On April 11, 2018 Governor Ducey signed into law Arizona HB2154. The bill amended the existing Arizona ‘data breach’ law and was designed to add enhanced protection for customer and client data. The amended law added new notification procedures and requirements for any company that experiences a data breach in Arizona.

For instance, A.R.S. §18-551 now expands the definition of personal information to include all online data, including names when connected to health insurance and medical information. Passwords, security questions and answers and email addresses and passport and tax identification numbers are now defined as protected personal data. The new amendments also expand the definition to include any biometric information collected on customers and clients.

Importantly, Arizona companies which learn of a data breach must notify the affected individuals in writing (either by U.S. mail, e-mail or telephone, whichever is the individuals preferred method of contact) within 30 days of learning of the breach. Such written notifications must include: the approximate date of the breach, a description of the personal information that was compromised, toll-free numbers for the three largest consumer reporting agencies (when more than 1000 individuals are impacted by the breach) and contact information for Federal Trade Commission. Exceptions to the notice requirement exist when the cost of providing notice will exceed $250,000 or the company does not have sufficient contact information for all individuals who must be notified.

Arizona companies should take heed of this new law as the maximum civil penalties have been increased to $500,000 per breach for “willful” violation of the new state law. This amounts to a substantial increase from the previous maximum of $10,000 per violation. A.R.S. §18-551 now clearly details the Attorney General’s enhanced investigation and enforcement powers for data breaches in the state of Arizona.

A full text of House Bill 2154 is available here<https://www.azleg.gov/legtext/53leg/2R/laws/0177.pdf>.

Should you or your company need advice on how to navigate this enhanced data breach law, please feel free to contact the lawyers at Carson Messinger at 602-264-2261 or rrutila@carsonlawfirm.com.