A new law taking effect this summer means Arizona employers will face more stringent requirements in the event of a breach of personal information (PI) of customers or employees.
Governor Doug Ducey signed House Bill 2154 into law on April 11, and it will take effect 90 days after the current legislative session comes to an end. The bill was introduced with the backing of Arizona Attorney General Mark Brnovich, who said it will provide clarity on businesses’ and government organizations’ obligations after a data breach. Proponents of the new law call it one of the most comprehensive and pro-consumer data breach laws in the country.
A breach of PI generally triggers notification duties, and Arizona’s current law defines PI narrowly: an individual’s first name or first initial and last name combined with a Social Security number, driver’s license number, nonoperating identification license number, or a financial account, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
When the new law becomes effective, Arizona’s definition of PI will be among the broadest in the nation. Under the new law, the list of “specified data elements” that constitutes PI when combined with first and last names or a first initial and a last name carries over the full list under prior law and adds to it:
- A private key unique to an individual used to authenticate or sign an electronic record;
- A health insurance identification number;
- Information about an individual’s medical or mental health treatment or diagnosis;
- A passport number;
- A taxpayer identification number or an identity protection personal identification number issued by the IRS; and
- Biometric data (if used to access an online account).
For online accounts, the new law creates an additional category of PI—a username or e-mail address combined with a password or a security question and answer. The new law also includes increased notice requirements and increased penalties.
The new law requires that notice be provided to affected individuals regardless of the size of the breach (with one exception) and sets a 45-day deadline for providing that notice. The exception is narrow: it applies only if the person with the notice obligation, an independent third-party forensic auditor, or a law enforcement agency determines, after a reasonable investigation, that the breach “has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
What Employers Should Do
Arizona employers should use the short window before the stricter law takes effect to review their internal procedures for detecting, investigating, and reporting potential data breaches. They also need to confirm they can meet the 45-day notice deadline whenever a breach occurs and notice is required.
In addition, employers should talk to their insurance broker to make sure they have the right coverage if a breach occurs. Finally, HR and IT personnel should be working together both to prevent data breaches and to respond quickly when one does happen.
For more information on the new Arizona data breach law, see the May issue of Arizona Employment Law Letter.