New York’s SHIELD Act Affects Your Arizona Business: Here’s Why
Arizona businesses should be aware of a recent act initiated in New York that looks to change the way companies approach security practices...
Did you know Arizona has legislation that requires private entities and government agencies to notify individuals who have been impacted by security breaches that may compromise their personally identifiable information?
Please note, entities covered by the federal Health Insurance Portability and Accountability Act (“HIPAA”) or the Gramm-Leach-Bliley Act are exempt from this law. This is because the federal regulations are far stricter, and regulating at both the state and federal level would be a nightmare.
Arizona’s data breach notification laws are applicable to individuals or entities that conduct business in the state who also license, own, or maintain covered information. It does not apply to encrypted or redacted information, or information secured in some other way that renders it unreadable or unusable – as long as the encryption key was not accessed or acquired.
Covered information is the combination of “personal information” and “specified data element”.
Covered information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
Security incident means an event that creates reasonable suspicion that a person’s information systems or computerized data may have been compromised or that measures put in place to protect the person’s information systems or computerized data may have failed.
If a covered person discovers a “security incident,” as defined by the law, the person is required to investigate to determine if a “breach” has occurred. If a breach has occurred, the owner or licensee of the breached personal information is required to notify affected individuals, unless the person, a law-enforcement agency, or an independent forensic auditor determines that the breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals. Generally, the notification must be provided within 45 days and must be made using one of the methods specified by the law. See A.R.S. § 18-552, subsections (E) through (I). For breaches involving more than 1,000 Arizona residents, notification must also be provided to the three largest nationwide consumer reporting agencies and to the Arizona Attorney General’s Office.
A knowing and willful violation of the law constitutes a violation of the Arizona Consumer Fraud Act, A.R.S. § 44-1521 et seq. Only the Attorney General may enforce such a violation. In doing so, the Attorney General may seek up to $500,000 in civil penalties, in addition to any restitution that may be owed to the affected individuals.
Healthcare data breaches are now covered by Arizona’s data breach notification law as of April 2018, with a 45-day deadline for notifying affected individuals.
If you’re an employer, you likely have your employees’ name/address/phone number (personal information) and SSN (specified data element) stored somewhere. If you’ve made it electronic, the law applies to your employee data.
If your business involves storing protected data such as names and SSNs, this law applies to your client data. Law firms, CPAs, and financial services are examples of industries that deal with this type of data every day.
If you have “Covered Information” and you’re breached, it’s a security incident, and you need to have a plan for how to remediate it with this law in mind. Reach out to us if you’d like to talk about how this law affects your business and how to properly mitigate as much risk as possible with smart IT and policy choices.
Read more about this topic via the Arizona Attorney General: Arizona’s Data-Breach Notification Law FAQ
Contact us here and we’ll be happy to answer your questions.