Governor Ducey signed HB 2154 into law, updating and strengthening Arizona’s data breach consumer protection statute. The bill bolsters protections and adds notification requirements for victims of a data breach.
Highlights from the new state law include:
- Expanding the definition of protected “personal information” to include online account credentials, as well as an individual’s name in combination with health insurance or other medical information, passport or taxpayer identification numbers, or certain biometric data;
- Requiring that notice to individuals affected by a breach be provided within 45 days after determining that a breach has occurred (whereas existing law provided no definitive deadline);
- Clarifying the necessary content and available delivery methods for notifications to consumers;
- Requiring notification to the three largest consumer reporting agencies for any breach involving more than 1,000 individuals;
- Increasing the maximum civil penalty for a knowing or willful violation of the statute from $10,000 per breach to $500,000 per breach; and
- Clearly explaining the Attorney General’s powers in connection with the investigation and enforcement of data-breach matters.