Arizona recently amended its breach notice law to change the regulator notification requirements. Starting this summer, depending on the scope of the incident, the Arizona Department of Homeland Security will need to be notified. Specifically, as amended, if more than 1,000 Arizona individuals are notified of a breach, then notification must be made to the three largest consumer reporting agencies, the Arizona attorney general and the Arizona Department of Homeland Security. Previously, only the consumer reporting agencies and Arizona AG needed to be notified if that threshold was met. This notification should be made within 45 days after the determination that there has been a breach. Arizona joins New York as being one of the few states that require notification to multiple state regulatory agencies.
Putting it into practice: Beginning July 22, 2022, companies who suffer a breach impacting more than 1,000 Arizona residents will need to notify the Arizona Department of Homeland Security (in addition to other agencies). This amendment joins the minor change in Indiana that we wrote about previously, which will also go into effect in July.