Form: Cost-of-Breach DisclosureSource: IBM 2025Filed: 28 Apr 2026
DataBreachCost.comOpen calc
01 Calculator02 Statistics03 By Industry04 Breaches05 Prevention ROI06 Ransomware07 Small Business08 By Country09 Notification Laws11 50-State Laws10 Cost Breakdown
State File AZ / Breach Notification StatuteA.R.S. 18-551, 18-552

State notification register

Arizona data breach notification law: within 45 days after determining a breach occurred.

Arizona's breach-notification obligations are set by A.R.S. 18-551, 18-552. This page summarises the deadline to notify affected residents, the attorney general notification threshold, whether a private right of action exists, and the penalties for late or missing notification. Every provision is cited to its source statute and was verified in June 2026.

Individual deadline

45 days

From discovery / determination

AG notification

1,000

More than 1,000 Arizona residents (AG and Dept. of Homeland Security)

Private action

No

Only the Arizona Attorney General may enforce

Statute

AZ

A.R.S. 18-551, 18-552

Section AZ.1

What the statute requires

Under A.R.S. 18-551, 18-552, a business that owns or licenses computerized personal information of Arizona residents must notify affected individuals within 45 days after determining a breach occurred.

Attorney general or state-agency notification is more than 1,000 arizona residents (ag and dept. of homeland security). Where required, the timeline is: within the same 45-day window.

Section AZ.2

What triggers notification

Like most US state statutes, notification is triggered by the unauthorized acquisition of unencrypted, unredacted computerized personal information that compromises its security, confidentiality, or integrity. Two concepts recur across the states and apply here.

Encryption safe harbor

Personal information that was encrypted, and where the encryption key was not also acquired, generally does not trigger notification. A stolen device with full-disk encryption is typically a non-event; an unencrypted record, or an encrypted record where the key was exposed alongside it, is a reportable breach.

Who must be notified

  • [1] Affected Arizona residents: 45 days
  • [2] Attorney general / state agency: more than 1,000 arizona residents (ag and dept. of homeland security)
  • [3] Consumer reporting agencies where the breach is large-scale

Section AZ.3

Penalties and enforcement

Up to $10,000 per affected individual, capped at $500,000 per breach, under the Consumer Fraud Act.

Private right of action: No. Only the Arizona Attorney General may enforce.

Primary source:Arizona statute A.R.S. 18-551, 18-552; verified June 2026 against state statutory summaries and the underlying statute text.

Section AZ.4

How this compares to the strictest states

The strictest US deadlines are 30 days (California, Florida, Washington, Colorado, Maine, New York, New Jersey). The majority of states use a qualitative "without unreasonable delay" standard with no fixed day cap. Here is where Arizona sits.

Arizona imposes a fixed 45-day deadline. The strictest states cut this to 30 days, so Arizona sits 15 days behind the tightest regimes.

Cross-references

Index / All 50 states + DC

The full register: deadline and AG threshold for every state.

Schedule 09 / Notification laws

Global frameworks and the cost of notification.

01 / Breach cost calculator

Estimate your Arizona breach exposure, including notification cost.

Regulation / GDPR

The 72-hour clock and 4%-of-revenue fine framework.

Cost / Notification

Why notification is roughly 6% of total breach cost.

Schedule F / Reference Q&A

Frequently Asked Questions

Primary source:Arizona data breach notification statute (A.R.S. 18-551, 18-552). Provisions verified June 2026 against state statutory summaries (Recording Law US data-privacy series, 2026 edition), the IAPP US State Data Breach Notification Chart, Foley & Lardner's chart, and the underlying statute text.