Arizona Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do
A comprehensive guide to Arizona data privacy and cybersecurity laws, including ARS 18-552 breach notification, HB 2154 amendments, and compliance obligations for Arizona businesses.
Arizona's approach to cybersecurity regulation reflects a state that is rapidly growing as a technology and healthcare hub but has not yet enacted comprehensive consumer data privacy legislation. Unlike California, Colorado, or Texas, Arizona does not have a broad privacy law granting consumers rights over their personal data. Instead, Arizona businesses must comply with a focused breach notification statute — ARS 18-552, significantly strengthened in 2018 — along with sector-specific federal requirements that apply to the state's dominant industries: healthcare, semiconductor manufacturing, defense contracting, and financial services.
For organizations operating in Arizona, this patchwork approach means that compliance planning requires careful attention to which regulations apply based on your industry and the types of data you handle. The history of Arizona data breaches demonstrates what happens when organizations fail to implement adequate protections, and the financial penalties under Arizona law — up to $500,000 per breach — make compliance failures expensive. This guide breaks down every applicable law, its specific requirements, and practical steps for building a compliance program that works for Arizona businesses.
Arizona Data Breach Notification Law: ARS 18-552
Overview and History
Arizona's primary cybersecurity statute is ARS 18-552, originally enacted in 2006 (then codified at ARS 44-7501 and later moved to Title 18) and substantially amended by HB 2154 in 2018. The 2018 amendments moved Arizona from one of the least prescriptive breach notification frameworks in the nation to one of the more prescriptive. Before HB 2154, Arizona required notice only "in the most expedient manner possible and without unreasonable delay", with no fixed deadline and no duty to notify the Attorney General. The amendments introduced a 45-day outer deadline, Attorney General and consumer reporting agency notification for larger breaches, and civil penalties for knowing and willful noncompliance.
Who Must Comply
ARS 18-552 applies to any person that conducts business in Arizona and that owns, maintains, or licenses unencrypted and unredacted computerized data that includes personal information. This reaches businesses physically located in Arizona as well as out-of-state companies that hold data on Arizona residents. Government entities are reached through the definition of "person" in ARS 18-551, the article's definitions section, which also defines "breach", "encrypt", "redact", and "personal information".
Definition of Personal Information
Under ARS 18-552, personal information is defined as an individual's first name or first initial and last name combined with one or more of the following data elements:
Social Security number
Driver's license number or state identification card number
Financial account number or credit/debit card number, in combination with any required security code, access code, or password that would permit access to the account
Health insurance identification number
Medical or mental health treatment information or diagnosis by a healthcare professional
Passport number
Taxpayer identification number or IRS identity protection personal identification number
Unique biometric data generated from measurements or technical analysis of human body characteristics used to authenticate an individual, such as a fingerprint, retina or iris image, or voice print
Separately, and without the name requirement, an individual's user name or email address in combination with a password or security question and answer that allows access to an online account
Notably, the 2018 amendments expanded this definition significantly beyond the original 2006 version, adding health insurance IDs, medical information, passport numbers, taxpayer IDs, biometric data, and online account credentials.
Notification Requirements
When a breach of unencrypted personal information is discovered, the entity must conduct a reasonable investigation. Unless that investigation (by the entity, an independent third-party forensic auditor, or a law enforcement agency) concludes that the breach has not resulted in and is not reasonably likely to result in substantial economic loss to affected individuals, the entity must:
Notify affected individuals within 45 days of determining that a breach has occurred, by written notice to the individual's last known mailing address, by telephone, or by email if the individual has consented to electronic notice
Notify the Arizona Attorney General within 45 days if the breach affects more than 1,000 Arizona residents
Notify the three largest nationwide consumer reporting agencies (Equifax, Experian, TransUnion) within 45 days if more than 1,000 Arizona residents are affected
Include specific content in the notification: a general description of the incident, the type of personal information compromised, the approximate date of the breach, contact information for the entity providing notice, the toll-free numbers and addresses of the three largest nationwide consumer reporting agencies, and the toll-free number, address and website of the Federal Trade Commission or another federal agency that assists consumers with identity theft
Encryption Safe Harbor
ARS 18-552 provides an important safe harbor: if the breached data was encrypted or redacted, notification is not required unless the encryption key or security credential was also compromised. This incentivizes businesses to encrypt personal information and maintain strong key management practices. Organizations that encrypt sensitive data at rest and in transit effectively reduce their regulatory exposure under Arizona law.
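As an added example (not code from the article), the following Python triage helper applies the definition above to a breached record set: the name-plus-element test, the standalone online-account credential element, the encryption safe harbor, the 45-day clock measured from the determination date, and the more-than-1,000 threshold for Attorney General and consumer reporting agency notice. The field names, record layout and sample records are constructed for illustration; deciding whether a given database column really is a "medical_info" or "biometric" element, and whether the "substantial economic loss" exception applies, remains the responder's judgment.

```python
"""Breach-scoping triage modelled on ARS 18-552 as summarised on this page.

Added illustration, not code from the article. Field names, the record
layout and all sample records are constructed. This is a triage aid for an
incident responder, not legal advice.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Data elements that, combined with first name (or initial) + last name,
# make a record "personal information" under the statute (constructed names).
ELEMENTS = frozenset({
    "ssn", "drivers_license", "financial_account_with_code",
    "health_insurance_id", "medical_info", "passport",
    "taxpayer_id", "biometric",
})
NAME_FIELDS = frozenset({"first_name", "last_name"})
# Online-account credentials count on their own, without a name.
CREDENTIAL_IDS = frozenset({"username", "email"})
CREDENTIAL_SECRETS = frozenset({"password", "security_qa"})

THRESHOLD = 1000      # AG and CRA notice when MORE than this many AZ residents
DEADLINE_DAYS = 45    # counted from the determination date, not the intrusion


@dataclass(frozen=True)
class Exposure:
    """One affected individual's record as found in the breached data set."""
    fields: frozenset              # field names present for this record
    state: str = "AZ"              # residency, used for the Arizona counts
    encrypted: bool = False        # were these fields stored encrypted?
    key_compromised: bool = False  # was the key or credential also acquired?


def is_personal_information(exp: Exposure) -> bool:
    """Apply the statutory definition plus the encryption safe harbor."""
    if exp.encrypted and not exp.key_compromised:
        return False  # safe harbor: encrypted data, key not compromised
    named_element = NAME_FIELDS <= exp.fields and bool(ELEMENTS & exp.fields)
    credentials = bool(CREDENTIAL_IDS & exp.fields) and bool(CREDENTIAL_SECRETS & exp.fields)
    return named_element or credentials


def scope_breach(exposures, determined_on: date) -> dict:
    """Count notifiable Arizona residents and derive the notice obligations."""
    az = sum(1 for e in exposures if e.state == "AZ" and is_personal_information(e))
    other = sum(1 for e in exposures if e.state != "AZ" and is_personal_information(e))
    return {
        "az_residents_affected": az,
        "other_state_residents_affected": other,  # other states' statutes govern these
        "notify_individuals": az > 0,
        "notify_attorney_general": az > THRESHOLD,
        "notify_consumer_reporting_agencies": az > THRESHOLD,
        "notice_deadline": determined_on + timedelta(days=DEADLINE_DAYS),
    }


def sample_exposures():
    """Constructed sample: a leaked customer export (no real data)."""
    named_ssn = frozenset({"first_name", "last_name", "ssn"})
    records = [Exposure(named_ssn) for _ in range(1001)]                 # plaintext, AZ
    records += [Exposure(named_ssn, encrypted=True) for _ in range(50)]  # safe harbor applies
    records += [Exposure(frozenset({"first_name", "last_name", "phone"}))]  # no listed element
    records += [Exposure(frozenset({"ssn"}))]                            # element without a name
    records += [Exposure(frozenset({"email", "password"}))]              # credentials count alone
    records += [Exposure(named_ssn, state="NV") for _ in range(10)]      # not Arizona residents
    return records


def sample_scope():
    """Run the triage over the constructed sample with a fixed determination date."""
    return scope_breach(sample_exposures(), date(2025, 3, 1))


if __name__ == "__main__":
    for key, value in sample_scope().items():
        print(f"{key}: {value}")
```

Running the sample counts 1,002 Arizona residents (the 1,001 plaintext name-plus-SSN records and the one credential pair), ignores the 50 encrypted records and the two incomplete ones, and sets the notice deadline at 15 April 2025 for a breach determined on 1 March 2025.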
Penalties and Enforcement
The Arizona Attorney General has exclusive enforcement authority under ARS 18-552; there is no private right of action, though individuals may pursue separate claims under negligence or other common law theories. For a knowing and willful violation the AG may impose a civil penalty of up to $10,000 per affected individual (or the individuals' total economic loss, if less), capped at $500,000 per breach or series of related breaches. The AG can also seek injunctive relief and recover costs of investigation. Because the penalty attaches to knowing and willful violations of the notification duty, documented good-faith efforts to investigate and meet the 45-day deadline matter. The AG's office has been increasingly active in investigating breach notification compliance since the 2018 amendments took effect.
Reasonable Security Requirements
ARS 18-552 is a notification statute: it does not prescribe specific technical controls, and its encryption and redaction definitions are the closest it comes to one. The practical security baseline for Arizona businesses is set instead by the sector rules described below and by FTC Section 5 enforcement against unreasonable data security practices, which together point to several expectations:
Risk assessments conducted at least annually to identify vulnerabilities in systems that store or process personal information
Access controls that limit employee access to personal information based on job function and business need
Encryption of personal information at rest and in transit, particularly for data stored on portable devices or transmitted over public networks
Employee training on data protection practices, phishing recognition, and incident reporting procedures
Vendor management including contractual requirements for third-party service providers that access Arizona resident personal information
Incident response planning with documented procedures for detecting, containing, and reporting breaches within the 45-day statutory deadline
Federal Regulations Affecting Arizona Businesses
HIPAA (Healthcare)
Arizona's healthcare sector is among the state's largest employers and most heavily regulated industries. HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule impose requirements on covered entities and business associates that go beyond ARS 18-552. Banner Health, HonorHealth, Dignity Health, and dozens of smaller providers must maintain HIPAA compliance programs that include a documented risk analysis, workforce training, business associate agreements, and breach notification: affected individuals and HHS must be notified within 60 days of discovery for breaches affecting 500 or more individuals (with prominent media notice when 500 or more residents of a state are affected), and smaller breaches are reported to HHS in an annual log. The Banner Health breach of 3.7 million records demonstrated the consequences of HIPAA failures at scale.
CMMC and ITAR (Defense and Aerospace)
Arizona is home to significant defense and aerospace operations, including Raytheon Missiles & Defense in Tucson, General Dynamics in Scottsdale, and Luke Air Force Base in Glendale. Defense contractors handling controlled unclassified information (CUI) must achieve Cybersecurity Maturity Model Certification (CMMC) Level 2, which requires implementation of the 110 security requirements of NIST SP 800-171 (the same requirements DFARS 252.204-7012 already obligates contractors to implement). Companies involved in defense articles and services must also comply with the International Traffic in Arms Regulations (ITAR), which treat release of technical data to a foreign national, even on US soil, as an export. The Export Administration Regulations (EAR) apply the same deemed-export concept to dual-use technology such as advanced semiconductor manufacturing, which is the more common compliance challenge for multinational chip makers establishing Arizona operations.
GLBA and State Banking Regulations (Financial Services)
Banks, credit unions, mortgage brokers, and other financial institutions operating in Arizona fall under the Gramm-Leach-Bliley Act. Non-bank financial institutions (mortgage brokers, lenders, tax preparers, and similar) are subject to the FTC's Safeguards Rule, which requires a written information security program with a designated qualified individual, risk assessment, encryption, multifactor authentication, and, since May 2024, notice to the FTC within 30 days of discovering a notification event affecting 500 or more consumers; banks and credit unions follow the parallel interagency guidelines of their prudential regulators. The Arizona Department of Insurance and Financial Institutions (DIFI, which absorbed the former Department of Financial Institutions in 2020) provides additional oversight for state-chartered banks and credit unions. Given the volume of real estate transactions in Arizona (Maricopa County alone records over 100,000 home sales annually), financial institutions and title companies face elevated risk from business email compromise schemes targeting wire transfers.
Arizona's Approach to Privacy Legislation
No Comprehensive Privacy Law Yet
As of 2025, Arizona has not enacted a comprehensive consumer data privacy law comparable to the California Consumer Privacy Act (CCPA), Colorado Privacy Act, or Texas Data Privacy and Security Act (TDPSA). Arizona residents do not currently have statutory rights to access, delete, or opt out of the sale of their personal data at the state level.
Legislative Efforts
Several bills have been introduced in the Arizona Legislature to establish consumer data privacy protections. In 2022, SB 1143 proposed a framework modeled on the Virginia Consumer Data Protection Act, but it did not advance out of committee. In 2023, HB 2444 proposed data broker registration requirements and consumer opt-out rights, but also stalled. Privacy advocates and industry groups continue to debate the scope and enforcement mechanisms of potential legislation, and the rapid growth of Arizona's technology sector — particularly semiconductor manufacturing with significant foreign investment — may increase pressure for comprehensive privacy protections in future legislative sessions.
Building a Compliance Program for Arizona
Arizona businesses should build compliance programs that address both current ARS 18-552 requirements and the federal regulations applicable to their industry:
Map your data inventory — identify all personal information you collect, where it is stored, who has access, and which third parties receive it
Conduct a risk assessment evaluating your security posture against the types of threats relevant to your industry, whether that is ransomware targeting healthcare, supply chain attacks on manufacturing, or BEC schemes targeting real estate transactions
Implement encryption for all personal information at rest and in transit to benefit from the ARS 18-552 safe harbor provision
Develop and test an incident response plan that enables you to investigate, contain, and report breaches within the 45-day statutory deadline
Document your security program in writing, including policies, procedures, training records, and risk assessments — this documentation becomes critical evidence of reasonable security practices if a breach occurs
Monitor regulatory developments in the Arizona Legislature, as comprehensive privacy legislation could introduce new obligations with relatively short compliance timelines
Organizations that lack dedicated security staff can engage managed IT services providers to implement and maintain the technical controls required for compliance. For a broader understanding of the Arizona threat landscape, our threat analysis provides industry-specific risk context.
Frequently Asked Questions
Does Arizona have a comprehensive data privacy law?
No. As of 2025, Arizona does not have a comprehensive consumer data privacy law like California's CCPA or Colorado's CPA. Arizona's primary data protection statute is ARS 18-552, which focuses on breach notification requirements rather than granting broad consumer rights over personal data. Several privacy bills have been introduced in the Arizona Legislature but none have passed into law.
What is the notification deadline for a data breach in Arizona?
Arizona law requires notification within 45 days of determining that a breach of unencrypted personal information has occurred. This deadline was established by HB 2154 in 2018; prior to that amendment, Arizona had no specific statutory timeline for breach notification. The 45-day clock begins when the entity determines a breach has occurred, not when the breach itself took place, and the statute permits delay if a law enforcement agency advises that notification would impede a criminal investigation.
Do I need to notify the Arizona Attorney General after a data breach?
You must notify the Arizona Attorney General within 45 days if the breach affects more than 1,000 Arizona residents. You must also notify the three largest nationwide consumer reporting agencies (Equifax, Experian, and TransUnion) within the same 45-day window. For breaches affecting fewer than 1,000 residents, AG notification is not required, but you must still notify affected individuals.
What types of data are covered under Arizona's breach notification law?
ARS 18-552 covers a broad range of personal information when combined with an individual's name, including Social Security numbers, driver's license numbers, financial account numbers with access credentials, health insurance IDs, medical treatment information, passport numbers, taxpayer identification numbers, and biometric data. It also covers, without the name requirement, a user name or email address combined with a password or security question and answer that allows access to an online account. The definition was significantly expanded by HB 2154 in 2018 to include health, biometric, government identification, and online credential categories that were not in the original 2006 statute.
Is there an encryption safe harbor in Arizona's breach law?
Yes. ARS 18-552 provides that notification is not required if the breached data was encrypted or redacted, unless the encryption key or security credential was also acquired in the breach. This safe harbor is one of the strongest incentives in Arizona law for businesses to implement robust encryption and key management practices for all personal information they store or transmit.
What are the penalties for noncompliance with ARS 18-552?
The Arizona Attorney General can impose civil penalties for knowing and willful violations of the notification requirements of up to $10,000 per affected individual (or the individuals' total economic loss, if less), capped at $500,000 per breach or series of related breaches. The AG can also seek injunctive relief and recover investigation costs. There is no private right of action under the statute, meaning individuals cannot sue businesses directly for breach notification failures, though they may pursue claims under other legal theories such as negligence or breach of contract.
Alex Morgan
Updated Apr 4, 2026 · 10 min read