Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect personal information
  • Written Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws are subject to penalties from $10,000 per affected individual, up to $500,000.00.

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • The attorney general is not prevented from recovering restitution for individuals affected by a breach.
  • There are other notification requirements when the breach involves an individual’s username or email address.
  • There are additional requirements for notification involving a breach of more than 1,000 individuals.
  • Publicly communicating or transmitting the social security number of a resident of the state is a violation and subject to a civil penalty of up to $500.00 for each act.
  • A person or entity that knowingly or intentionally violates section 44-1373, subsection A, paragraph 2 is subject to a civil penalty of $100.00 for each violation.
  • An entity that knowingly discards or disposes of records or documents without redacting personal identifying information (some exceptions apply) is in violation and is subject to a civil penalty of $500.00 for a first violation, $1,000.00 for a second violation, and $5,000.00 for a third or subsequent violation.
  • A retailer that knowingly or intentionally violates section 44-7701, subsection A is subject to a civil penalty of $500.00 for a first violation, $1,000.00 for a second violation, and $5,000.00 for a third or subsequent violation.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is then responsible for completing the reporting and consumer notification.
  • If your breach affects residents of other states, you will need to notify those residents under their own state's rules.
Statutes and Laws
  • Ariz. Rev. Stat., §§ 18-551 & 18-552 Data security breaches
  • Ariz. Rev. Stat., §§ 36-3801-3809 Provisions of health information organizations
  • Ariz. Rev. Stat., § 44-7012 Electronic records retention
  • Ariz. Rev. Stat., § 44-7601 Discarding and disposing of Personal Identifying Information Records
  • Ariz. Rev. Stat., § 44-7701 Retention of customer information; transmission to third parties prohibited