Mandated Timeframe for Breach Reporting and/or Consumer Notification
Within 45 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach and notification laws:
- $10,000 per individual up to $500,000
Third Party Management
None to minimal
The attorney general is not prevented from recovering restitution for individuals affected by a breach.
There are other notification requirements when the breach involves an individual’s username or email address.
There are additional requirements for notification involving a breach of more than 1,000 individuals.
Publicly communicating or transmitting the social security number of a resident of the state is a violation and is subject to a civil penalty of up to $500 for each act.
A person or entity that knowingly or intentionally violates section 44-1373, subsection A, paragraph 2 is subject to a civil penalty of $100 for each violation.
An entity that knowingly discards or disposes of records or documents without redacting personal identifying information (some exceptions apply) is in violation and is subject to a civil penalty of $500 for a first violation, $1,000 for a second violation, and $5,000 for a third or subsequent violation.
A retailer that knowingly or intentionally violates section 44-7701, subsection A is subject to a civil penalty of $500 for a first violation, $1,000 for a second violation, and $5,000 for a third or subsequent violation.
If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
If your breach affects residents of other states, you will need to notify those residents under the rules of their respective states.
Statutes and Laws
Ariz. Rev. Stat., §§ 18-551 & 18-552 Data security breaches
Ariz. Rev. Stat., §§ 36-3801-3809 Provisions of health information organizations
Ariz. Rev. Stat., §§ 44-1373-1373.03 Restricted use of Personal Identifying Information
Ariz. Rev. Stat., § 44-7012 Electronic records retention
Ariz. Rev. Stat., § 44-7601 Discarding and disposing of Personal Identifying Information Records
Ariz. Rev. Stat., § 44-7701 Retention of customer information; transmission to third parties prohibited