AZ HB2154

Creates Article 4 in Title 18, Chapter 5 of Arizona Revised Statutes establishing comprehensive definitions and requirements for data security breach notification, including definitions of "breach," "personal information," "encrypt," "redact," and other key terms.

Requires persons conducting business in Arizona that own, maintain, or license unencrypted and unredacted computerized personal information to conduct an investigation upon discovering a security incident and notify affected individuals within 45 days if a breach is determined to have occurred.

Mandates notification to the three largest nationwide consumer reporting agencies and the Arizona Attorney General if a breach affects more than 1,000 individuals, with specific requirements for notification content and methods including written notice, email, telephone, or substitute notice.

Exempts entities subject to federal regulations including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as law enforcement agencies and courts, from state breach notification requirements.

Establishes enforcement by the Arizona Attorney General only, with civil penalties up to $10,000 per breach or series of related breaches, and preempts all municipal and county laws relating to data security breach notification.