🔐 Arizona Data Breach Laws: What Businesses Need to Know

Data breaches aren’t just a PR nightmare—they can also bring legal penalties, regulatory investigations, and lawsuits. If your business handles personal information in Arizona, you’re subject to Arizona’s data breach notification laws, which are among the stricter ones in the country.

Here’s what every Arizona business needs to know to stay compliant and respond quickly when data security goes wrong.

What Counts as a Data Breach Under Arizona Law?

Under A.R.S. § 18-552, a breach occurs when there is unauthorized acquisition of or access to unencrypted or unredacted personal information that compromises the security or integrity of the data.

What Is “Personal Information”?

Arizona defines personal information as:

  • A first name or initial and last name plus one or more of the following:

    • Social Security number

    • Driver’s license or state ID number

    • Financial account or credit/debit card number plus security/access code

    • Medical or health insurance information

    • Biometric data (fingerprint, retina scan, etc.)

📌 Encrypted data is generally excluded—unless the encryption key was also accessed.

When Must a Business Notify?

You must notify affected individuals within 45 days after discovering the breach if it’s reasonably believed the data was accessed or acquired.

Who Must Be Notified?

  • The individuals whose data was exposed

  • The Arizona Attorney General (if more than 1,000 individuals are affected)

  • Consumer reporting agencies (also if 1,000+ affected)

Notification Methods

  • Written notice

  • Email (under certain conditions)

  • Substitute notice (if notification costs exceed $50,000 or affected parties exceed 100,000)

📌 Failure to notify can lead to enforcement actions and civil penalties.

What Should Be in a Breach Notification?

Arizona law requires that notices include:

  • The nature of the breach

  • The type of personal information involved

  • Contact info for the business

  • Advice on how to protect against identity theft

📌 Don’t include specifics that could be exploited further—like exact passwords or PINs.

Best Practices for Breach Prevention and Response

  1. Have an incident response plan in place before a breach happens

  2. Train employees on phishing, password hygiene, and data handling

  3. Encrypt sensitive data at rest and in transit

  4. Review your vendor agreements—third-party breaches can trigger your obligations

  5. Consult legal counsel immediately after a suspected breach

Final Thoughts

Arizona’s breach laws require a quick, organized response—and failing to act can cost you in fines and reputation.

If your business experiences a breach, or you want to prepare ahead of time, legal guidance is essential to limit liability and maintain compliance.

Hurley Law Group
Privacy & Compliance Counsel for Arizona Businesses and Healthcare Providers
📞 308-383-1867
🌐 hurleylawgroup.com
✉️ eric@hurleylawgroup.com
