Last month, South Dakota and Alabama became the final two states to enact a data breach notification law. In addition, many other states, in response to trends, heightened public awareness, and a string of large-scale data breaches, have continued amending their existing laws. Arizona is the latest state to update its data breach notification law to reflect recent trends.
Introduced in January and signed into law recently by Arizona Governor Doug Ducey, the new law has several key updates, including:
- Expands the definition of personal information to encompass:
- information about an individual’s medical or mental health treatment or diagnosis by a healthcare professional;
- a private key that is unique to an individual and is used to authenticate or sign an electronic record;
- an individual health insurance identification number;
- a passport number;
- a taxpayer identification number or an identity protection personal identification number issued by the IRS;
- unique biometric data used for online authentication purposes; or
- an individual’s username or email address, in combination with password or security question and answer, that allows access to an online account.
- Sets a 45-day notification requirement for consumers affected by the breach.
- Risk of harm analysis: notification not required if a third-party forensic investigator or law enforcement agency determines that the “breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
- Types of notice: notice may be accomplished via email if the entity providing notice has email addresses for individuals subject to notification.
- Notification content requirement: notice must contain the date of the breach, a brief description of the information disclosed, and contact information for the three largest consumer credit reporting agencies, and the Federal Trade Commission.
- If the breach affects more than 1,000 people, notice must be provided to the consumer credit reporting agencies and the state Attorney General.
- The Attorney General can impose civil penalties on violators of $10,000 per affected individual or the total economic loss sustained by affected individuals up to a max of $500,000.
Today’s nationwide patchwork of state breach notification laws continues to evolve, and requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions.