Arizona

Ariz. Rev. Stat. § 44-7501; S.B. 1338 (signed into law April 26, 2006, Chapter 232)
Effective December 31, 2006
Application. Any person or entity (collectively, Entity) that conducts business in AZ and that owns or licenses unencrypted computerized data that includes PI.
- The provisions governing maintenance of PI that the Entity does not own appear to apply to any Entity maintaining information on state residents, whether or not the Entity conducts business in the state.
Security Breach Definition. An unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of PI maintained by an Entity as part of a database of PI regarding multiple individuals, and that causes or is reasonably likely to cause substantial economic loss to an individual.
- Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security system, provided the PI is not used for a purpose unrelated to the Entity and is not subject to further willful unauthorized disclosure.
Notification Obligation. When an Entity to which the statute applies becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's PI, it shall conduct a reasonable investigation and, if it determines that a breach of the security system has occurred, notify the individuals affected.
- An Entity is not required to disclose a breach if the Entity or a law enforcement agency, after a reasonable investigation, determines that a breach of the security of the system has not occurred or is not reasonably likely to occur.
Third-Party Data Notification. If an Entity maintains unencrypted data that includes PI that the Entity does not own, the Entity shall notify the owner or licensee of the information of any breach of the security of the system following discovery of the breach, without unreasonable delay, and shall cooperate with the owner or licensee. Cooperation shall include sharing information relevant to the breach with the owner or licensee. The person or entity that owns or licenses the computerized data shall provide notice to the individual. The Entity that maintained the data under an agreement with the owner or licensee is not required to provide notice to the individual unless the agreement stipulates otherwise.
Timing of Notification. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with any measures necessary to determine the nature and scope of the breach, to identify the individuals affected, or to restore the reasonable integrity of the data system.
Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable:
- Social Security Number;
- Number on a driver license issued pursuant to § 28-3166 or number on a nonoperating identification license issued pursuant to § 28-3165; or
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
PI does not include publicly available information that is lawfully made available to the general public from the federal, state, or local government.
Notice Required. Notice may be provided by one of the following methods:
- Written notice;
- Telephonic notice; or
- Electronic notice if the Entity’s primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available. Substitute notice is permitted if the Entity can demonstrate that the cost of providing notice would exceed $50,000 or that the affected class of persons to be notified exceeds 100,000. Substitute notice shall consist of all of the following:
- Email notice if the Entity has email addresses for the individuals subject to the notice;
- Conspicuous posting of the notice on the Web site of the Entity if the Entity maintains one; and
- Notification to major statewide media.
Exception: Compliance with Other Laws.
- Primary Regulator. Notification pursuant to laws, rules, regulations, guidances, or guidelines established by an Entity's primary or functional state regulator is sufficient for compliance.
- Gramm-Leach-Bliley Act. The provisions of this statute shall not apply to any Entity who is subject to the provisions of Title V of the Gramm-Leach-Bliley Act.
- HIPAA-Covered Entities. A provider of health care, health care service plan, health insurer, or a covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed in compliance with this chapter.
Other Key Provisions:
- Delay for Law Enforcement. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by the statute must be made after the law enforcement agency determines that notification will no longer impede the investigation.
- AG Enforcement. The state AG may seek actual damages for willful and knowing violations, as well as a civil penalty not to exceed $10,000 per breach or series of similar breaches.