Assigned to CED                                                                                    AS ENACTED

ARIZONA STATE SENATE

Forty-seventh Legislature, Second Regular Session

FINAL AMENDED

FACT SHEET FOR S.B. 1338

personal information; security breach; notification

Purpose

            Effective January 1, 2007, requires a business or governmental entity conducting business in Arizona to notify state residents of a breach of its security system when the personal information of those individuals has been compromised.

Background

            According to the Federal Trade Commission (FTC), the major metropolitan areas with the highest per capita rates of identity theft in 2005 were: 1) Phoenix/Mesa/Scottsdale, AZ; 2) Las Vegas/Paradise, NV; and 3) Riverside/San Bernardino/Ontario, CA. In 2005, the most common identity theft complaints related to credit card fraud, followed by phone or utility fraud, bank fraud and employment-related fraud. The Identity Theft Data Clearinghouse, administered by the FTC and shared through the Consumer Sentinel network, reports that 9,320 identity theft complaints were filed by Arizona victims in 2005.

            Growing concern over identity theft has led states to look for ways to protect residents from it. California was the first state to enact legislation requiring entities that maintain personal data to notify residents when an incident of unauthorized acquisition of or access to that data has occurred. Security breaches can take many forms, including lost or misplaced disks or backup tapes, stolen laptops or computers, hacked data or compromised passwords. As of December 2005, approximately 20 states had enacted security breach notification requirements.

            The fiscal impact of this legislation cannot be determined. However, the Attorney General’s Office may see increased caseloads from prosecuting businesses or governmental entities that fail to properly notify Arizona residents of a security breach.

Provisions

Security Breaches

1.      Requires a person conducting business in Arizona that owns or licenses unencrypted computerized data that includes personal information, on becoming aware of an incident of unauthorized acquisition of and access to unencrypted or unredacted computerized data, to conduct an investigation to promptly determine whether a breach of the security system has occurred.

2.      Defines a “person” to include a natural person, commercial entity or governmental entity, but does not include a law enforcement agency, a prosecution agency or a court.

3.      Defines a “security breach” as an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information maintained by a person as part of a database of personal information regarding multiple individuals and that causes or is reasonably likely to cause substantial economic loss to an individual.

4.      States good faith acquisition of personal information by an employee of a person for the purposes of the person is not a security breach if the personal information is not used for a purpose unrelated to the person and is not subject to further willful unauthorized disclosure.

5.      Defines “personal information” as an individual’s first name or first initial and last name in combination with any of the following unencrypted, unredacted or nonsecured information:

a)      the individual’s social security number.

b)      the individual’s driver license or nonoperating identification license number.

c)      the individual’s financial account number or credit or debit card number in combination with any required security code that would permit access to the individual’s financial account.

6.      Excludes publicly available information from being personal information.

Notification Requirements

7.      Requires a person that determines a security breach has occurred to notify the individuals affected.

8.      Defines an “individual” as a resident of Arizona as determined by the principal mailing address in Arizona reflected in the records of the person conducting business in Arizona at the time of the security breach.

9.      States a person is not required to notify individuals of a security breach if the person or a law enforcement agency, after a reasonable investigation, determines a security breach has not occurred or is not reasonably likely to occur.

10.  Requires the notice of a security breach to be made in the most expedient manner possible without unreasonable delay, subject to the needs of law enforcement and any measures necessary to determine the nature of the breach, to identify affected individuals or to restore reasonable integrity of the data system.

11.  Allows notification of a security breach to be delayed if a law enforcement agency advises the person that notification will impede a criminal investigation.

12.  Requires a person that maintains but does not own unencrypted computerized data that includes personal information to notify and cooperate with the owner of the information without unreasonable delay following discovery of a security breach. The owner of the data is required to provide notification of the security breach.

13.  States the person that maintained the data under an agreement with the owner of the data is not required to provide notice to individuals of a security breach unless the agreement stipulates otherwise.

14.  Requires notification of a security breach to be either by written, electronic or telephonic means, or provided by substitute notice.

15.  Allows a substitute notice to be provided if the cost of providing a notice by written, electronic or telephonic means would exceed $50,000, the number of affected individuals to be notified exceeds 100,000 persons or the person does not have sufficient contact information for the individuals.

16.  Requires a substitute notice to consist of all of the following:

a)      email notice if the person has email addresses for the individuals.

b)      conspicuous posting of the notice on the person’s website if the person maintains one.

c)      notification to major statewide media.

Exceptions

17.  Deems a person to be in compliance with the security breach notification requirements if the person notifies individuals of a security breach in accordance with the person’s policies and those policies are consistent with the statute’s notification requirements.

18.  Deems a person to be in compliance with the security breach notification requirements if the person complies with the notification requirements or security breach procedures pursuant to the rules, regulations, procedures, guidance or guidelines of the person’s primary or functional federal regulator.

19.  Exempts the following from the security breach notification requirements:

a)      a person subject to the federal Gramm-Leach-Bliley Act.

b)      covered entities under the federal Health Insurance Portability and Accountability Act.

20.  Requires law enforcement and prosecution agencies and the courts to create and maintain an information security policy that includes notification procedures for a security breach of the agencies’ or the courts’ systems.

Miscellaneous

21.  Allows only the Attorney General to enforce the security breach notification requirements.

22.  Allows the Attorney General to bring an action to obtain actual damages for a willful and knowing violation of the security breach notification requirements and a civil penalty of not more than $10,000 per security breach or series of breaches of a similar nature that are discovered in a single investigation.

23.  States security breach notification is a matter of statewide concern and the notification requirements preempt all municipal and county ordinances and rules.

24.  Prescribes other definitions.

25.  Repeals the security breach notification requirements one year after the effective date of the federal Personal Data Privacy and Security Act. Requires the Attorney General to notify the Director of Arizona Legislative Council of this date.

26.  Becomes effective on January 1, 2007.

Amendments Adopted by the House of Representatives

·      Excludes law enforcement agencies, prosecution agencies and the courts from the security breach notification requirements and requires the agencies and courts to create and maintain an information security policy that includes notification procedures for a security breach.

Senate Action

CED             2/1/06      DP      8-0-0-0
3rd Read        3/1/06              21-7-2-0
Final Read      4/20/06             22-6-2-0

House Action

GRGFA           3/15/06     DPA     5-1-0-0
COM             3/22/06     DPA     7-0-0-2
3rd Read        4/17/06             54-0-6-0

Signed by the Governor 4/26/06

Chapter 232

Prepared by Senate Research

May 10, 2006

BP/ac