Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

ARIZONA DATA PRIVACY REGULATIONS

Did You Know?

 
  • Comprehensive provisions for notifications
  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Violations may result in state attorney general action to obtain actual damages and/or a civil penalty of up to $10,000
  • Laws cover data protection, data disposal, record retention, and more

Who Me?

 

Arizona breach and notification laws may apply if you:

  • Are a person that conducts business in AZ and owns or licenses data that includes unencrypted computerized PII 
  • Maintain unencrypted computerized PII that you do not own 

There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?

 

PII relevant to a breach in Arizona includes a person's name plus one of the following:

  • Social Security Number
  • Driver license or non-operating identification number
  • Account number or credit or debit card number in combination with any security code, access code, password, etc. permitting access to the person's account

LAWS

APPLICABLE LAWS

TITLE 44 - TRADE AND COMMISSION / Chapter 32 - Notification for Compromised Personal Information / Article 1 - General Provisions / 44-7501/all sections

RELATED LAWS

TITLE 44 - TRADE AND COMMISSION:

  • Chapter 9 / 44-1373-Restricted use of personal identifying information
  • Chapter 26 / 44-7012-Electronic records retention; originals
  • Confidentiality of patient records - Ohio Admin. Code 4729-5-29
  • Chapter 33 / 44-7601-Discarding and disposing of records containing PII
  • Chapter 34 / 44-7701-Retention of customer information

PENALTIES

$10,000 PER BREACH

In Arizona, the attorney general can bring an action for a willful and knowing violation to obtain damages and a civil penalty of up to $10,000 PER BREACH or series of breaches of a similar nature that are discovered in a single investigation.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when evaluating reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If it was acquired by an unauthorized person
  • If there is a risk of the information being used for an unauthorized purpose

TIME LIMITS

Notifications must be made in the most expedient manner possible and without unreasonable delay, unless law enforcement advises the person it will impede a criminal investigation.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Disclosure may be made by written notice, electronically (with stipulations), or by telephone. A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $50,000, the number of persons to be notified exceeds 100,000, or sufficient contact information is not available.
