Identity Theft

Arizona's Cybersecurity Team

Governor Ducey announced the formation of Arizona’s cybersecurity team.  The team will consist of experts from diverse backgrounds and disciplines who will work together to identify cyber threats and prevent cyber attacks on Arizona citizens.  The team will include members from state, local and federal government as well as experts from private business and universities.  It is hoped the team, combined with the new security breach law, will better protect Arizona residents against cybercrime.

The Security Threat We All Face.

Since the dawn of the 21st century, American citizens and businesses have been hit with a number of serious cyber-attacks.  Just this morning, I woke up to a news report of a data breach affecting 50 Arizona businesses.  The breach was discovered in early January, when IT personnel at North Country Business Products identified suspicious activity on client networks.  The resulting investigation showed 50 Arizona restaurants, hotels, and other businesses had been hacked.  The thieves stole cardholder names, credit card numbers, card expiration dates, and CVV numbers.  This is just the latest data theft in a long list.

In 2014, Yahoo was hit with the biggest data breach in history.  The attack compromised the names, telephone numbers, birth dates, and email addresses of 500 million users.  Yahoo also admitted that a year earlier, in 2013, a different group of hackers had compromised over 1 billion accounts, netting names, addresses, emails, birth dates, passwords, and the answers to security questions.  At the time of the disclosure, Yahoo was in negotiations to sell itself to Verizon.  The disclosure knocked the sales price down by $350 million.

In November of 2018, Marriott International announced that hackers had stolen data on 500 million customers.  The breach was eventually tracked to a Chinese intelligence agency.  Equifax was the target of another serious data breach.  This one occurred in 2017, and it exposed information on 147.9 million consumers.  The hackers got birth dates, social security numbers, addresses and drivers’ license numbers.  Some 209,000 consumers also had credit card data stolen in this hack.  The list goes on: eBay – 145 million users exposed; Heartland Payment Systems – 134 million credit cards compromised; Target Stores – 110 million customers’ credit card and debit card information taken; TJX Companies – 94 million credit cards exposed; Uber – personal information of 57 million customers and 600,000 drivers stolen; J.P. Morgan Chase – personal information on 76 million customers and 7 million small businesses.

Even the federal government has suffered breaches.  Chinese hackers breached the firewalls of the United States Office of Personnel Management (OPM) in 2012.  They were not detected in the federal system until March 20, 2014.  There was a second hack in May of 2014 that was not detected for nearly a year.  The thieves got away with personal data that included information on security clearances and fingerprint data.

Both private industry and government have come to realize that as software engineers improve security methods and encryption algorithms, cyber thieves are also improving their tools for hacking the system. Government must take concerted action to meet and beat back this threat. 

The Role the Arizona Cybersecurity Team Will Play.

The Cybersecurity team is to be staffed by the Arizona Department of Administration.  The team is expected to stay on top of the latest information in data security and breaches.  Team members will develop recommendations for elevating the state’s security and continuously advise the Governor.  The team is also expected to advise the Governor on available federal resources and developments in cybersecurity measures. 

The team will work to enhance both cooperation and collaboration among government agencies, law enforcement, and private industry.  The group will push for industry to develop improved cybersecurity methods.  The cybersecurity team is also tasked with encouraging higher education institutions to develop more classes and programs in data security and IT education.  The goal is to educate more students about cutting-edge IT developments and security issues.  The cybersecurity team is also tasked with keeping the public alerted to new cyberthreats and with offering tips to help people deal with threats as they arise.  It is hoped the team will enhance our state’s awareness of cyberthreats and better position government, business and consumers to deal with those threats.

Arizona’s Amended Data Breach Notification Law.

In addition to creating the Arizona Cybersecurity Team, Arizona has amended its data breach notification law so that consumers are more quickly alerted to possible data thefts.  The law was amended on April 11, 2018.  The amended law requires persons, companies and government agencies to notify anyone affected by a data breach within 45 days of discovering (1) that a breach occurred; and (2) that the breach is reasonably likely to lead to affected persons suffering substantial economic loss. 

Under the amended law, the definition of “personal information” has been expanded.  It includes a person’s first name or initial and last name in combination with one or more of the following pieces of information:  (a) Social Security number, (b) drivers’ license or non-operators’ license number, (c) a private key used to sign electronic documents, (d) financial account number, credit card or debit card number combined with required security codes, access codes or passwords to the account, (e) health insurance account numbers, (f) health insurance information or medical records information, (g) taxpayer ID issued by the IRS, (h) passport identification number, (i) biometric data used to access accounts (things like scanned finger or thumbprints).  Personal information also includes user names or email addresses coupled with security question answers or passwords.

If the breach is large enough to require more than 1000 people be notified, there must also be notification to the Attorney General and the three major credit reporting agencies.

The amended law requires entities suffering a data breach to conduct a prompt investigation once the breach is discovered.  Notification is not required if the stolen data is encrypted and/or redacted.  For example, some entities maintain only the last 4 digits of the account number.  That qualifies as redacted data.  The law also requires entities with stored personal information to make sure third-party service providers protect that data on secure servers with up-to-date security.  That would include employers who use third-party payroll companies to maintain payroll records and issue checks to employees.  It also includes businesses that use a billing company to handle all their client billing and collection matters.

The Arizona Attorney General’s office has the authority to enforce the notification law. The AG can bring an enforcement action against any entity failing to comply with the statute.  The AG can impose a civil penalty up to $10,000 per affected individual against the offending entity. The cap for the civil penalty is $500,000. The AG can also collect restitution for the individuals affected by the breach.

Data hacks are a major headache for government, law enforcement, and private business.  They are often difficult to detect and costly for victims.  Early identification of data breaches coupled with more intense efforts to enhance security and identify risks will assist government and business in the battle to keep our data secure.  As long as there is money to be made, data thieves will keep improving their skills.


