Arizona Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal data belonging to Arizona residents, state law requires you to act quickly when a breach occurs. Arizona's data breach notification statute sets a firm 45-day notification deadline and imposes civil penalties for noncompliance.
The law was originally enacted in 2006 and significantly updated through HB 2146 in 2022, which added biometric data to the list of protected information, shortened the notification window, and expanded government reporting requirements to include the Arizona Department of Homeland Security.
For an overview of Arizona's broader privacy framework, see the parent guide to [Arizona Data Privacy Laws](/us-laws/data-privacy-laws/arizona-data-privacy-laws).
What Counts as a Security System Breach
Under A.R.S. § 18-551, a security system breach means the unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information.
Two conditions must exist for a breach to be reportable. The data must be unencrypted and unredacted, and the compromise must be material rather than trivial.
The statute includes a good faith exception. If an employee or agent of the business acquires personal information for legitimate business purposes, and the data is not used for an unrelated purpose or subjected to further unauthorized disclosure, that access does not count as a breach.
Protected Personal Information
Arizona defines personal information broadly. The law covers an individual's first name or first initial and last name combined with any of the following data elements:
- Social Security number
- Driver's license number or state identification card number
- Private key that is unique to an individual and used to authenticate or sign an electronic record
- Financial account number or credit/debit card number, in combination with any required security code, access code, or password that would permit access to the account
- Health insurance identification number
- Medical or mental health treatment information
- Passport number
- Taxpayer identification number
- Unique biometric data generated from a measurement or analysis of human body characteristics for authentication purposes
The law also covers a standalone category: an individual's username or email address combined with a password or security question and answer that allows access to an online account. This category does not require a name to trigger notification.
Publicly available information lawfully made available from federal, state, or local government records is excluded from the definition.
The 45-Day Notification Timeline
When a business that conducts business in Arizona and owns, maintains, or licenses unencrypted computerized personal information becomes aware of a security incident, the business must conduct a reasonable investigation to determine whether a breach has occurred.
Once the investigation confirms a breach, the clock starts. Under A.R.S. § 18-552, the business must notify affected individuals within 45 days after the determination that a breach occurred.

Law enforcement can request a delay if notification would impede a criminal investigation. Once law enforcement clears the notification, the 45-day window applies from the date of that clearance.
Who Must Be Notified
Arizona's notification requirements extend to multiple parties depending on the size of the breach.
Affected Individuals
Every person whose unencrypted personal information was compromised must receive direct notice. The notice must include:
- The approximate date of the breach
- A description of the personal information that was involved
- Contact information for the three largest nationwide consumer reporting agencies
- Contact information for the Federal Trade Commission, along with a statement that the individual can obtain information from the FTC about identity theft prevention
Attorney General and Department of Homeland Security
If a breach affects more than 1,000 Arizona residents, the business must also notify the Arizona Attorney General and the Director of the Arizona Department of Homeland Security. These notifications are confidential and exempt from public records disclosure.
The AG's office provides a data breach notification form that businesses must complete when reporting a breach.

Consumer Reporting Agencies
When more than 1,000 individuals must be notified, the business must also notify the three largest nationwide consumer reporting agencies about the timing, distribution, and content of the individual notices.
How Notification Must Be Delivered
Arizona allows several notification methods under A.R.S. § 18-552:
- Written notice sent to the individual's mailing address
- Email notice if the business has email addresses on file
- Telephone notice through direct conversation (not prerecorded messages)
Substitute Notice
A business may use substitute notice if it demonstrates that direct notification would cost more than $50,000, that more than 100,000 individuals need to be notified, or that the business does not have sufficient contact information.
Substitute notice requires two steps:
- A written letter to the Attorney General explaining the facts that justify using substitute notice
- Conspicuous posting of the notice on the business's website for at least 45 days
Encryption Safe Harbor
Arizona's breach notification law only applies to unencrypted and unredacted personal information. If the compromised data was properly encrypted or if data elements like Social Security numbers were redacted (truncated to show only the last four digits), notification is not required.

