News and Insights

Visit regularly for up-to-date information on relevant news, firm announcements and additions to our AZ Health Law Blog.

With the New Year comes a fresh start, an opportunity to make new goals and resolutions. For Arizonans, January 1st is a time to put new laws into effect. As we head into 2019, it’s important for families to know how these newly passed laws will impact their lives.

January 11th, 2019

Posted In: Uncategorized

Looking ahead to 2019, there are some new laws taking effect that you should know. We spoke with Stephanie Webb, associate attorney at Radix Law in Scottsdale about these laws including minimum wage, an additional recess period and the Farm Bill and how they will affect Arizonans.

December 31st, 2018

Posted In: Uncategorized

Is there anything worse for a business than having its data breached?

Yes — having to report that breach under an amended Arizona law that went into effect in August and requires companies to notify consumers affected by the breach within 45 days of a data breach or face up to $500,000 in penalties. If more than 1,000 Arizona residents are affected, businesses must notify the attorney general and the three largest nationwide consumer reporting agencies.

“The law is quite broad and applies to all Arizona businesses that own, maintain or license computerized data that includes personal information,” says Stephanie Webb, an associate at Radix Law. “Accordingly, all businesses maintaining any personal information of employees or customers on a computer should be aware of the law and its requirements.”

According to Joe Clees and Ryan Mangum of Ogletree Deakins, any business that operates in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information could be impacted. Personal information includes an individual’s first name — or first initial — and last name in combination with any of the individual’s following information:

• Social security number, driver’s license number, health insurance account number, passport number, taxpayer identification number, or financial account numbers;

• A private key unique to the individual that is used to authenticate an electronic record;

• Health information and history;

• Biometric data generated from a measurement or analysis of human body characteristics, such as a fingerprint;

• Personal information also includes a username plus password for online accounts, according to Scott Bennett, a partner at Coppersmith Brockelman.

Impact on businesses
“A breach under the law is unauthorized access to that personal information,” Bennett says. “Common examples of breaches are the loss or theft of a mobile device, data emailed to the wrong person and employees snooping in company computer files.”

The motivation behind the passage of HB 2154 was to penalize businesses that exercise poor cyber data management while improving protections for consumers. By implementing a data breach notification deadline, establishing law enforcement standards and raising the potential fines — the total penalty is capped at $500,000, a substantial increase over the previous cap of $10,000 per breach — for offending businesses, Arizona now has one of the strictest security breach laws in the country, according to Webb.

“Consumers have a right to know when their sensitive information has been breached so they can protect themselves from financial loss,” says Attorney General Mark Brnovich. “A key component of the legislation was notification to the attorney general’s office of a breach. My office will be better positioned to investigate massive breaches in the future and assist consumers to protect their assets from theft.”

Beyond protecting consumers, Webb says the goal of the new law is to encourage businesses to strengthen their cyber defense measures. So what can be done to reduce the risk of a breach?

Reducing risk
“There are many steps that businesses can take to reduce risk,” says Susie Ingold, a shareholder at Burch & Cracchiolo. “One often overlooked step is strengthening internal security practices through your employees. Every employee plays a critical role in protecting the company’s network and confidential data, from performing individual tasks to identifying and reporting problems that could lead to a data breach. Providing mandatory employee training to educate them on data security and privacy practices, emerging security risks, proactive identification and reporting of issues can help reduce the company’s risk of a data breach.”

According to Clees and Mangum, effective data security requires a multi-faceted approach consisting of technical, personnel and physical barriers to access.

Technical barriers: These include measures like encryption, dual authentication, password protection, limiting collection, access, storage, and retention of data, and keeping software and hardware, such as anti-virus protection, up to date.

Personnel barriers: Hackers will find ways to circumvent technical barriers through employee error. Training employees to recognize and avoid cyber scams that disclose passwords, clicking on threatening links, using weak passwords and storing data on insecure repositories — Gmail, Dropbox, etc. — is critical.

Physical barriers: Simple measures such as locking doors, securing physical files, and keeping access restrictions up to date, will also prevent data breaches.

“A (business) should develop a comprehensive, but understandable ‘Incident Response Plan’ that has been tested in advance of a breach to ensure a timely and effective response,” says Robin B. Campbell, co-leader of the Data Privacy & Cybersecurity Practice Group at Squire Patton Boggs. “While regulators understand that technology cannot protect against every possible breach, they are generally less tolerant of mishandling of a breach response, which can be avoided with good planning.”

Staying compliant
To compound the issue, data breach laws differ from state to state, so Webb says a company conducting business in multiple states is bound by the laws of those states and must become familiar with requirements of each in the event of a cybersecurity breach.

