A plain-language guide to ARS § 18-552 compliance for Arizona businesses

What the Law Covers
The Statute
Arizona Revised Statutes § 18-552 governs the breach-notification obligations of any person that conducts business in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized “personal information” about Arizona residents. The definitions it relies on are in the neighboring section, § 18-551.
This is broad. If your business operates in Arizona and holds computerized personal information about Arizona residents in readable form (your own employees, your clients, your patients, your customers), you are subject to this law. Paper-only records are outside the statute, but very few businesses hold personal information only on paper.
What Counts as “Personal Information”
Arizona’s law defines personal information as an individual’s first name or first initial and last name in combination with one or more of the data elements below, when the combination is not encrypted, redacted, or otherwise secured by a method that makes it unreadable or unusable. A username or email address combined with a password, or with a security question and answer that allows access to an online account, is also personal information on its own, with no name required. Publicly available information lawfully made available from government records or widely distributed media is excluded.
Data Element | Examples | Covered? |
Social Security number | SSN in HR or tax records | YES |
Driver’s license or nonoperating state ID number | DL number in HR or intake records | YES |
Private key unique to an individual, used to authenticate or sign an electronic record | Signing or authentication keys held on an employee’s or customer’s behalf | YES |
Financial account number or credit/debit card number + any required security code, access code, or password | Bank account number with PIN, card number with CVV | YES |
Health insurance identification number | Insurance member ID | YES |
Medical or mental health treatment or diagnosis information | PHI, diagnosis codes, treatment records | YES |
Passport number | Passport copies in I-9 files | YES |
Taxpayer identification number or IRS identity protection PIN | ITIN in vendor or payroll records | YES |
Unique biometric data used to authenticate an individual | Fingerprint templates, facial recognition data | YES |
Username or email address + password, or security question and answer | Login credentials for any online account (covered without the name) | YES |
If the data involved was encrypted, redacted, or otherwise unreadable, notification may not be required. Two caveats a practitioner should check before relying on this: full-disk or at-rest encryption does not help if the attacker used valid credentials to read the data through an application that decrypts it, and the safe harbor is doubtful if the decryption key was taken along with the data. You must be able to demonstrate, with configuration evidence and logs, that the data was actually unreadable to the attacker. Consult counsel before concluding no notification is required.
What Triggers the Notification Obligation
The statute works in two steps:
1. When your business becomes aware of a “security incident,” it must conduct a reasonable investigation to promptly determine whether a “security system breach” has occurred. A security system breach is an unauthorized acquisition of and unauthorized access to unencrypted and unredacted computerized data that materially compromises the security or confidentiality of personal information maintained as part of a database covering multiple individuals. Good-faith acquisition by an employee or agent for your business’s own purposes is not a breach, as long as the information is not used for an unrelated purpose or further disclosed.
2. If the investigation determines that a breach occurred, the notification obligations described below apply. The one statutory escape is a determination, after a reasonable investigation by you, an independent third-party forensic auditor, or a law enforcement agency, that the breach has not resulted in and is not reasonably likely to result in substantial economic loss to the affected individuals.
This second step is important and often misunderstood. The law does not require confirmed misuse; it requires that you be unable to show, after a real investigation, that economic loss is unlikely. In a ransomware incident where the attacker had access to systems containing personal information and you cannot rule out exfiltration (for example because logging was insufficient or the attacker claims to hold the data), that showing is rarely available, and notification is the safe assumption.
The 45-day window runs from the determination that a breach occurred, not from the date of discovery. That is not a license to investigate slowly: the statute requires the investigation to be prompt, and the discovery date is the first thing the Attorney General will ask for. Record it, and document how long the investigation took and why.
Who Must Be Notified
Affected Individuals
Any Arizona resident whose personal information was involved in the breach must be notified. This includes:
• Employees and former employees
• Clients and customers
• Patients (if you’re in healthcare; HIPAA also applies and has its own content rules and a 60-day clock. The Arizona statute treats a person that complies with its primary federal regulator’s breach-notification requirements as compliant with the state law, but plan against the stricter of the two and confirm the overlap with counsel)
• Vendors or contractors whose personal information you hold
The notification must be made in the most expedient manner possible and without unreasonable delay, and no later than 45 days after the determination that a breach occurred. Notification may be delayed only if a law enforcement agency advises that it would impede a criminal investigation; get that request in writing and send the notices promptly once law enforcement clears them.
The Arizona Attorney General
If the breach requires notification of more than 1,000 individuals, you must also notify the Arizona Attorney General within the same 45-day window. The notice to the Attorney General must be in writing, either in the form the Attorney General prescribes or as a copy of the notification sent to affected individuals, and should state the number of Arizona residents affected.
