The prevalence of data breaches over the past decade has led to the imposition of data breach laws in every U.S. state. These laws not only define what a data breach is; they also specify how companies are to notify those potentially harmed by a breach, and they assess penalties for failure to notify.
Arizona’s data breach law applies to any organization or person doing business in Arizona that owns, stores, or licenses data that includes personal information. Arizona defines “personal information” as a person’s first name or initial and last name combined with any of the following unsecured information:
- Social Security number
- Driver’s license or state identification card number
- Passport number
- Unique private key used as an electronic signature
- Credit, debit, or financial account number combined with required PIN
- Health insurance identification number
- Health care information, including medical treatment or diagnosis
- Taxpayer identification number or identity protection personal ID number issued by the IRS
- Unique biometric data
Arizona data breach notification requirements
Arizona law defines breach as “an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.”
Once a company has confirmed a breach has occurred, it has 45 days in which to notify the affected parties. The notification can be delivered by phone, mail, or email. If more than 1,000 people were affected by the breach, the Arizona Attorney General must be notified.
If more than 100,000 people were affected by a breach, or if the cost of providing the notice would exceed $50,000, Arizona law permits a substitute notice in the form of (1) a written notice to the Arizona Attorney General providing the reason(s) for a substitute notice; and (2) posting a notice in a conspicuous place on the website of the breached company for at least 45 days.
Companies that fail to notify individuals of a data breach are subject to a fine of $10,000 per person affected by the breach, not to exceed $500,000. The power to enforce the law resides with the Arizona Attorney General, who may file suit against a company for egregious disregard of the Arizona data breach law.
Williams Commercial Law Group, L.L.P., has the experience and reputation that you want when you are dealing with a business-related lawsuit. We are here to obtain the best possible outcome for your situation. Do not hesitate to contact Williams Commercial Law Group, L.L.P., at (602) 256-9400, and see how we can help you resolve your legal matter.