May 112018

Arizona Updates Data Breach Law

Colleen Theresa Brown and Elizabeth MacGill
, ,

Changes to data breach notification laws continue to pop up across the country this Spring.  The latest comes from a new law signed by Arizona Governor Doug Ducey that amends the state’s data breach standards.  Although much of the Arizona law has remained the same, the new law updates a few key provisions, including the definition of personal information, the requirements for the content of the data breach notice, the timing of notice, and the capping of penalties. 

As for the new definition of personal information, the updated law specifies that certain login credentials, so long as they are not publicly available, would be considered protected data and subject to the law.

The new law also imposes requirements on the contents of the disclosure of a breach, which should now include the approximate date of the breach; a brief description of the personal information included in the breach; the toll-free numbers and addresses for the three largest nationwide consumer reporting agencies; and the toll-free number, address and website address for the federal trade commission or any federal agency that assists consumers with identity theft matters.

The timing of the notice of the breach has now been specified to forty-five days, with an exception if law enforcement advises that the notice will impede an investigation.  Entities that maintain but do not own or license the data have different reporting standards; these entities must notify data-owners of a breach “as soon as practicable” upon discovering a breach.  The new law imposes a $500,000 cap on the Attorney General’s imposition of civil penalties for violations of the statute.

These updates reflect a growing focus by states to broaden data breach laws to expand notice and provide more specifics around the content and timing of notification.  Indeed, this year we now have data breach laws on the books in all 50 U.S. states.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Elizabeth MacGill

Elizabeth.MacGill@sidley.com

You might also like
Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1