Consumer Reporting Agencies
The same threshold applies to the credit bureaus: if more than 1,000 individuals must be notified, you must also notify the three largest nationwide consumer reporting agencies (Equifax, Experian, and TransUnion) within 45 days. Tell them the timing, distribution, and approximate number of notices being sent so they can staff for the fraud-alert and credit-freeze requests that follow. You do not need to send them the content of the individual notifications.
Third-Party Data Holders
If you maintain computerized personal information that you do not own or license (you are the service provider, cloud vendor, or contractor), the statute requires you to notify the owner or licensee of the information of any security system breach as soon as practicable. The duty to notify affected individuals, the Attorney General, and the credit bureaus rests with the owner or licensee, so your contracts should spell out who sends what, how quickly the vendor must report to the owner, and what forensic evidence it will hand over. If you are the data owner, start your own investigation when the vendor reports; do not wait for the vendor to finish its analysis.
What the Notification Must Contain
Arizona law requires that notification to affected individuals include at least:
1. The approximate date of the breach.
2. A brief description of the personal information included in the breach.
3. The toll-free numbers and addresses for the three largest nationwide consumer reporting agencies.
4. The toll-free number, address, and website address for the Federal Trade Commission or any federal agency that assists consumers with identity theft matters.
Those are the statutory minimums. A usable letter also explains what happened, what you are doing to investigate and contain the incident, what the individual can do to protect themselves (credit freeze, password changes, account monitoring), and how to reach you, including a telephone number. Keep the description factual and consistent with what the forensic investigation actually established; overstating or understating scope creates problems with the Attorney General and in later litigation.
How Notification Must Be Delivered
Method | When Permitted | Conditions |
Written notice (mail) | Always permitted | Sent to the last known mailing address of the affected individual |
Telephone notice | If contact is made directly with the affected individual | A voicemail or unanswered call does not count; log who was reached and when |
Email notice | If you have email addresses for the affected individuals | Make the sender and subject line clearly identifiable as yours; a notice that looks like phishing will be ignored or reported |
Substitute notice | If the cost of notice would exceed $50,000, more than 100,000 individuals are affected, or you lack sufficient contact information | Written letter to the Attorney General demonstrating the facts that necessitate substitute notice, plus conspicuous posting of the notice on your website for at least 45 days |
If the breach involved only login credentials (username or email address plus password or security question and answer), the statute allows a notice that directs the individual to promptly change the password and security question or answer, or to take other appropriate steps to protect the account, instead of a full letter. Confirm the details with counsel before relying on this shortcut, and never send that notice to an email account whose credentials were the ones compromised.
Penalties for Non-Compliance
The Arizona Attorney General may bring a civil action against a person that knowingly and willfully fails to comply with the notification requirements. The civil penalty is up to $10,000 per affected individual, or the total economic loss sustained by affected individuals if that is less, and total civil penalties for a breach or series of related breaches are capped at $500,000.
However, civil penalties from the AG are not the only exposure. Non-compliance can also:
• Void or reduce cyber insurance coverage if non-compliance is material
• Create additional liability in civil litigation by affected individuals
• Trigger enforcement under HIPAA (if you are a covered entity or business associate), contractual penalties under PCI DSS (if payment card data was involved), or other applicable frameworks
• Result in reputational damage that far exceeds any statutory penalty
The Practical Preparation Checklist
BEFORE AN INCIDENT
☐ Inventory what personal information your business holds and where it lives
☐ Identify all systems containing personal information, including employee records, client files, and financial data
☐ Designate a breach response lead with authority to make notification decisions
☐ Identify outside breach counsel in advance (not during the incident)
☐ Review your cyber insurance policy for notification coverage and claim procedures
☐ Create a pre-drafted notification letter template (see AEGITz Incident Response Template Pack)
☐ Document your security controls, including where encryption is applied and where keys are kept, so you can demonstrate protective measures were in place
AT DISCOVERY
☐ Record the date and time of discovery immediately, and log each investigative step with its date; the 45-day clock runs from the determination that a breach occurred, and the Attorney General will want to see that the investigation was prompt
☐ Engage breach counsel before making notification decisions
☐ Notify your cyber insurance carrier within the policy-specified timeframe
☐ Preserve all evidence: logs, disk images, systems, and communications
☐ Do not make public statements before consulting counsel
WITHIN 45 DAYS
☐ Determine what personal information was involved through forensic investigation
☐ Identify all affected individuals
☐ Send required notifications to individuals
☐ Notify the Arizona AG if more than 1,000 individuals must be notified
☐ Notify the three credit bureaus if more than 1,000 individuals must be notified
☐ Document all notifications with dates and delivery methods
AEGITz helps Arizona businesses prepare for breach notification compliance as part of our managed services engagement — including documentation of security controls, pre-drafted notification templates, and breach counsel referrals. If you want to verify your current readiness, contact us for a compliance assessment.