Mandated Timeframe for Breach Reporting and/or Consumer Notification
Within 45 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach notification laws:
- $10,000 per individual up to $500,000
None to minimal
The attorney general may recover damages for individuals affected by a breach.
All Arizona residents affected by a breach must be notified within 45 days after the breach has been determined.
If more than 1,000 Arizona residents have been affected by a breach, regulatory reporting to the Attorney General and all credit reporting agencies must be completed within 45 days.
There are other notification requirements when the breach involves an individual’s username or email address.
A person or entity that knowingly or intentionally violates regulations for the restricted disclosure of Social Security numbers is subject to a civil penalty of $100 for each violation.
An entity that knowingly discards or disposes of records or documents without redacting personal identifying information (some exceptions apply) is in violation and is subject to a civil penalty of $500 for a first violation, $1,000 for a second violation, and $5,000 for a third or subsequent violation.
A retailer that knowingly or intentionally violates the restrictions for the use, retention and disclosure of consumers' driver's license or identification card is subject to a civil penalty of $500 for a first violation, $1,000 for a second violation, and $5,000 for a third or subsequent violation.
If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing any regulatory and consumer notifications.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Sector-specific laws (health, education) include specific protections for personal information, such as security procedures and practices, contractual requirements for vendors, and an individual’s right to access their personal information.
Statutes and Laws
Ariz. Rev. Stat., §§ 15-1041-1046 Student Accountability Information System
Ariz. Rev. Stat., §§ 18-551 & 18-552 Data security breaches
Ariz. Rev. Stat., §§ 36-3801-3809 Provisions of health information organizations
Ariz. Rev. Stat., §§ 44-1373-1373.03 Restricted use of Personal Identifying Information
Ariz. Rev. Stat., § 44-7012 Electronic records retention
Ariz. Rev. Stat., § 44-7601 Discarding and disposing of Personal Identifying Information Records
Ariz. Rev. Stat., § 44-7701 Retention of customer information; transmission to third parties prohibited