“After a breach happens, one important initial step is identifying the states of residence of all affected individuals, which can usually be assessed according to their mailing addresses,” Bennett says. “Many states’ laws apply to any breach of the personal information of their residents, regardless of whether the company that experienced the breach does business in that state.”

When a business experiences a data breach, Bennett says it should:

• Stop the breach. This might require bringing in an expert in computer forensics.

• Notify insurance carriers.

• Meet the requirements of all applicable breach laws.

• Consider ways to reduce the risk of harm to affected individuals, such as offering to pay for credit monitoring and ID-theft-protection services. That is not required by Arizona law but protects both the affected individuals and the business.

• Take corrective action to prevent the same kind of incident from happening again. That might include disciplining the employees involved, providing additional training, or enhancing computer security features.

“Companies doing business in Arizona that also collect personal information should take note of, and understand, the amended law and analyze whether their existing information security controls are adequate to protect against a data breach,” Ingold says. “Businesses must also be proactive in investigating a possible security system breach and ensuring that, when necessary, timely notice is provided to affected individuals under the new data breach law.”

September 24th, 2018

Posted In: Uncategorized

Temperatures of 100+ degrees have officially hit the Valley, which means many Arizona residents are starting to book summer vacations. However, there are certain rights you should be aware of before you commit to any travel plans. This includes knowing what to do in the event of a trip cancellation, missed flight, bad weather, hidden fees and other unforeseen circumstances.

July 2nd, 2018

Posted In: Uncategorized

Attorney Stephanie Webb sat down with 12News to talk about social media clauses in your prenup agreements and who might need one.

May 31st, 2018

Posted In: Uncategorized

Attorney Stephanie Webb sat down with 3TV to talk about what you should consider including with regards to a social media clause in your prenup agreement before getting married.

May 31st, 2018

Posted In: Uncategorized

Most attorneys, whether or not they practice bankruptcy law, are familiar with the “automatic stay” of 11 U.S.C. §362(a). Amongst other things, it operates to stay collection actions, service of process, lien perfection, and judgment enforcement, upon the debtor’s filing of a bankruptcy petition. Creditors and their attorneys alike, however, are less familiar with the provisions of 11 U.S.C. §108(c), which extends certain non-bankruptcy time limitations for taking actions that are prohibited while the automatic stay is in effect. Section108(c) provides, in pertinent part:

“If applicable non-bankruptcy law . . . fixes a period for commencing or continuing a civil action in a court other than a bankruptcy court on a claim against the debtor, . . . and such period has not expired before the date of the filing of the petition, then such period does not expire until the later of — (1) the end of such period, including any suspension of such period occurring on or after the commencement of the case; or (2) 30 days after notice of the termination or expiration of the stay under section 362 . . . of this title . . . with respect to such claim.”

The extension applies equally to co-debtors (individuals jointly obligated with the debtor on a consumer debt) under chapter 12 or 13.

While the language of section 108(c) appears relatively straight-forward, it can be a trap for those unfamiliar with the provision. The most common example of section 108(c)’s applicability is when a statute of limitations expires while a debtor is in bankruptcy. Because of the automatic stay, the civil action cannot be commenced. However, section 108(c) extends the period to bring the action until 30 days after the stay is lifted, usually via court order or because the bankruptcy is dismissed. Many, unfamiliar with section 108(c), wrongly assume that a bankruptcy case tolls any applicable statute of limitations. This is incorrect. Under section 108(c), if the statute of limitations ran while the bankruptcy case was pending, then a creditor has only 30 days to bring its claim once the stay is lifted. This is true regardless of how long the creditor was “stayed” by virtue of the bankruptcy filing.

Similarly, the deadline is not tolled if it expires after the automatic stay has been lifted. Rather, a creditor has until the expiration of the deadline itself, unless such deadline expires less than 30 days after the lifting of the stay, in which case the 30-day extension of sub-section (2) applies. Put another way, a creditor gets the longer of the expiration of the statute of limitations or the 30-day extension.

Most Chapter 7 bankruptcies proceed swiftly to a discharge providing a creditor with certainty about the effect on its claim. In those cases, the creditor’s claim is likely lost and any applicable statute of limitations becomes moot. Many Chapter 13 bankruptcies, however, are active for several years before eventually getting discharged or dismissed. If dismissed, pre-petition creditors once again have the ability to try to enforce their claims through collection or litigation. But, they must act swiftly if the deadline to act ran while the bankruptcy was pending.

If you represent creditors, make sure to properly advise your client about any applicable statute of limitations and the effect thereon of section 108(c). Failure to do so could result in your client losing its right to collect on its claim.

April 26th, 2018

Posted In: Uncategorized