This safe harbor gives businesses a strong incentive to encrypt personal information at rest and in transit.
Exemptions
Several categories of entities are exempt from Arizona's breach notification law:
- HIPAA-covered entities and business associates that maintain notification procedures under HIPAA and the HITECH Act
- Financial institutions subject to the Gramm-Leach-Bliley Act that comply with federal interagency guidelines on response programs for unauthorized access
- Businesses with internal policies that are consistent with the timing requirements of the Arizona statute
The exemption for internal policies requires that those policies meet or exceed the 45-day notification standard and other requirements set by state law.
Penalties and Enforcement
Only the Arizona Attorney General may enforce violations of the data breach notification law. A knowing and willful violation is treated as an unlawful practice under the Arizona Consumer Fraud Act (Title 44, Chapter 10, Article 7).
The penalty structure works as follows:
- Per-individual penalty: Up to $10,000 per affected individual, or the total amount of economic loss sustained by affected individuals, whichever is less
- Maximum cap: $500,000 per breach or series of related breaches
- Restitution: The AG may also seek restitution for affected individuals
There is no private right of action. Individual consumers cannot sue businesses directly for failing to provide timely breach notification. Enforcement is exclusively through the AG's office.
Arizona AG Enforcement Track Record
The Arizona Attorney General has actively participated in major multistate data breach settlements. Notable cases include:
- Equifax (2019): Arizona joined 49 other states in securing a $600 million settlement following the 2017 breach that exposed personal data of approximately 147 million Americans
- Uber (2018): The AG secured $148 million in a nationwide settlement after Uber concealed a 2016 data breach affecting 57 million users, with Arizona receiving approximately $2.7 million
- Blackbaud (2024): Attorney General Kris Mayes joined a $49.5 million multistate settlement with the software company over a 2020 ransomware attack
These cases demonstrate that while individual state penalties are capped at $500,000, participation in multistate actions can result in significantly larger outcomes.
Substantial Economic Loss Exception
Arizona includes a notable exception to notification requirements. If the person who experienced the breach, a law enforcement agency, or an independent forensic auditor determines that the breach has not resulted in and is not reasonably likely to result in substantial economic loss to the affected individuals, notification is not required.
This determination must be documented and defensible. The Arizona AG FAQ makes clear that this exception does not eliminate the obligation to investigate every security incident.
Government Entity Requirements
The 2022 amendments added specific requirements for Arizona government entities. Public safety departments, county sheriff's offices, municipal police departments, prosecution agencies, and courts must establish and maintain reasonable security policies and procedures. These policies must include a breach notification component.
Government entities that handle personal information are subject to the same 45-day notification timeline as private businesses.
How Arizona Compares to Other States
Arizona's 45-day notification deadline places it among the states with specific statutory timelines, alongside states like Florida (30 days) and Colorado (30 days). Many states still use a less specific "most expedient time possible" standard.
The dual government notification requirement to both the AG and the Department of Homeland Security is relatively unusual among state breach notification laws. Most states that require government notification only mandate AG notification.
Arizona's inclusion of biometric data, passport numbers, and taxpayer identification numbers in its definition of personal information reflects the 2022 modernization of the statute. These categories are not universally covered across all state breach notification laws.
Steps to Take After a Breach in Arizona
If your organization discovers a potential breach involving Arizona residents, follow this sequence:
- Investigate immediately. Determine whether the incident constitutes a security system breach under A.R.S. § 18-551.
- Document the scope. Identify which data elements were compromised and how many Arizona residents were affected.
- Check encryption status. If all compromised data was encrypted or redacted, the safe harbor may apply.
- Assess economic impact. If the breach is not reasonably likely to cause substantial economic loss, document that determination thoroughly.
- Notify within 45 days. If notification is required, provide notice to affected individuals using an approved method.
- Report to the AG and DHS. If more than 1,000 individuals are affected, submit the AG notification form and notify the Director of the Arizona Department of Homeland Security.
- Notify consumer reporting agencies. If more than 1,000 individuals are notified, inform the three largest nationwide consumer reporting agencies.
Sources and References
This article references Arizona statutes and official state government publications. For the full text of the breach notification law, visit the Arizona Legislature website. For guidance on reporting a breach or filing a complaint, visit the Arizona Attorney General's Data Breach page.
This article provides general legal information about Arizona data breach notification laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Arizona government sources.
- A.R.S. § 18-551 (Definitions), azleg.gov
- A.R.S. § 18-552 (Notification requirements), azleg.gov
- HB 2146, Chapter 81, Laws 2022, azleg.gov
- Arizona AG Data Breach FAQ, azag.gov
- Arizona AG Data Breach Notification Form, azag.gov
- Arizona AG Data Breach Submission Form (PDF), azag.gov
- Equifax $600M Settlement Press Release, azag.gov
- Uber $148M Settlement Press Release, azag.gov
- Blackbaud $49.5M Settlement Press Release, azag.gov
- FTC Gramm-Leach-Bliley Act, ftc.gov
- Arizona Consumer Fraud Act (Title 44), azleg.gov