Arizona Revised Statutes, Article 3 § 18-545
Type of Data Covered: "...unencrypted computerized data that includes personal information..." See ARS §18-545(A). This language indicates that the statute would not cover a breach of physical data.
Is Breach Defined?
Yes! §18-545(L)(1) defines breach as "an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information maintained by a person as part of a database of personal information regarding multiple individuals and that causes or is reasonably likely to cause substantial economic loss to an individual. Good faith acquisition of personal information by an employee or agent of the person for the purposes of the person is not a breach of the security system if the personal information is not used for a purpose unrelated to the person or subject to further wilful unauthorized disclosure."
When is notice required?
Notice is required after an investigation determines that a breach occurred and must be given "in the most expedient manner possible and without unreasonable delay subject to the needs of law enforcement as provided in subsection C of this section and any measures necessary to determine the nature and scope of the breach, to identify individuals affected or to restore the reasonable integrity of the data system." See §18-545(A). The disclosure of the breach may be done by written notice, electronic notice, telephonic notice, or substitute notice, depending on the circumstances. See §18-545(D).
What are the penalties for non-compliance?
§18-545(H) says that the Attorney General has exclusive enforcement rights and that office may bring an action to obtain "actual damages for a willful and knowing violation...and a civil penalty not to exceed ten thousand dollars per breach of the security system...that are discovered in a single investigation."