This summer, an updated data breach law will take effect in Arizona. Earlier this spring, Arizona governor Doug Ducey signed HB2154 into law. Arizona’s Attorney General, Mark Brnovich, authored the bill “updating and strengthening Arizona’s data breach consumer protection statute.”
According to Brnovich, one of the more important changes is that it establishes a 45-day notification deadline, meaning businesses have only 45 days after learning of a data breach to notify those affected by it. Besides notifying the affected consumers, businesses must also notify the Attorney General’s Office and the major credit bureaus if larger-scale breaches occur. Brnovich stated the change was needed because, “Consumers have a right to know when their sensitive information has been breached so they can protect themselves from financial loss.”
Another key feature of the revamped law is that it protects a broader category of “personal information.” The previous statute, A.R.S. 18-545, protected social security numbers, driver’s license numbers in some cases, financial account numbers, and credit or debit card numbers combined with their PIN or access code. Personal information will soon include “online account credentials, as well as an individual’s name in combination with health insurance or other medical information, passport or taxpayer identification numbers, or certain biometric data.”
These changes are important because, according to the founder of cybersecurity firm RedJack, “Compared to financial data, which is usually short-lived, the information in medical records tends to last a lot longer—it’s a lot more sticky.” Where credit cards or debit cards can be readily canceled, a consumer cannot as easily change a social security number, hospital identification number, name, date of birth, income information, medical or clinical information, or address.
Stolen information can lead to identity theft or fraud where third parties (the thieves or people who buy the stolen information) use the personal information to access financial accounts, obtain credit or loans, assume the victim’s identity, or obtain medical goods or services or government benefits. Victims of a data breach experienced increased fear of becoming an identity theft victim. Those who became victims of medical identity theft spent, on average, $13,500 and around 200 hours to address the effects of theft and possible fraud.
Companies also suffer serious financial harm from data breaches. According to a 2017 study by the Ponemon Institute, an organization that conducts research on privacy, data protection, and information security policy, the average total cost of a data breach across the companies surveyed was $3.62 million. The changes in Arizona’s data breach laws stand to increase the overall costs for the most egregious failures to appropriately prevent or respond to a data breach. Beginning in August, the maximum penalty will increase from $10,000 to $500,000 per breach.
Whether motivated by the new provisions of state law, by a commitment to consumer privacy, by public perception, or something else, all Arizona businesses should take reasonable privacy protection measures. Even minor breaches can have devastating impacts both for affected consumers and the businesses trusted with consumers’ personal information.
By Alexandra Tracy-Ramirez, HopkinsWay PLLC. | © HopkinsWay PLLC 2018. All rights reserved.