A new data breach law that goes into effect today in Arizona will hold businesses accountable for data breaches.
To help explain what you need to know about the new law, Az Business talked with Robin Campbell, who co-leads the Squire Patton Boggs’ Data Privacy & Cybersecurity Group. She serves on Law360’s 2018 Cybersecurity & Privacy Editorial Advisory Board and has been recognized as a cybersecurity and data privacy trailblazer by the National Law Journal.
Az Business: What types of businesses need to be aware of Arizona’s new data breach law?
Robin Campbell: Arizona’s data breach law, effective August 3, 2018, applies to any entity that conducts business in Arizona and owns, maintains or licenses unencrypted or unredacted computerized data that includes personal information (“covered entities”). Personal information (PI) is defined as first name or first initial and last name in combination with a Social Security Number, driver’s license, financial account number, private key used to authenticate or sign an electronic record, biometric data, passport number, tax identification number, health insurance identification number, or medical or mental health information. The law was also expanded to include online account credentials and covers username or email address in combination with a password or security question and answer that might allow access to an online account.
AB: What do businesses need to know about Arizona’s new data breach law?
RC: The changes also strengthen the enforcement options and allow the Attorney General to seek a civil penalty for knowing and willful violations in the amount of $10,000 per affected individual or the total amount of economic loss sustained by affected individuals, whichever is less. However, the total penalty is capped at $500,000, a substantial increase over the previous cap of $10,000 per breach.
Although the AZ law has been strengthened across the board, it still contains a harm threshold such that individual and regulator notification is not required if a business determines that the breach has not resulted in, or is not reasonably likely to result in, substantial economic loss to affected individuals.
AB: Is there anything a business can do to reduce its risk of a data breach?
RC: In the first instance, a covered entity can encrypt or redact PI to the extent it is feasible to do so and, thus, remove it from the definition of PI that triggers notification and other requirements.
More generally, a covered entity should broadly evaluate its technical and organizational controls to ensure that they meet industry best practice (taking into consideration the volume and sensitivity of the PI it handles) and will sufficiently protect against a security breach. Additionally, education and training for employees is crucial as employees are the first line of defense when it comes to identifying possible vulnerabilities and risks, as well as an actual security breach. Lastly, a covered entity should develop a comprehensive, but understandable Incident Response Plan that has been tested in advance of a breach to ensure a timely and effective response. While regulators understand that technology cannot protect against every possible breach, they are generally less tolerant of mishandling of a breach response, which can be avoided with good planning.
AB: What does a company in Arizona need to do if it is a victim of a data breach?
RC: The first thing a business should do is follow its Incident Response Plan and investigate whether a breach, as defined by the law, has occurred. A breach is defined as “an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted or unredacted computerized data maintained as part of a database of PI regarding multiple individuals.” If a breach has occurred, the business must evaluate whether the breach has resulted, or will likely result, in substantial economic loss to affected individuals, which is not always an easy assessment to make. If a breach has occurred that is likely to result in economic loss to affected individuals, the business must notify affected individuals within 45 days of that determination. If the number of affected individuals exceeds 1,000, the business must also notify all three major consumer-reporting agencies and the Attorney General.
AB: What is the best piece of advice you can give a business leader about staying compliant under the new law?
RC: Entities that do business in Arizona and collect personal information from Arizona residents should recognize and understand these changes and determine whether their existing security practices are sufficient to protect against data breaches. Businesses should also put in place a well-defined Incident Response Plan that identifies the response team, details the roles and responsibilities of each, includes appropriate triggers for escalation and has been stress tested in advance of a breach.
