AZ HB2146

Requires persons conducting business in Arizona who own, maintain, or license computerized personal information to investigate security incidents and determine if a security breach has occurred.

Mandates notification of affected individuals within 45 days of determining a breach has occurred, with options including written notice, email, telephone, or substitute notice posted on the company's website.

Requires notification to the three largest nationwide consumer reporting agencies and the Arizona Attorney General (and now the Arizona Department of Homeland Security) if a breach affects more than 1,000 individuals.

Establishes civil penalties not to exceed $10,000 per affected individual or $500,000 maximum per breach for knowing and willful violations, enforceable only by the Attorney General.

Exempts entities regulated under the Gramm-Leach-Bliley Act and HIPAA-covered entities, and requires state and local law enforcement and court agencies to maintain information security policies with breach notification procedures.