Effective August 1, 2018, House Bill 2154, recently signed by the Arizona governor, will expand the current Arizona data breach notification law. Following the trend of other states, the amended statute expands the definition of “personal information.” The law will now require individual and regulatory notification within 45 days of a breach, and it will expand the risk of harm provision so that individual or regulatory notification is not required if it is determined that the breach is unlikely to result in substantial economic loss to affected individuals.
Expanded Definition of Personal Information
Prior to the amendment, Arizona’s definition of “personal information” was consistent with that of many other states and included an individual’s first name or first initial and last name in combination with their Social Security number, driver’s license number, and financial account or credit card number in combination with a security code or password.
The new definition of “personal information” encompasses “specified data element[s],” including usernames and passwords, digital signature keys, passport numbers, an individual’s taxpayer identification number or IRS PIN, and biometric data. Arizona is the eighth state to include biometric data in the definition of personal information.
Arizona’s revamped definition of “personal information” also includes an individual’s medical treatment or diagnosis information and health insurance identification numbers.
Timing and Form of Individual and Regulatory Notice
As amended, the statute requires information holders to notify affected individuals within 45 days of determining through an investigation that a “security system breach” occurred. Prior to the amendment, the statute required only that affected individuals be notified “without unreasonable delay.”
The amended statute also requires notification to the Arizona attorney general and the “three largest nationwide consumer reporting agencies” if 1,000 or more Arizona residents are given notice of the breach. Previously, regardless of the number of Arizona residents involved in the incident, there was no requirement to notify the Arizona attorney general or the consumer reporting agencies. Information holders that do not meet the new 45-day deadline are subject to civil fines of up to $500,000.
Arizona’s amendment simplifies e-mail notification by removing the E-Sign Act requirement. Should an organization provide a substitute notice, it is no longer required to give notice to statewide media. Instead, an organization must provide the attorney general with a written explanation that “demonstrates the facts necessary for substitute notice.”
Risk of Harm Provision
Although the amended statute expands the protections afforded to individuals, it also provides relief to information holders by revamping the risk of harm provision. Prior to the amendment, information holders were not required to notify individuals if it was determined that a breach did not occur. Now, notification to individuals and regulators is not required if the information holder, an independent forensic firm or a law enforcement agency determines that the breach is “not reasonably likely to result in substantial economic loss to affected individuals.” In other words, even if an information holder determines that a breach occurred, it may not be necessary to notify individuals or regulators if the circumstances surrounding the incident make it unlikely that the data will be used to cause economic harm.
For additional information regarding data breach notification statutes enacted in the United States and worldwide, please refer to BakerHostetler’s state-by-state survey of data breach notification laws and key issues in state data breach notification laws.