Is there anything worse for a business than having its data breached?
Yes — having to report that breach under an amended Arizona law that went into effect in August and requires companies to notify consumers affected by the breach within 45 days of a data breach or face up to $500,000 in penalties. If more than 1,000 Arizona residents are affected, businesses must notify the attorney general and the three largest nationwide consumer reporting agencies.
“The law is quite broad and applies to all Arizona businesses that own, maintain or license computerized data that includes personal information,” says Stephanie Webb, an associate at Radix Law. “Accordingly, all businesses maintaining any personal information of employees or customers on a computer should be aware of the law and its requirements.”
According to Joe Clees and Ryan Mangum of Ogletree Deakins, any business that operates in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information could be impacted. Personal information includes an individual’s first name — or first initial — and last name in combination with any of the individual’s following information:
• Social security number, driver’s license number, health insurance account number, passport number, taxpayer identification number, or financial account numbers;
• A private key unique to the individual that is used to authenticate an electronic record;
• Health information and history;
• Biometric data generated from a measurement or analysis of human body characteristics, such as a fingerprint;
• Personal information also includes a username plus password for online accounts, according to Scott Bennett, a partner at Coppersmith Brockelman.
Impact on businesses
“A breach under the law is unauthorized access to that personal information,” Bennett says. “Common examples of breaches are the loss or theft of a mobile device, data emailed to the wrong person and employees snooping in company computer files.”
The motivation behind the passage of HB 2154 was to penalize businesses that exercise poor cyber data management while improving protections for consumers. By implementing a data breach notification deadline, establishing law enforcement standards and raising the potential fines — the total penalty is capped at $500,000, a substantial increase over the previous cap of $10,000 per breach — for offending businesses, Arizona now has one of the strictest security breach laws in the country, according to Webb.
“Consumers have a right to know when their sensitive information has been breached so they can protect themselves from financial loss,” says Attorney General Mark Brnovich. “A key component of the legislation was notification to the attorney general’s office of a breach. My office will be better positioned to investigate massive breaches in the future and assist consumers to protect their assets from theft.”
Beyond protecting consumers, Webb says the goal of the new law is to encourage businesses to strengthen their cyber defense measures. So what can be done to reduce the risk of a breach?
Reducing risk
“There are many steps that businesses can take to reduce risk,” says Susie Ingold, a shareholder at Burch & Cracchiolo. “One often overlooked step is strengthening internal security practices through your employees. Every employee plays a critical role in protecting the company’s network and confidential data, from performing individual tasks to identifying and reporting problems that could lead to a data breach. Providing mandatory employee training to educate them on data security and privacy practices, emerging security risks, proactive identification and reporting of issues can help reduce the company’s risk of a data breach.”
According to Clees and Mangum, effective data security requires a multi-faceted approach consisting of technical, personnel and physical barriers to access.
Technical barriers: These include measures like encryption, dual authentication, password protection, limiting collection, access, storage, and retention of data, and keeping software and hardware, such as anti-virus protection, up to date.
Personnel barriers: Hackers will find ways to circumvent technical barriers through employee error. It is critical to train employees to recognize and avoid scams that trick them into disclosing passwords, to avoid clicking on suspicious links, to avoid weak passwords, and to avoid storing data in insecure repositories (Gmail, Dropbox, etc.).
Physical barriers: Simple measures such as locking doors, securing physical files and keeping access restrictions up to date also help prevent data breaches.
“A (business) should develop a comprehensive, but understandable ‘Incident Response Plan’ that has been tested in advance of a breach to ensure a timely and effective response,” says Robin B. Campbell, co-leader of the Data Privacy & Cybersecurity Practice Group at Squire Patton Boggs. “While regulators understand that technology cannot protect against every possible breach, they are generally less tolerant of mishandling of a breach response, which can be avoided with good planning.”
Staying compliant
To compound the issue, data breach laws differ from state to state, so Webb says a company conducting business in multiple states is bound by the laws of those states and must become familiar with requirements of each in the event of a cybersecurity breach.
“After a breach happens, one important initial step is identifying the states of residence of all affected individuals, which can usually be assessed according to their mailing addresses,” Bennett says. “Many states’ laws apply to any breach of the personal information of their residents, regardless of whether the company that experienced the breach does business in that state.”
When a business experiences a data breach, Bennett says it should:
• Stop the breach. This might require bringing in an expert in computer forensics.
• Notify insurance carriers.
• Meet the requirements of all applicable breach laws.
• Consider ways to reduce the risk of harm to affected individuals, such as offering to pay for credit monitoring and ID-theft-protection services. That is not required by Arizona law but protects both the affected individuals and the business.
• Take corrective action to prevent the same kind of incident from happening again. That might include disciplining the employees involved, providing additional training, or enhancing computer security features.
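As an added illustration that is not part of the article or the work of any of the firms quoted, the following Python sketch turns the definition of "personal information" given earlier (name plus one of the listed data elements, or a username plus password) and Bennett's first post-breach step (sort affected individuals by state of residence) into a small triage routine. It counts only unencrypted, unredacted records, tallies Arizona residents against the more-than-1,000 threshold that triggers notice to the attorney general and the consumer reporting agencies, and computes the 45-day consumer-notice date. The record schema, element names and sample data are constructed for this example; because the article does not say which event starts the 45-day clock, the caller supplies the date to count from.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Data elements that, combined with a first name (or initial) and last name,
# make a record "personal information" as the article describes the law.
# The key names are this example's own.
SENSITIVE_ELEMENTS = {
    "ssn", "drivers_license", "health_insurance_account", "passport",
    "taxpayer_id", "financial_account", "private_key",
    "health_information", "biometric",
}

AZ_NOTICE_DAYS = 45       # notify affected consumers within 45 days
AZ_AG_THRESHOLD = 1000    # more than 1,000 AZ residents -> notify AG and the three CRAs


@dataclass
class Record:
    """One affected individual's record (constructed schema for this example)."""
    first_name: str                      # full first name or first initial
    last_name: str
    state: str                           # state of mailing address, e.g. "AZ"
    elements: Dict[str, str] = field(default_factory=dict)
    encrypted: bool = False
    redacted: bool = False
    username: Optional[str] = None       # online-account credentials count on their own
    password: Optional[str] = None


def is_personal_information(rec: Record) -> bool:
    """Apply the article's definition: credentials alone, or name + a sensitive element."""
    if rec.username and rec.password:
        return True
    if not (rec.first_name and rec.last_name):
        return False
    return any(k in SENSITIVE_ELEMENTS and v for k, v in rec.elements.items())


def is_in_scope(rec: Record) -> bool:
    """Only unencrypted, unredacted personal information is covered."""
    return is_personal_information(rec) and not rec.encrypted and not rec.redacted


def triage(records, breach_date: date) -> dict:
    """Group in-scope records by state and derive the Arizona obligations."""
    in_scope = [r for r in records if is_in_scope(r)]
    by_state = Counter(r.state for r in in_scope)
    az = by_state.get("AZ", 0)
    return {
        "in_scope": len(in_scope),
        "by_state": dict(by_state),
        "az_residents": az,
        # Assumption: the article does not name the triggering event, so the
        # caller supplies the date from which the 45 days are counted.
        "az_consumer_notice_deadline": breach_date + timedelta(days=AZ_NOTICE_DAYS) if az else None,
        "notify_az_ag_and_cras": az > AZ_AG_THRESHOLD,
        # Other states' laws may reach their residents regardless of where the
        # business operates, so each of these needs its own review.
        "other_states_to_review": sorted(s for s in by_state if s != "AZ"),
    }


def sample_records():
    """Constructed sample data: 1,002 in-scope Arizona records plus edge cases."""
    recs = [Record("A", f"Resident{i}", "AZ", {"ssn": "***-**-0000"}) for i in range(1002)]
    recs.append(Record("Pat", "Encrypted", "AZ", {"ssn": "***"}, encrypted=True))   # encrypted: out of scope
    recs.append(Record("Sam", "Traveler", "CA", {"passport": "X0000000"}))           # in scope, CA resident
    recs.append(Record("Lee", "", "AZ", {"ssn": "***"}))                               # no last name: not PI
    recs.append(Record("", "", "CA", username="lee@example.com", password="hunter2"))  # credentials alone
    return recs


def example_triage() -> dict:
    """Run the triage over the constructed sample, counting from a constructed date."""
    return triage(sample_records(), date(2018, 9, 1))


if __name__ == "__main__":
    print(example_triage())
```

The useful part for an incident response plan is the by-state breakdown: it is produced once, from mailing addresses, and then drives which notification regimes have to be reviewed, rather than being re-derived ad hoc while the 45-day clock is running.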
“Companies doing business in Arizona that also collect personal information should take note of, and understand, the amended law and analyze whether their existing information security controls are adequate to protect against a data breach,” Ingold says. “Businesses must also be proactive in investigating a possible security system breach and ensuring that, when necessary, timely notice is provided to affected individuals under the new data breach law.”