REFERENCE TITLE: personal information; data security breaches
State of Arizona
House of Representatives
Second Regular Session
amending title 18, chapter 5, Arizona Revised Statutes, by adding article 4; providing for transferring and renumbering; amending section 18-552, Arizona Revised Statutes, as transferred and renumbered; amending sections 33-1701 and 36-3802, Arizona Revised Statutes; repealing Laws 2006, chapter 232, section 3, as amended by Laws 2016, chapter 80, section 31; relating to data security breaches.
Be it enacted by the Legislature of the State of Arizona:
Section 1. Title 18, chapter 5, Arizona Revised Statutes, is amended by adding article 4, to read:
ARTICLE 4. DATA SECURITY BREACHES
In this article, unless the context otherwise requires:
1. "Breach" or "security system breach":
(a) Means an unauthorized acquisition of, or unauthorized access that materially compromises the security or confidentiality of, unencrypted or unredacted computerized data that includes personal information maintained as part of a database of personal information regarding multiple individuals.
(b) Does not include a good faith acquisition of personal information by a person's employee or agent for the purposes of the person if the personal information is not used for a purpose unrelated to the person and is not subject to further wilful unauthorized disclosure.
2. "Court" means the supreme court, the court of appeals, the superior court, a court that is inferior to the superior court and a justice court.
3. "Data element" means:
(a) An individual's social security number.
(b) The number on an individual's driver license issued pursuant to section 28‑3166 or nonoperating identification license issued pursuant to section 28‑3165.
(c) An individual's financial account number or credit or debit card number.
4. "Encrypted" means the use of an algorithmic process to transform data into a form that renders the data unreadable or unusable without using a confidential process or key.
5. "Individual" means a resident of this state who has a principal mailing address in this state as reflected in the records of the person conducting business in this state at the time of the breach.
6. "Person":
(a) Means a natural person, corporation, business trust, estate, trust, partnership, association, joint venture, government or governmental subdivision or agency or any other legal or commercial entity.
(b) Does not include the department of public safety, a county sheriff's department, a municipal police department, a prosecution agency or a court.
7. "Personal information":
(a) Means any of the following:
(i) An individual's first name or first initial and last name in combination with one or more data elements.
(ii) An individual's electronic signature.
(iii) A physical characteristic that is attributable to an individual, including a fingerprint, eye, hand, vocal or facial characteristic or any other physical characteristic used to electronically identify that individual with a high degree of certainty.
(iv) An individual's protected health information, such as the individual's health insurance identification number, medical history, mental or physical condition, medical treatment or diagnosis by a health care professional.
(v) An individual's taxpayer identification number or an identity protection personal identification number issued by the United States Internal Revenue Service.
(vi) An individual's user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account.
(vii) Student personally identifiable data.
(b) Does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
8. "Prosecution agency" means the attorney general, a county attorney or a municipal prosecutor.
9. "Redact" means to alter or truncate a social security number, driver license number, nonoperating identification license number, financial account number or credit or debit card number so that not more than the last four digits are accessible.
10. "Security incident" means an event that indicates that a person's information systems or computerized data may have been compromised or that measures put in place to protect the person's information systems or computerized data may have failed.
11. "Student personally identifiable data" means a minor student's name, address, date of birth, social security number, e‑mail or social media address, credit, debit or other financial services account number or parent's name or any other information that would link a specific minor student to a specific school community.
Sec. 2. Section 18-545, Arizona Revised Statutes, is transferred and renumbered for placement in title 18, chapter 5, article 4, Arizona Revised Statutes, as section 18-552 and, as so renumbered, is amended to read:
18-552. Notification of security system breaches; requirements; enforcement; civil penalty; preemption; exceptions
A. When If a person that conducts business in this state and that owns, maintains or licenses unencrypted or unredacted computerized data that includes personal information becomes aware of an a security incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information, the person shall conduct a reasonable investigation to promptly determine if whether there has been a breach of the security system breach.
B. If the investigation results in a determination that there has been a breach in the security system breach, the person that owns or licenses the computerized data, within thirty days after the determination, shall:
1. Notify the attorney general in writing.
2. Notify the individuals affected. The notice shall be made in the most expedient manner possible and without unreasonable delay pursuant to subsection F of this section and subject to the needs of law enforcement as provided in subsection C E of this section and any measures necessary to determine the nature and scope of the breach, to identify the individuals affected or to restore the reasonable integrity of the data system.
C. If the breach requires notification of more than one thousand state residents, the person that owns or licenses the computerized data shall notify, promptly and without unreasonable delay and subject to the needs of law enforcement as provided in subsection E of this section, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
B. D. A person that maintains unencrypted or unredacted computerized data that includes personal information that the person does not own shall immediately notify the owner or licensee of the information on discovering any security system breach and cooperate with the owner or the licensee of the personal information of any breach of the security of the system following discovery of the breach without unreasonable delay. Cooperation shall include, including sharing information relevant to the breach of the security of the system with the owner or licensee. The person that owns or licenses the computerized data shall provide notice to the individual pursuant to this section the notifications required by subsections B and C of this section, as applicable. The person that maintained maintains the data under an agreement with the owner or licensee shall notify the attorney general in writing within thirty days after discovering the breach but is not required to provide notice to the individual affected individuals or consumer reporting agencies pursuant to this section article unless the agreement stipulates otherwise.
C. E. The notification notifications required by subsection A subsections B and C of this section may be delayed if a law enforcement agency advises the person that the notification will impede a criminal investigation. The person shall make the notification after the law enforcement agency determines that it will not compromise the investigation. On being informed by the law enforcement agency that the notifications no longer compromise the investigation, the person shall notify the affected individuals pursuant to subsection B, paragraph 2 of this section within thirty days and shall notify consumer reporting agencies pursuant to subsection C of this section, if applicable, promptly and without unreasonable delay.
D. F. The disclosure notification required by subsection A B, paragraph 2 of this section shall include at least the following:
1. The approximate date of the breach.
2. A brief description of the personal information included in the breach.
3. The toll-free numbers and addresses for the three largest consumer reporting agencies.
4. The toll-free number, address and website address for the federal trade commission or any federal agency that assists consumers with identity theft matters.
G. The notification required by subsection B, paragraph 2 of this section shall be provided by one of the following methods:
1. Written notice.
2. Electronic notice if the person's primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in the electronic signatures in global and national commerce act (P.L. 106‑229; 114 Stat. 464; 15 United States Code section 7001).
3. Telephonic notice, if telephonic contact is made directly with the affected individuals and is not through a prerecorded message.
4. Substitute notice if the person demonstrates that the cost of providing notice pursuant to paragraph 1, 2 or 3 of this subsection would exceed two hundred fifty thousand dollars or that the affected class of subject individuals to be notified exceeds one hundred thousand persons, or the person does not have sufficient contact information. Substitute notice shall consist consists of all of the following:
(a) Electronic mail E-mail notice if the person has electronic mail e-mail addresses for the individuals who are subject to the notice.
(b) Conspicuous posting of the notice on the website of the person if the person maintains one.
(c) Notification to major statewide media.
E. H. A person who that maintains the person's own notification procedures as part of an information security policy for the treatment of personal information and who that is otherwise consistent with the requirements of this section shall be article is deemed to be in compliance with the notification requirements of this section subsection B, paragraph 2 of this section if the person notifies subject individuals in accordance with the person's policies if a breach of the security system breach occurs.
F. I. A person that complies with the notification requirements or security system breach procedures pursuant to the rules, regulations, procedures, guidance or guidelines established by the person's primary or functional federal regulator is deemed to be in compliance with the requirements of subsection B, paragraph 2 of this section.
G. J. Notwithstanding subsection B of this section, a person is not required to disclose a breach of the security of the system breach to affected individuals or consumer reporting agencies if the person or an independent third-party forensic auditor or a law enforcement agency, after a reasonable investigation, determines after a reasonable investigation that a breach of the security of the system breach has not occurred or is not reasonably likely to occur.
H. This section may only be enforced by the attorney general. The attorney general may bring an action to obtain actual damages for a wilful and knowing violation of this section and a civil penalty not to exceed ten thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.
K. The notification provided to the attorney general pursuant to subsection B, paragraph 1 of this section is confidential pursuant to section 44-1525 and is exempt from disclosure under title 39.
L. A violation of this article is an unlawful practice pursuant to section 44-1522, and only the attorney general may enforce such a violation by investigating and taking appropriate action pursuant to title 44, chapter 10, article 7.
I. M. The state legislature determines that security system breach notification is a matter of statewide concern. The power to regulate security system breach notification is preempted by this state, and this section shall supersede article supersedes and preempt preempts all municipal and county laws, charters, ordinances and rules relating to issues regulated by this section article.
J. N. This section article does not apply to either of the following:
1. A person that is subject to title V of the Gramm‑Leach‑Bliley act (P.L. 106‑102; 113 Stat. 1338; 15 United States Code sections 6801 through 6809).
2. Covered entities and business associates as defined under regulations implementing the health insurance portability and accountability act of 1996, 45 Code of Federal Regulations section 160.103 (2003) (2013).
K. O. The department of public safety, a county sheriff's department, a municipal police department, a prosecution agency and a court shall create and maintain an information security policy that includes notification procedures for a breach of the security system breach of the department of public safety, the county sheriff's department, the municipal police department, the prosecuting agency or the court.
L. For the purposes of this section:
1. "Breach", "breach of the security of the system", "breach of the security system" or "security breach" means an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information maintained by a person as part of a database of personal information regarding multiple individuals and that causes or is reasonably likely to cause substantial economic loss to an individual. Good faith acquisition of personal information by an employee or agent of the person for the purposes of the person is not a breach of the security system if the personal information is not used for a purpose unrelated to the person or subject to further wilful unauthorized disclosure.
2. "Court" means the supreme court, court of appeals, superior court, courts inferior to the superior court and justice courts.
3. "Encrypted" means use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.
4. "Individual" means a person that is a resident of this state as determined by a principal mailing address in this state as reflected in the records of the person conducting business in this state at the time of the breach.
5. "Person" means a natural person, corporation, business trust, estate, trust, partnership, association, joint venture, government, governmental subdivision or agency or any other legal or commercial entity. Person does not include the department of public safety, a county sheriff's department, a municipal police department, a prosecution agency or a court.
6. "Personal information":
(a) Means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable:
(i) The individual's social security number.
(ii) The individual's number on a driver license issued pursuant to section 28‑3166 or number on a nonoperating identification license issued pursuant to section 28‑3165.
(iii) The individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the individual's financial account.
(b) Does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
7. "Prosecution agency" means the attorney general, any county attorney or any municipal prosecutor.
8. "Redact" means alter or truncate data such that no more than the last four digits of a social security number, driver license number, nonoperating identification license number, financial account number or credit or debit card number is accessible as part of the personal information.
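The redaction definition in article 4 and the notification duties of amended section 18-552 (the thirty-day window after the breach determination, the one-thousand-resident trigger for consumer reporting agency notice, the substitute-notice thresholds and the law enforcement delay) can be encoded as a small checklist helper. The following is an added illustration, not text from the bill; the data model, field names and the choice to apply the post-delay thirty-day clock to the attorney general notice as well as to individuals are assumptions of the example.

```python
"""Breach-notification checklist modelled on amended A.R.S. 18-552 (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW = timedelta(days=30)   # subsection B: within thirty days after the determination
CRA_THRESHOLD = 1_000                # subsection C: more than one thousand state residents
SUBSTITUTE_COST_USD = 250_000        # subsection G, paragraph 4: direct notice cost threshold
SUBSTITUTE_CLASS_SIZE = 100_000      # subsection G, paragraph 4: affected class size threshold


def redact(number: str) -> str:
    """Redact per article 4: leave no more than the last four digits accessible.

    Separators are kept so the shape survives, e.g. '123-45-6789' -> '***-**-6789'.
    """
    digit_count = sum(c.isdigit() for c in number)
    first_visible = max(digit_count - 4, 0)   # index of the first digit left readable
    out, seen = [], 0
    for ch in number:
        if ch.isdigit():
            out.append(ch if seen >= first_visible else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def is_redacted(number: str) -> bool:
    """True when four or fewer digits of the value remain accessible."""
    return sum(c.isdigit() for c in number) <= 4


@dataclass
class Breach:                         # assumed data model, not from the statute
    determination_date: str           # ISO date the investigation concluded a breach occurred
    affected_residents: int           # state residents whose personal information was involved
    data_protected: bool              # data was encrypted or redacted (outside "breach")
    direct_notice_cost_usd: float     # estimated cost of written/electronic/telephonic notice
    has_contact_info: bool
    hold_lifted_date: Optional[str] = None   # ISO date law enforcement ended a subsection E delay
    law_enforcement_hold: bool = False


@dataclass
class Obligations:
    notify_attorney_general: bool
    notify_individuals: bool
    notify_consumer_reporting_agencies: bool
    substitute_notice_allowed: bool
    deadline: Optional[str]           # None while a law enforcement delay is still in effect


def assess(b: Breach) -> Obligations:
    """Map the facts of a breach to the notices the article requires."""
    if b.data_protected or b.affected_residents == 0:
        return Obligations(False, False, False, False, None)
    if b.law_enforcement_hold and b.hold_lifted_date is None:
        deadline = None               # subsection E: notice waits for the agency's go-ahead
    else:
        # Subsection E restarts the thirty-day clock once the hold is lifted (assumed to
        # cover the attorney general notice as well as the notice to individuals).
        start = date.fromisoformat(b.hold_lifted_date or b.determination_date)
        deadline = (start + NOTICE_WINDOW).isoformat()
    substitute = (b.direct_notice_cost_usd > SUBSTITUTE_COST_USD
                  or b.affected_residents > SUBSTITUTE_CLASS_SIZE
                  or not b.has_contact_info)
    return Obligations(True, True, b.affected_residents > CRA_THRESHOLD, substitute, deadline)
```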
Sec. 3. Section 33-1701, Arizona Revised Statutes, is amended to read:
33-1701. Definitions; exception
A. In this article, unless the context otherwise requires:
1. "Default" means the failure to perform on time any obligation or duty set forth in the rental agreement.
2. "Department" means the Arizona game and fish department in the case of motorized watercraft and the department of transportation in the case of all other vehicles.
3. "Electronic mail" means an electronic message or an executable program or computer file that contains an image of a message that is transmitted between two or more computers or electronic terminals and includes electronic messages that are transmitted within or between computer networks from which a confirmation of receipt is received.
4. "Last known address" means that postal address or electronic address provided by the occupant in the rental agreement or the postal address or electronic address provided by the occupant in a subsequent written notice of a change of address.
5. "Late fee" means a reasonable fee or charge that is assessed by the operator for the failure of the occupant to pay rent when due pursuant to section 33‑1703, subsection D.
6. "Leased space" means the storage space or spaces at the self‑service storage facility that are rented to an occupant pursuant to a rental agreement.
7. "Net proceeds" means the total proceeds received from the lien sale less minus the total amount of the lien.
8. "Occupant" means a person or the person's sublessee, successor or assign, that is entitled to the use of the leased space at a self‑service storage facility under a rental agreement, to the exclusion of others.
9. "Operator" means the owner, operator, lessor or sublessor of a self‑service storage facility, an agent or any other person authorized to manage the facility.
10. "Personal information" has the same meaning prescribed in section 18‑545 18-552 and includes passport information and medical or legal records.
11. "Personal property" means movable property that is not affixed to land and includes but is not limited to goods, wares, merchandise, household items and furnishings and vehicles.
12. "Protected property" means personal property for which the sale or disposal of which is regulated by state or federal law and that is one of the following:
(a) Documents, files or electronic data that contains personal information relating to clients, customers, patients or others in connection with the occupant's business.
(b) Alcoholic beverages.
(c) Pharmaceuticals other than those dispensed by a licensed pharmacy for the occupant's personal use.
13. "Registered owner" means an owner of a vehicle as stated in the official records of the department.
14. "Rental agreement" means any written agreement provided to the occupant that establishes or modifies the terms, conditions or rules concerning the use and occupancy of leased space at a self‑service storage facility.
15. "Self‑service storage facility" means any real property used for renting or leasing storage spaces in which the occupants themselves customarily store and remove their own personal property on a self‑service basis.
16. "Vehicle" means a motor vehicle, a trailer or a semitrailer as defined in section 28‑101 and a motorized watercraft as defined in section 5‑301.
17. "Verified mail" means any method of mailing that is offered by the United States postal service and that provides evidence of mailing.
B. This article does not apply to a warehouseman unless the warehouseman issues a warehouse receipt, bill of lading or other document of title for the personal property stored.
Sec. 4. Section 36-3802, Arizona Revised Statutes, is amended to read:
36-3802. Individual rights
A. A health information organization must provide the following rights to individuals:
1. To opt out of participating in the health information organization pursuant to section 36‑3803.
2. To request a copy of the individual's individually identifiable health information that is available through the health information organization. The health information organization may provide this right directly or may require health care providers participating in the health information organization to provide access to individuals. The copy may be provided electronically, if the individual requesting the copy consents to electronic delivery of the individually identifiable health information, and must be provided to the individual within thirty days after the individual's request. Charges for copies are governed by section 12‑2295.
3. To request the amendment of incorrect individually identifiable health information available through the health information organization.
4. To request a list of the persons who have accessed the individual's individually identifiable health information through the health information organization for a period of at least three years before the individual's request. This list must be provided to the individual within thirty days after the individual's request.
5. To be notified, pursuant to section 18‑545 18-552 and 45 Code of Federal Regulations part 164, subpart D, of a breach at the health information organization that affects the individual's individually identifiable health information.
B. If an individual does not have the capacity to make health care decisions, the individual's health care decision maker may exercise all individual rights in this chapter on behalf of the individual.
Sec. 5. Repeal