Arizona gets tough on businesses with new data breach reporting law

Among new requirements, the law boosts the maximum civil penalty for a knowing statute violation from 0,000 per breach to 00,000.

For some time, government has let companies off the hook for negligence in cyberspace, waiting until after an incident to act. The Arizona legislature is hoping to flip the script, by holding businesses more accountable for data breaches.

Following the passage of HB 2154 , Arizona will now penalize poor cyber hygiene and irresponsible data management, while bolstering protections for consumers and adding notification requirements for data breach victims. By setting a hard data breach notification deadline, establishing standards to work with law enforcement, significantly raising the maximum fine for offending businesses, and widely expanding protections for Arizonans, the new law’s standards are among the toughest in the nation.

Pursuant to the new law, businesses in Arizona that suspect they have suffered a breach “shall conduct a reasonable investigation” into the incident. If a breach has indeed occurred, businesses must notify the attorney general in writing, as well as all the individuals affected. If more than 1,000 Arizonans are affected, the business must also promptly notify consumer reporting agencies.

The bill, sponsored by Rep. T.J. Shope and authored by Arizona Attorney General Mark Brnovich , raises the stakes for businesses by increasing the maximum civil penalty for a knowing or willful violation of the statute from $10,000 per breach to $500,000.


“Consumers have a right to know when their sensitive information has been breached so they can protect themselves from financial loss,” Brnovich said in a statement. “A key component of the legislation was notification to the Attorney General’s Office of a breach. My office will be better positioned to investigate massive breaches in the future and assist consumers to protect their assets from theft.”

The law also spells out how affected businesses should comply with law enforcement, expands the definition of protected personal information, and requires that notice to breach-affected individuals occur within 45 days after determining an incident has occurred.

Prior to the passage of the law, there was no definitive timeline for businesses to notify customers — they were able to delay notification for months or even years.

“That was very disturbing because if there is a data breach, we want to know about it as soon as possible so that we can take steps to protect our information and protect our identities,” Brnovich told ABC 15 Arizona .

Arizona now joins the ranks of states prioritizing cyber defense through legislation and regulation. This spring has seen a flurry of legislative activity nationwide, with several states proposing or strengthening data breach notification laws.


Oregon passed a similar bill in March. Alabama , South Dakota , and Vermont created new laws, while Louisiana strengthened the law they had on the books. Colorado passed a bill with similar guidelines to Arizona’s HB 2154, though Colorado’s AG notification window is just 30 days. With 30-day notification windows, Colorado and Florida have the most stringent data breach reporting requirements.

“Hopefully as laws like this continue to be passed throughout the United States, it will make people more aware,” Cocanower told ABC 15 . “And if they say, ‘Gee, if I have this exposure that I might have to trigger this notification, maybe I’m going to put a little bit more effort into preventing it in the first place.'”

Latest Podcasts