At the same time, however, entities that take the time to understand Arizona law before a breach occurs can implement measures to better protect themselves from spending thousands of dollars (if not more) responding to a cybersecurity incident.
Under Arizona's breach notification law, entities that conduct business in the state and that own, maintain, or license computerized data that includes personal information (PI) are required to conduct a prompt investigation if they become aware of an event that creates a reasonable suspicion that information systems or computerized data may have been compromised or that measures put in place to protect the information systems or computerized data may have failed. Entities must notify affected individuals if the investigation determines that there was unauthorized acquisition of and access to unencrypted and unredacted PI that materially compromises its security and is likely to cause substantial economic loss to an individual. The notice must be provided within 45 days after that determination is made.
The law defines "personal information" broadly as an individual's first name or first initial and last name combined with any of the following data elements:
- a social security number;
- a driver's license number or nonoperating identification license number;
- a private key that is unique to an individual and that is used to authenticate or sign an electronic record;
- a financial account number or credit or debit card number in combination with any required security code, access code, or password that would allow access to the individual's financial account;
- an individual's health insurance identification number;
- information about an individual's medical or mental health treatment or diagnosis by a health care professional;
- a passport number;
- a taxpayer identification number or an identity protection personal identification number issued by the IRS; or
- unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.
Consequently, any entity with employee, customer, or third-party records containing these data elements may have to provide notice in the event of a security breach.
Notably, the law does not require notification if the computerized data was encrypted or redacted (i.e., altering the data element such that only the last four digits are accessible and at least two digits have been removed). That provision is significant because it allows entities to take steps today to store only redacted data or to encrypt it in transit (e.g., email) and at rest (e.g., as stored on a server). Considering that providing notice can easily cost tens of thousands of dollars, these steps could pay substantial dividends down the road.
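The two paragraphs above turn on a pair of mechanical questions: does a record pair a name with one of the listed data elements, and is that element stored encrypted or redacted to the statutory standard (only the last four digits accessible, at least two digits removed)? The following Python is an added example, not part of the original article and not derived from the statute's text, that applies both checks to stored records. The field names, the protection labels ("encrypted", "redacted") and the sample records are constructed assumptions. It deliberately distrusts a field merely labelled "redacted": the stored value is re-checked against the standard, which catches mislabelled data that would still be in scope.

```python
"""Added example: classify stored records against the "personal information"
definition summarized above and apply the statutory redaction standard.
Field names, protection labels and sample records are assumptions."""
from dataclasses import dataclass, field

# Data elements that count as PI when combined with a name (assumed field names).
PI_ELEMENT_FIELDS = {
    "ssn", "drivers_license", "signing_private_key", "financial_account",
    "health_insurance_id", "medical_info", "passport", "taxpayer_id", "biometric",
}
MASK = "*"


def redact(value: str, mask: str = MASK) -> str:
    """Replace every digit except the last four with `mask`.

    The standard requires at least two digits to be removed, so a value with
    fewer than six digits cannot be redacted this way; that is reported as an
    error rather than silently stored in the clear.
    """
    n_digits = sum(c.isdigit() for c in value)
    to_mask = n_digits - 4
    if to_mask < 2:
        raise ValueError(f"cannot redact {n_digits}-digit value: fewer than two digits would be removed")
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(mask if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def meets_redaction_standard(stored: str, mask: str = MASK) -> bool:
    """No more than four digits visible and at least two digits masked
    (mask characters are counted as removed digits)."""
    visible = sum(c.isdigit() for c in stored)
    removed = stored.count(mask)
    return visible <= 4 and removed >= 2


@dataclass
class Record:
    fields: dict                                      # field name -> stored value
    protection: dict = field(default_factory=dict)    # field name -> "encrypted" | "redacted"; absent = plaintext


def has_name(rec: Record) -> bool:
    """First name or first initial combined with last name."""
    f = rec.fields
    return bool(f.get("last_name")) and bool(f.get("first_name") or f.get("first_initial"))


def exposed_pi_elements(rec: Record) -> list[str]:
    """PI data elements in `rec` that are neither encrypted nor properly
    redacted. A "redacted" label is trusted only if the stored value actually
    meets the redaction standard."""
    exposed = []
    for name, value in rec.fields.items():
        if name not in PI_ELEMENT_FIELDS or not value:
            continue
        how = rec.protection.get(name)
        if how == "encrypted":
            continue
        if how == "redacted" and meets_redaction_standard(value):
            continue
        exposed.append(name)
    return sorted(exposed)


def requires_notification_analysis(rec: Record) -> bool:
    """True when the record pairs a name with at least one exposed PI element.
    This is only the threshold question; the statute's other tests (actual
    unauthorized acquisition, likelihood of substantial economic loss) still apply."""
    return has_name(rec) and bool(exposed_pi_elements(rec))


# Constructed sample records (not real data).
SAMPLES = {
    "plaintext_ssn": Record({"first_name": "Ana", "last_name": "Ruiz", "ssn": "123-45-6789"}),
    "redacted_ssn": Record({"first_initial": "A", "last_name": "Ruiz", "ssn": redact("123-45-6789")},
                           {"ssn": "redacted"}),
    "mislabelled": Record({"first_name": "Ana", "last_name": "Ruiz", "ssn": "12*-45-6789"},
                          {"ssn": "redacted"}),   # labelled redacted, but eight digits still visible
    "encrypted_card": Record({"first_name": "Ana", "last_name": "Ruiz", "financial_account": "<ciphertext>"},
                             {"financial_account": "encrypted"}),
    "no_name": Record({"ssn": "123-45-6789"}),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label:15} exposed={exposed_pi_elements(rec)} "
              f"notify_analysis={requires_notification_analysis(rec)}")
```

Running the block prints, for each sample, which elements remain exposed and whether the record crosses the threshold; the "mislabelled" sample shows why the stored value, not the label, should drive the decision when an inventory is used to scope a breach response.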
Notice also is not required if the computerized data was accessed or acquired by an employee or agent of the entity for a legitimate purpose and the data was not otherwise improperly used. For example, this could apply if an employee mistakenly accesses a database containing PI.
Further, as noted, notice does not need to be provided if the security breach did not result in and is not reasonably likely to result in substantial economic loss to affected individuals. The law allows that determination to be made by the person, an independent third-party forensic auditor, or a law enforcement agency.
If notice is required, the notice must provide at least the following:
- the approximate date of the breach;
- a brief description of the PI involved in the breach;
- the toll-free numbers and addresses for the three largest nationwide consumer reporting agencies; and
- the toll-free number, address, and website address for the FTC or any federal agency that assists consumers with identity theft matters.
If an entity will have to notify more than 1,000 individuals, it also must notify the three largest nationwide consumer reporting agencies and the Arizona Attorney General.
Arizona also is one of only a few states that require notice if a breach involves the loss of log-in credentials for online accounts. Specifically, the Arizona law encompasses the loss of usernames or email addresses, in combination with passwords or security questions and answers that allow access to online accounts. If the breach is restricted to that information (and does not include the loss of other PI), notice can be provided in an electronic form that directs individuals to change their passwords and security questions/answers. The notice also should direct individuals to change their log-in information for any other online account that uses the same information. If the compromised information is for an email account, notice does not need to be provided to that email address but rather can be provided to the individuals when they are connected to the online account from an internet protocol address or online location that they are known to customarily use.
Entities that possess or maintain unencrypted PI that they do not own or license (e.g., a payroll vendor or cloud service provider) are required to notify the owner of the information "as soon as practicable" if they suffer a security breach, and must cooperate in any investigation. However, unless an agreement between the parties provides otherwise, the data owner (and not the third-party service provider that suffered the breach) must provide notice of the breach to affected individuals. Because of that, entities should consider requiring third-party service providers to indemnify them for any costs incurred in having to provide notice. Alternatively, entities could consider requiring the third-party service provider to provide the notice; however, for customer-relations purposes, it may be better for the entity to provide the notice itself.
Additionally, to mitigate the risk of a breach even occurring, entities should contractually require third-party service providers to implement reasonable security measures to protect the computerized data. For example, third-party service providers could be contractually required to encrypt data in transit and at rest, implement access controls, and segregate the data on their systems. Entities that frequently disclose PI to third-party service providers also should consider creating a vendor questionnaire and form of contractual terms to streamline this process and ensure that PI is adequately protected across different service providers.
The Arizona Attorney General is authorized to enforce the statute and bring an action against any entity that fails to comply. The Attorney General is permitted to impose a civil penalty not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss sustained by affected individuals, with a cap of $500,000. The Attorney General also may recover restitution for affected individuals.
The law does not apply to entities that are subject to Title V of the Gramm-Leach-Bliley Act, to entities regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or to a charitable fund-raising foundation or nonprofit corporation whose primary purpose is to support a specified HIPAA covered entity, provided that the foundation or nonprofit corporation complies with any applicable HIPAA provision or regulation.
It is worth noting that all 50 states have statutes that require notice to individuals if their PI is compromised. However, those statutes vary widely. For example, state laws vary on how quickly notice must be provided and what types of information the notice must include. Therefore, entities that suffer a data breach should consider retaining outside privacy/cybersecurity counsel to conduct an investigation and to navigate through the legal requirements of providing notice, if necessary.