Arizona Governor Doug Ducey recently signed HB 2154 and HB 2311 into law, both taking effect on July 21, 2018. HB 2154 provides employers with additional guidance and updated notice procedures in the event of a data security system breach, and HB 2311 bolsters limited liability protections for employers when hiring employees or contracting with independent contractors previously convicted of criminal offenses.
Data Security Breaches
HB 2154 strengthens Arizona’s data breach consumer protection statutes1 by implementing increased employer notification requirements for victims of data and security system breaches.
The new legislation also defines “personal information” more expansively and will include e-mail addresses in combination with passwords or security questions and answers allowing access to “online-accounts.” Protected personal information includes other data such as: Social Security numbers, driver's license or passport numbers, pin numbers, bank account/credit/debit card numbers, health insurance and other medical information, tax payer IDs, and even unique biometric data generated from human body characteristics (facial recognition, thumb or fingerprint access, voice recognition, or eye and palm scanners).
The law requires Arizona employers that become aware of a “security incident” to conduct a prompt investigation to determine whether a security system breach has occurred. If the investigation determines a breach has occurred, businesses will now be required to notify all affected individuals within 45 days after discovery. Specifically, the law clarifies the notification requirements and acceptable forms of notice. Notice must include: (1) approximate breach date; (2) information exposed by the breach; (3) toll-free numbers of the three largest nationwide consumer reporting agencies; and (4) numbers and addresses for the Federal Trade Commission and agencies assisting consumers with identity theft. Notifications must be communicated by either e-mail, direct telephone call (no prerecorded messages), or substitute notice if the employer demonstrates it meets the minimum qualifications to notify affected consumers in an alternative format. If the breach requires notification of more than 1,000 individuals, the employer must directly notify the three largest nationwide consumer credit reporting agencies and the state attorney general.
Employers are encouraged to take proactive steps in securing consumer information because knowing and willful violations of this legislation are unlawful and include civil penalties—with amounts not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss sustained by the affected individuals, with the maximum penalty not exceeding $500,000. There is no private cause of action; the law is enforced solely by the Arizona attorney general.
Limited Liability for Hiring Ex-Criminal Offenders
Employers are often hesitant to contract, interview, or hire workers with criminal records. This hesitation stems at least in part from the increased risks and liability associated with possible negligent hiring claims. New Arizona legislation, HB 2311,2 has the social goal of expanding job opportunities for non-violent offenders, while shielding employers from certain lawsuits.
The law prohibits introducing evidence of an employee’s or independent contractor’s criminal offenses and/or convictions prior to the date of hire or engagement in negligent hiring cases. The legislation’s definition of “criminal offense” does not cover all past crimes. “Criminal offense” is defined as “any criminal offense except violent offenses and sexual offenses.” The broadest categories of coverage will be for non-violent or aggravated theft or the possession and sale of illegal drugs.
Notably, the liability limitations do not preclude potential lawsuits alleging negligent supervision. Furthermore, liability will not be precluded in situations where the employee/independent contractor was convicted of a criminal offense when the conviction is directly related to the nature of the work and the conduct giving rise to the action if the employer knows of the conviction or acted in a grossly negligent manner in not knowing of the conviction.
Likewise, the following examples are specifically precluded from the employer's limitations on liability:
- Misuse of monies or property by the employee/contractor if the employee/contractor has previously been convicted for an offense encompassing fraud or the misuse of monies prior to being hired or contracted, and it was foreseeable that the position would involve fiduciary responsibilities.
- Misappropriation of monies by an employee/contractor who was hired or contracted as an attorney, if the employee/contractor had prior convictions associated with fraud, the misuse of monies, or properties prior to being hired or contracted.
- Violent offenses or improper use of excessive force by an employee/contractor hired as a law enforcement officer or security guard.
Because both new laws take effect in a little over a month, employers should consider reviewing and revising their data security breach and hiring policies now.