Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- $10,000 per individual up to $500,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • The attorney general may recover damages for individuals affected by a breach.
  • All Arizona residents affected by a breach must be notified within 45 days after the determination of the breach has been made.
  • If more than 1,000 Arizona residents have been affected by a breach, regulatory reporting to the Attorney General and all credit reporting agencies must be completed within 45 days.
  • There are other notification requirements when the breach involves an individual’s username or email address.
  • A person or entity that knowingly or intentionally violates regulations for the restricted disclosure of Social Security numbers is subject to a civil penalty of $100 for each violation.
  • An entity that knowingly discards or disposes of records or documents without redacting personal identifying information (some exceptions apply) is in violation and is subject to a civil penalty of $500 for a first violation, $1,000 for a second violation, and $5,000 for a third or subsequent violation.
  • A retailer that knowingly or intentionally violates the restrictions for the use, retention and disclosure of consumers’ driver’s license or identification card is subject to a civil penalty of $500 for a first violation, $1,000 for a second violation, and $5,000 for a third or subsequent violation.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing any regulatory and consumer notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Sector-specific laws (health, education) include specific protections for personal information, such as security procedures and practices, contractual requirements for vendors, and an individual’s right to access their personal information.
Statutes and Laws
  • Ariz. Rev. Stat., §§ 15-1041-1046 Student Accountability Information System
  • Ariz. Rev. Stat., §§ 18-551 & 18-552 Data security breaches
  • Ariz. Rev. Stat., §§ 36-3801-3809 Provisions of health information organizations
  • Ariz. Rev. Stat., §§ 44-1373-1373.03 Restricted use of Personal Identifying Information
  • Ariz. Rev. Stat., § 44-7012 Electronic records retention
  • Ariz. Rev. Stat., § 44-7601 Discarding and disposing of Personal Identifying Information Records
  • Ariz. Rev. Stat., § 44-7701 Retention of customer information; transmission to third parties prohibited