The Arizona legislature recently adjusted the licensing fees paid to the Department of Financial Institutions and amended its law related to data security breaches.  Both bills discussed in this memorandum are effective July 16, 2018.

Arizona Senate Bill 1150

The following nonrefundable fees are payable to the Department of Financial Institutions:

• To apply for a banking permit - $1,000 (previously $500)
• To organize and establish any other financial institutions for which an application or investigation fee is not otherwise provided by law - $1,000 (previously $500)
• To apply for a trust company license - $1,000 (previously $2500)
• To apply for a commercial mortgage banker, mortgage banker, escrow agent or consumer lender license - $1,000 (previously $500)
• To apply for a mortgage broker, commercial mortgage broker, sales finance company or debt management company license - $500 (previously $800)
• To apply for approval to convert from a national bank or federal savings and loan charter to a state chartered institution - $1,000 (previously $500)
• To apply for approval to convert from a federal credit union to a state chartered credit union - $500 (previously $1,000)

Arizona House Bill 2154

“Breach” or “Security System Breach” means an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.  It does not include a good faith acquisition of personal information by a person’s employee or agent for the purposes of the person if the personal information is not used for a purpose unrelated to the person and is not subject to further unauthorized disclosure.

“Encrypt” means to use a process to transform data into a form that renders the data unreadable or unusable without using a confidential process or key.

“Individual” means a resident of Arizona who has a principal mailing address in Arizona as reflected in the records of the person conducting business in Arizona at the time of the breach.

“Nationwide Consumer Reporting Agency”: means a consumer reporting agency that compiles and maintains file on consumers on a nationwide basis.  It does not include a nationwide specialty consumer reporting agency.

“Person” means a natural person, corporation, business trust, estate, trust, partnership, association, joint venture, government or governmental subdivision or agency or any other legal or commercial entity.  It does not include the Department of Public Safety, a county sheriff’s department, a municipal police department, a prosecution agency or a court.

“Personal Information” means any of the following:

• An individual’s first name or first initial and last name in combination with one or more specified data elements;
• An individual’s user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account.

Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed data.

“Prosecution Agency” means the Attorney General, a county attorney or a municipal prosecutor.

“Redact” means to alter or truncate a number so that not more than the last four digits are accessible and at least two digits have been removed.

“Security Incident” means an event that creates reasonable suspicion that a person’s information systems or computerized data may have been compromised or that measures put in place to protect the person’s information systems or computerized data may have failed.

“Specified Data Element” means any of the following:

• An individual’s social security number;
• The number on an individual’s driver license or nonoperating identification license;
• A private key that is unique to an individual and that is used to authenticate or sign an electronic record;
• An individual’s financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to the individual’s financial account;
• An individual’s health insurance identification number;
• Information about an individual’s medical or mental health treatment or diagnosis by a health care professional;
• An individual’s passport number;
• An individual’s taxpayer identification number or an identity protection personal identification number issued by the United States Internal Revenue Service; or
• Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.

If a person that conducts business in Arizona and that owns, maintains, or licenses unencrypted and unredacted computerized personal information becomes aware of a security incident, the person must conduct an investigation to promptly determine whether there has been a security system breach.

If the investigation results in a determination that there has been a security system breach, the person that owns or licenses the computerized data, within forty-five days after the determination, must:

• Notify the individuals affected as required, subject to the needs of law enforcement as provided below;
• If the breach requires notification of more than 1,000 individuals, notify both:
  • The three largest nationwide consumer reporting agencies; and
  • The Arizona Attorney General, in writing, in a form prescribed by rule or order of the Attorney General or by providing the Attorney General with a copy of the notice sent to the individuals affected.

A person that maintains unencrypted and unredacted computerized personal information that the person does not own or license must notify, as soon as practicable, the owner or licensee of the information on discovering any security system breach and cooperate with the owner or the licensee of the personal information including sharing information relevant to the breach with the owner or licensee.  The person that maintains the data under an agreement with the owner or licensee is not required to provide the notifications required unless the agreement stipulates otherwise.

The required notifications may be delayed if a law enforcement agency advises the person that the notifications will impede a criminal investigation.  After being informed by the law enforcement agency that the notifications no longer compromise the investigation, the person must make the required notifications, as applicable, within forty-five days.

The required notification must include at least the following:

• The approximate date of the breach;
• A brief description of the personal information included in the breach;
• The toll-free numbers and addresses for the three largest nationwide consumer reporting agencies; and
• The toll-free number, address and website address for the Federal Trade Commission or any federal agency that assists consumers with identity theft matters.

The notice must be provided by one of the following methods:

• Written notice;
• An e-mail notice if the person has e-mail addresses for the individuals who are subject to the notice;
• By telephone if contact is made directly with the affected individuals and is not through a prerecorded message; or
• Substitute notice if the person demonstrates that the cost of providing notice with one of the above methods would exceed $50,000, that the affected class of subject individuals to be notified exceeds 100,000 individuals, or that the person does not have sufficient contact information.  Substitute notice consists of all of the following:
  • A written letter to the Arizona Attorney General that demonstrates the facts necessary for substitute notice; and
  • Conspicuous posting of the notice for at least forty-five days on the website of the person if the person maintains one.

If a breach involves an individual’s electronic signature for an online account and does not involve an individual’s first name or first initial and last name in combination with one or more data elements, the person may comply with the notice requirement by providing the notification in an electronic or other form that directs the individual whose personal information has been breached to promptly change the individual’s password and security question or answer, as applicable, or to take other steps that are appropriate to protect the online account with the person and all other online accounts for which the individual whose personal information had been breached uses the same user name and e-mail address and password or security question or answer.  If the breach of personal information is for login credentials of an e-mail account furnished by the person, the person is not required to provide the notification to that e-mail address, but may comply by providing notification by another approved method or by providing clear and conspicuous notification delivered to the individual online when the individual is connected to the online account from an internet protocol address or online location from which the person knows the individual customarily accesses the account. The person satisfies the notification requirement by requiring the individual to reset the individual’s password or security question and answer for that account if the person also notifies the individual to change the same password or security question and answer for all other online accounts for which the individual uses the same user name or e-mail address and password or security question or answer.

A person that maintains the person’s own notification procedures as part of an information security policy for the treatment of personal information and that is otherwise consistent with the requirements of these provisions, including the forty-five day notification period, is deemed to be in compliance with the notification requirements if the person notifies subject individuals in accordance with the person’s policies if a security system breach occurs.

A person is not required to make the required notification if the person, an independent third-party forensic auditor or a law enforcement agency determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.

Except for notifications provided to individuals affected by a security system breach, notifications provided to the Arizona Attorney General are confidential and are exempt from disclosure.

Knowing and willful violation of these provisions is an unlawful practice, and only the Arizona Attorney General may enforce such a violation by investigating and taking appropriate action.  The Arizona Attorney General may impose a civil penalty for a violation not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss sustained by affected individuals but the maximum civil penalty from a breach or series of related breaches may not exceed $500,000.  This does not prevent the Arizona Attorney General from recovering restitution for affected individuals.

These provisions do not apply to either of the following:

• A person that is subject to Title V of the Gramm-Leach Bliley Act governing the treatment of nonpublic personal information about consumers by financial institutions; or
• A covered entity or business associate as defined under regulations implementing the Health Insurance Portability and Accountability Act (“HIPAA”) or a charitable fund-raising foundation or nonprofit corporation whose primary purpose is to support a specified covered entity, if the charitable fund-raising foundation or nonprofit corporation complies with any applicable provision of HIPPA and its implementing regulations.