What Arizona Businesses Need to Know About Arizona’s Data Breach Law

Home / Blog / Business Litigation / What Arizona Businesses Need to Know About Arizona’s Data Breach Law
What Arizona Businesses Need to Know About Arizona’s Data Breach Law

The prevalence of data breaches over the past decade has led to the imposition of data breach laws in every U.S. state. These laws not only define what a data breach is, they also specify how companies are to notify those potentially harmed by a breach and assess penalties for failure to notify.

Arizona’s data breach law applies to any organization or person doing business in Arizona that owns, stores, or licenses data that includes personal information. Arizona defines “personal information” as a person’s first name or initial and last name combined with any of the following unsecured information:

  • Social Security number
  • Driver’s license or state identification card number
  • Passport number
  • Unique private key used as an electronic signature
  • Credit, debit, or financial account number combined with required PIN
  • Health insurance identification number
  • Health care information, including medical treatment or diagnosis
  • Taxpayer identification number or identity protection personal ID number issued by the IRS
  • Unique biometric data

Arizona data breach notification requirements

Arizona law defines breach as “an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.”

Once a company has confirmed a breach has occurred, it has 45 days in which to notify the affected parties. The notification can be delivered by phone, mail, or email. If more than 1,000 people were affected by the breach, the Arizona Attorney General must be notified.

If more than 100,000 people were affected by a breach, or if the notice would exceed $50,000, Arizona law permits a substitute notice in the form of (1) a written notice to the Arizona Attorney General providing the reason(s) for a substitute notice; and (2) posting a notice in a conspicuous place on the website of the breached company for at least 45 days.

Companies that fail to notify individuals of a data breach are subject to a fine of $10,000 per person affected by the breach, not to exceed $500,000. The power to enforce the law resides with the Arizona Attorney General, who may file suit against a company for egregious disregard of the Arizona data breach law.

Williams Mestaz, L.L.P., has the experience and reputation that you want when you are dealing with a business-related lawsuit. We are here to obtain the best possible outcome for your situation. Do not hesitate to contact Williams Mestaz, L.L.P., at (602) 256-9400, and see how we can help you resolve your legal matter.

Leave a Reply

Your email address will not be published. Required fields are marked *

The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for advice regarding your individual situation. We invite you to contact us, though doing so does not create an attorney-client relationship. Please do not send any confidential information to us until such time as an attorney-client relationship has been established. Our description of what we believe to be superior technology and how we win cases reflects our typical approach to litigation, which we believe:  (i) gives us a competitive advantage, and (ii) is responsible for any success we have had. But we do not win every case. Other lawyers may have technology or approaches that they believe gives them an advantage. Also, the results that we have obtained in other cases or that are described in our clients’ testimonials do not guarantee, promise, or predict the outcome of your case, which depends on the law, facts, and evidence specific to it.