Scope of This Summary:
Notification requirements applicable to persons or entities that conduct business in the state and own, license, or maintain covered information. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Unauthorized acquisition of, and unauthorized access to, covered information that materially compromises the security or confidentiality of that information, where the information is maintained as part of a database of personal information regarding multiple individuals, and where the breach causes or is reasonably likely to cause substantial economic loss to a resident. Good-faith acquisition by an employee or agent is excluded.
Encryption Safe Harbor
The statute does not apply to information that is encrypted, redacted, or otherwise secured by a method that renders the data elements unreadable or unusable.
Form of Covered Information
- Personal information means an individual's first name or first initial and last name in combination with one or more of the following data elements:
  - Social Security number.
  - Driver's license number (license issued pursuant to § 28-3166) or non-operating identification license number (license issued pursuant to § 28-3165).
  - A private key that is unique to an individual and that is used to authenticate or sign an electronic record.
  - A financial account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account.
  - A health insurance identification number.
  - Information about an individual's medical or mental health treatment or diagnosis by a healthcare professional.
  - Passport number.
  - Taxpayer identification number or an identity protection personal identification number issued by the United States Internal Revenue Service.
  - Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.
- Personal information also means the following, on its own and without a name element:
  - An individual's username or email address in combination with a password or security question and answer that allows access to an online account.
- Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or from widely distributed media.
Consumer Notice Timing
Notice is required within 45 days of the determination that a breach has occurred.
Consumer Notice Method
By written notice; by email, if the entity has email addresses for the individuals subject to the notice; or by telephone, if contact is made directly with the affected individuals and not through a prerecorded message. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
- Notifications to affected individuals must include at least:
  - The approximate date of the breach.
  - A brief description of the personal information included in the breach.
  - The toll-free numbers and addresses for the three largest nationwide Consumer Reporting Agencies.
  - The toll-free number, address, and website address for the Federal Trade Commission or any federal agency that assists consumers with identity theft matters.
- For a breach involving only an individual's username or email address in combination with a password or security question and answer that allows access to an online account, an entity may comply with the notification requirements by:
  - Providing the notification in an electronic form that directs the affected individual to promptly change their password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the entity and all other online accounts for which the individual uses the same username or email address and password or security question and answer.
Notification may be delayed if law enforcement advises that notice would impede a criminal investigation. Notice must then be made no later than 45 days after law enforcement informs the entity that delay is no longer required.
Attorney General Notice
If notice to more than 1,000 residents is required, the entity shall notify the Attorney General.
Consumer Reporting Agency Notice
If notice to more than 1,000 residents is required, the entity shall notify the three largest nationwide Consumer Reporting Agencies within 45 days.
Exceptions for Other Laws
The statute exempts the following entities from compliance: any person subject to the federal Gramm-Leach-Bliley Act (GLBA); any person subject to the federal Health Insurance Portability and Accountability Act (HIPAA).
Third-Party Notice
An entity that maintains unencrypted computerized data that includes covered information on behalf of another entity must notify that entity without unreasonable delay following discovery of a breach, and must cooperate by sharing relevant information about the breach.
Private Right of Action
The Arizona statute does not provide for a private right of action.
Violations may result in civil penalties.