[BreachExchange] Arizona Expands Regulator Data Breach Notification Obligations

Matthew Wheeler mwheeler at flashpoint-intel.com
Tue Apr 12 08:24:18 EDT 2022


https://www.natlawreview.com/article/arizona-expands-regulator-data-breach-notification-obligations


Arizona recently amended its breach notice law to change the regulator
notification requirements. Starting this summer, depending on the scope of
the incident, the Arizona Department of Homeland Security will need to be
notified. Specifically, as amended, if more than 1,000 Arizona individuals
are notified of a breach, then notification must be made to the three
largest consumer reporting agencies, the Arizona attorney general and the
Arizona Department of Homeland Security. Previously, only the consumer
reporting agencies and Arizona AG needed to be notified if that threshold
was met. This notification should be made within 45 days after the
determination that there has been a breach. Arizona joins New York as one
of the few states that require notification to multiple state regulatory
agencies.

Putting it into practice: Beginning July 22, 2022, companies that suffer a
breach impacting more than 1,000 Arizona residents will need to notify the
Arizona Department of Homeland Security (in addition to other agencies).
This amendment joins the minor change in Indiana that we wrote about
previously, which will also go into effect in July.