Arizona Signs Bill to Amend Security Breach Notification Requirements

On March 29, 2022, Doug Ducey, the Arizona governor, signed HB 2146, amending the state’s security breach notification requirements.  

Amongst other changes, the bill requires a person that conducts business in Arizona and owns, maintains or licenses unencrypted and unredacted computerized personal information to notify “the three largest nationwide consumer reporting agencies” if the company becomes aware of a security incident involving more than 1,000 individuals. Additionally, the person must notify the state attorney general and the director of the Arizona Department of Homeland Security within 45 days of the person's determination that a security incident has occurred.

Importantly, the covered entity must also notify the “individuals affected by the data breach” of the incident in a writing communicating the following:

  • the estimated date of the breach;

  • a description of the personal information that was obtained by the threat actor during the breach;

  • the toll-free numbers and addresses for “the three largest nationwide consumer reporting agencies”; and

  • the toll-free numbers and addresses for the federal agency or federal trade commission that assists consumers with incidents of identity theft.

These updated requirements will become effective 90 days after the Arizona legislature adjourns. Covered entities should review their data breach notification and response procedures to fill any compliance gaps.
