By Bruce Sussman
Mon | Jul 2, 2018 | 7:55 AM PDT

A data breach involving customers in Arizona is about to become exponentially more expensive for organizations than it used to be.

The governor has signed a new Arizona breach notification law that raises the maximum civil penalty for a cyber breach from the current $10,000 to $500,000.

This is part of a national trend: Dozens of states are considering tougher breach notification laws.

The law takes effect during August 2018, and the Arizona Attorney General's office calls it "common sense." The state's new breach notification law makes a slew of changes.

2018 Arizona breach notification law changes

Here are the changes with this new law:

  • Expanding the definition of protected “personal information” to include online account credentials, as well as an individual’s name in combination with health insurance or other medical information, passport or taxpayer identification numbers, or certain biometric data;
  • Requiring that notice to individuals affected by a data breach be provided within 45 days after determining that a breach has occurred (whereas existing law provided no definitive deadline);
  • Clarifying the necessary content and available delivery methods for notifications to consumers;
  • Requiring notification to the three largest consumer reporting agencies for any breach involving more than 1,000 individuals;
  • Increasing the maximum civil penalty for a knowing or willful violation of the statute from $10,000 per breach to $500,000 per breach; and
  • Clearly explaining the Attorney General’s powers in connection with the investigation and enforcement of data breach matters.

The actual text of the Arizona breach notification law is here.

We have to wonder if it will also apply to agencies like the FDIC, which has an average breach notification time of 288 days. That story is still hard to believe.

[Image: Courtesy of the Arizona Office of Tourism]