Arizona Updates Data Breach Notice Law With Capped Penalties

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Companies in Arizona hit with a data breach will now face up to $500,000 in civil fines from the state attorney general if they don’t notify affected consumers within 45 days, under a new law signed by Governor Doug Ducey (R).

Recent massive data breaches and a growing consumer focus on privacy issues has led multiple states to either enact or update data breach notification laws. Every U.S. state and the District of Columbia now have data breach notification statutes, after Alabama and South Dakota passed laws earlier this year.

The new standard updates Arizona’s data breach notification statute by specifying that companies have 45 days to notify impacted individuals. If a data breach involves more than 1,000 consumers, companies will have to alert the state attorney general and the three largest consumer credit reporting agencies—Equifax Inc., Experian Plc, and TransUnion. Companies subject to the law also must promptly start internal investigations into the breach.

Companies get some reprieve from the 45-day notice rule if they directly work with law enforcement. These companies, if directed by a law enforcement agency such as the FBI, Department of Justice, or state-level equivalents, would have to notify affected consumers 45 days after law enforcement determines that the notification no longer compromises the investigation.

The measure also would cap civil penalties arising from a data breach to $500,000. Consumers do not have a private right of action to directly sue companies for failure to follow the law. Only the state attorney general can enforce alleged violations.

The law also clarifies the types of personal information that, if breached, would trigger the notification requirement. For example, login credentials that aren’t publicly available, such as usernames, email addresses, and passwords, would all be considered protected data and subject to the law following a breach.

Licensees and non-owners of data have different reporting standards and must notify data-owners of a breach “as soon as practicable” upon discovering a breach. Licensees, however, don’t have to report to the attorney general or consumers unless previously specified in a contract with the data-owner.

The update to Arizona’s data breach notification law was supported by state Attorney General Mark Brnovich (R), the Arizona Chamber of Commerce and cable television and internet provider Cox Communications Inc.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Barbara Yuill at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security