Can I avoid having a data breach response plan in Arizona? What are the requirements?

Data Breach Response Plan Requirements in Arizona

Based on the information provided in document AZRS 18-552 and the additional context documents, if a person conducts business in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information, they are required to have a data breach response plan. The statewide information security and privacy office, established in the Arizona Department of Homeland Security, is responsible for developing, implementing, maintaining, and ensuring compliance with a coordinated statewide assurance plan for information security and privacy ^[2.1][5.1].

If a security incident occurs, the person must conduct an investigation to determine if there has been a security system breach. If a breach is confirmed, the person must notify affected individuals within 45 days and follow specific notification requirements outlined in the document. Failure to comply with these requirements may result in civil penalties [AZRS 18-552].

Therefore, it is not possible to avoid having a data breach response plan in Arizona if you conduct business and own, maintain, or license unencrypted and unredacted computerized personal information.

Source(s):

• [2.1] Statewide information security and privacy office; duties; suspension of budget unit’s information infrastructure
• [5.1] Statewide information security and privacy office; duties; suspension of budget unit’s information infrastructure

Jurisdiction

Arizona

• Privacy