A new law strengthening the protections guarding data breach victims is now in effect in Arizona.

Gov. Doug Ducey has signed HB2154, a statute created by the state's Attorney General’s Office that requires that victims be notified in a timely manner and given information about the breach.  

“I applaud Representative (T.J.) Shope and members of the legislature for adopting these common sense improvements to our data breach laws,” Attorney General Mark Brnovich said in an announcement. 

“Consumers have a right to know when their sensitive information has been breached so they can protect themselves from financial loss. A key component of the legislation was notification to the Attorney General’s Office of a breach. My office will be better positioned to investigate massive breaches in the future and assist consumers to protect their assets from theft.” 

HB2154 clearly defines the role of the Attorney General’s Office in investigating data breaches.  

The law also redefines “personal information” to include an individual’s name and account credentials in conjunction with medical or health insurance information.   

Consumers will also be provided with more information about what occurred and how much of their personal details was exposed. 

After a data breach occurs, victims will be notified within 45 days of the incident. The previous law also required victim notification, but didn’t impose a firm deadline. If the breach involves more than 1,000 people, the new law requires that the country’s three biggest consumer reporting agencies are notified as well.  

The maximum penalty that an individual can receive for knowingly or willfully violating the statute has been substantially increased.  Fines can now reach as high as $500,000. The previous limit was $10,000.