What Businesses Need to Know About Arizona’s New Data Breach Law

In August of 2018, Arizona’s strong new data protection law went into effect. Authored by Arizona Attorney General Mark Brnovich, A.R.S. § 18-551 et seq. imposes strict reporting requirements and tough penalties on businesses that fail to protect their Arizona customers’ personal information.

Data breaches exposing the personal information of Arizona residents have been on the rise. For example, Arizona recently settled a lawsuit against Uber, recovering more than $2.7 million in connection with a data breach where the personal information of about 17,500 Arizona-based Uber drivers was stolen. The United States Department of Health and Human Services’ Office of Civil Rights is currently investigating Arizona-based Banner Health for a 2016 data breach that impacted 3.7 million patients at 27 locations, including in Arizona. In May of 2018, the City of Goodyear, Arizona notified its utility customers that the debit and credit card information it stored in connection with its online bill payment program had been compromised.

Arizona’s new data breach law is an effort to hold businesses that fail to protect individuals’ private information accountable. It applies to all persons and entities conducting business in Arizona that own, maintain, or license unencrypted and unredacted computerized personal information of their customers. The law applies to a wide range of non-public personal information, from online account credentials such as user names, passwords, and security question answers, to medical information, passport and taxpayer identification numbers, social security numbers, and driver’s license numbers, to biometric data.

Under the new law, a business that is a victim of a data breach must determine whether the breach is likely to cause substantial economic loss to affected individuals. If the business or a law enforcement agency determines that such substantial economic loss is likely, the business must notify the affected individuals within 45 days after discovering the breach occurred. In cases where 1,000 or more individuals are affected, businesses must also report the breach to the three largest national consumer reporting agencies and to the Arizona Attorney General.

The law empowers the Arizona Attorney General to impose civil penalties on businesses that knowingly or willfully violate these reporting requirements up to a maximum of $500,000 per breach. These penalties are in addition to any restitution the Arizona Attorney General may recover for affected individuals.

Businesses need to take steps to ensure that they comply with the new data protection law. First, businesses should, if possible, encrypt all personal data they collect and store regarding their customers. Businesses should routinely monitor the security of their data collections and put steps in place to quickly detect any potential breaches. Finally, businesses should develop a response plan that enables them to quickly and comprehensively assess the scope and potential economic impact of any breach and to notify customers who may be affected.

Sarah S. Letzkus (sletzkus@rllaz.com) is an attorney in Rusing Lopez & Lizardi’s Tucson, AZ office whose practice focuses on civil and commercial litigation and employment law. She represents businesses and individuals in all stages of dispute resolution, including pre-litigation settlement negotiations, administrative agency investigations, jury trials, bench trials, mediation, and appeals. She was named a Southwest Super Lawyer “Rising Star” in 2017 and 2018. She has served on the Tucson Metro Chamber of Commerce’s Emerging Leaders Council since July of 2018.

Disclaimer: The foregoing is not legal advice and does not create an attorney-client relationship. If you have any questions or require any assistance, please contact Ms. Sarah S. Letzkus at sletzkus@rllaz.com or (520) 529-4282.