What are the Data Breach Requirements in Arizona?

Cyberattacks are a significant headache for small business owners, managers, and customers. The costs to recover from an attack vary, but the damage to your brand, customer trust, and business can be felt for many years. For your customers, the exposure of personal information – that you are entrusted to protect as a business owner – is a significant area of concern for federal and state authorities.  New regulations in Arizona[1] impose requirements on organizations to:

  • Conduct investigations on whether a “breach” has occurred upon becoming aware of a security incident; and
  • Based on customer volumes, you may need to report the incident to the Arizona Attorney General, the Arizona Department of Homeland Security, and the three consumer reporting agencies – Equifax, Experian, and Transunion. (See ARS § 18-551, 18-552).

Additionally, if your business accepts credit cards (American Express, Diners, Discover, Master Card, & Visa), you may need to take additional steps to address the issues associated with the cyberattack.  This could include holding any incoming payments, hiring a forensic investigator, and remediating any technical issues.

Time is of the essence in the hours following a cyberattack, and the decisions you make as a business owner are highly critical. Because there are many variables to a cyberattack and response, we strongly recommend establishing a relationship with a cybersecurity consultant to help you during your time in need. A cybersecurity consultant can help you with your insurance, validate how far bad actors have infiltrated your systems, and determine which data types have been accessed or exfiltrated from your organization.  The actions taken by a consultant such as HOZHO Cybersecurity can help you avoid missteps which can result in fines, penalties, and sanctions.

[1]See Arizona Revised Statutes § 18-551, 18-552

Note: The information provided in this post does not constitute legal or professional advice.  The information is provided for information-sharing purposes and should not be relied upon for business decision-making.  For advice or guidance on cybersecurity matters, please consult appropriate legal counsel or a Cybersecurity professional in your region.


Leave a Reply

Your email address will not be published. Required fields are marked *