Changes to data breach notification laws continue to pop up across the country this spring. The latest comes from a new law signed by Arizona Governor Doug Ducey that amends the state's data breach standards. Although much of the Arizona law remains the same, the new law updates a few key provisions: the definition of personal information, the required contents of a data breach notice, the timing of notice, and a cap on penalties.
As for the definition of personal information, the updated law specifies that certain login credentials, so long as they are not publicly available, are now protected data subject to the law.
The new law also imposes requirements on the contents of a breach notice, which must now include the approximate date of the breach; a brief description of the personal information involved in the breach; the toll-free numbers and addresses of the three largest nationwide consumer reporting agencies; and the toll-free number, address and website address of the Federal Trade Commission or any federal agency that assists consumers with identity theft matters.
The deadline for giving notice of a breach is now fixed at forty-five days, with an exception where law enforcement advises that notice would impede an investigation. Entities that maintain but do not own or license the data are held to a different standard: they must notify the data owner "as soon as practicable" after discovering a breach. The new law also imposes a $500,000 cap on the civil penalties the Attorney General may seek for violations of the statute.
These updates reflect a growing trend among states to broaden data breach laws, expanding who must be notified and specifying in more detail the content and timing of notification. Indeed, as of this year, data breach notification laws are on the books in all 50 U.S. states.