Arizona
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe
Within 45 days
FINES & PENALTIES – Violations
$10,000 to $500,000 per individual

Regulation Levels
- Breach Reporting
- Consumer Notification
- Vendor Management
- Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting: Required
Vendor Obligations: Required
Consumer Notification: Required
Vendor Contracts: Not Required
Vendor Notification: Required
Privacy Program: Required
QUICK FACTS
Arizona Privacy Law Information
Organizations may contract with Vendors to handle consumer notifications and/or regulatory reporting.
A data breach affecting 1,000 or more Arizona residents must be reported to the AZ Attorney General, the Director of the AZ Department of Homeland Security, and all credit reporting agencies within 45 days.
All Arizona residents affected by a breach must be notified within 45 days after the determination of the breach. If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
A vendor discovering a breach or suspected breach must notify the organization. The organization is responsible for reporting to the regulator and consumer notification. Vendors must cooperate with Organizations and provide all necessary information about a breach incident.
Educational facilities must implement and maintain a data governance plan and are required to provide employee training on student privacy laws. There are sector-specific vendor contract requirements for educational entities. Educational facilities must provide notification to parents in the event of a breach.
Arizona’s Genetic Information Privacy law governs the collection, use and disclosure of, and consent for, residents’ genetic data, and mandates that companies implement a comprehensive security program. In addition, genetic testing companies (GTCs) are required to publish a privacy notice detailing the collection, consent, use, access, disclosure, transfer, security and retention/deletion practices of their data. GTCs must provide a process for the access or deletion/destruction of genetic data or biological samples. A GTC may not disclose a direct resident consumer’s genetic data to an employer, or to any entity that offers health, life or long-term care insurance, without the consumer’s express written consent.
Arizona Statutes and Laws
Student accountability information system
Data Security Breaches
Provisions of Health Information Organizations
Restricted use of personal identifying information
Electronic records retention
Discarding and disposing of personal identifying information records
Retention of customer information; transmission to third parties prohibited
Genetic Testing Companies
DISCLAIMER
The information provided is not legal guidance or recommendations and is for informational purposes only.