AZBusiness Sept/Oct 2018

Page 22

LAW

ADDED SECURITY Here’s how Arizona businesses can remain compliant with the nation’s toughest data breach reporting law By MICHAEL GOSSIE

I

s there anything worse for a business than having its data breached? Yes — having to report that breach under an amended Arizona law that went into effect in August and requires companies to notify consumers affected by the breach within 45 days of a data breach or face up to $500,000 in penalties. If more than 1,000 Arizona residents are affected, businesses must notify the attorney general and the three largest nationwide consumer reporting agencies. “The law is quite broad and applies to all Arizona businesses that own, maintain or license computerized data that includes personal information,” says Stephanie Webb, an associate at Radix Law. “Accordingly, all businesses maintaining any personal information of employees or customers on a computer should be aware of the law and its requirements.” According to Joe Clees and Ryan Mangum of Ogletree Deakins, any business that operates in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information could be impacted. Personal information includes an individual’s first name — or first initial — and last name in combination with any of the individual’s following information: Social security number, driver’s license number, health insurance account number, passport number, taxpayer identification number, or financial account numbers; A private key unique to the individual that is used to authenticate an electronic record;

18

AB | September - October 2018