Arkansas Personal Information Protection Act (Data Breach)
A.C.A. § 4-110-101, et seq.
SUMMARY:
EFFECTIVE. August 12, 2005
WHO DOES THIS LAW APPLY TO. (1) Any person, business or State agency that acquires, owns, or licenses computerized data that includes Personal Information on State residents; and (2) any person, business or State agency that maintains Personal Information on State residents.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security, integrity, or confidentiality of Personal Information and that affects the personal information of more than one thousand (1,000) individuals, maintained by a person, business, or State agency.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Medical information.
- Biometric data, meaning data generated by automatic measurements of an individual's biological characteristics, including without limitation: fingerprints, faceprint, a retinal or iris scan, hand geometry, voiceprint analysis, deoxyribonucleic acid (DNA), or any other unique biological characteristics of an individual, if the characteristics are used by the owner or licensee to uniquely authenticate the individual's identity when the individual accesses a system or account.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the individuals affected and to the State Attorney General.
EXCEPTION. This Section does not apply to the following:
- A good faith acquisition of Personal Information by an employee or agent of the person, business, or State agency for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
- No notification is required if the person, business, or State agency, after a reasonable investigation, determines that a security breach is not likely to harm customers.
- A person, business, or State agency which maintains its own notice procedures as part of a Personal Information security policy, and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected individuals are notified by the person, business, or State agency in accordance with its policies.
- A person, business, or State agency that is regulated by State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules that provide greater protection and at least as thorough disclosure requirements as this Section is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business, or State agency discovers or is notified of a security breach or within forty-five (45) days after the person or business determines that there is a reasonable likelihood of harm to customers, whichever occurs first. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the needs of law enforcement or any measures necessary to determine the scope of the breach, and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation. In that instance, notification will be made following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or State agency can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person, business or State agency has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice, if the person, business, or State agency has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, business, or State agency, if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business or State agency maintains unencrypted data that includes Personal Information that it does not own, then the person, business or State agency shall notify the owner or licensee immediately following discovery of the breach. The person, business or State Agency that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General has the authority to enforce violations to this Section to include:
- A court order to prohibit any further violations.
- Action to recover actual damages.
- Assessment of penalties paid to the State of up to $10,000 per violation.
- Recovery of attorney fees and costs.
RECORDS RETENTION. A person or business shall retain a copy of the written determination of a breach of the security of a system and supporting documentation for five (5) years from the date of determination of the breach of the security of the system. If the Attorney General submits a written request for the written determination of the breach of the security of the system, the person or business shall send a copy of the written determination of the breach of the security of the system and supporting documentation to the Attorney General no later than thirty (30) days after the date of receipt of the request. The determination and documentation retained are confidential and not subject to public disclosure.
PRIVATE RIGHT OF ACTION. None is provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Ark. Code § 4-110-103 - § 4-110-104. (a) A person or business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means. (b) A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
LEGISLATIVE UPDATES.
S.B. 1167 – Signed into law on 3/31/2005, Effective 8/12/2005.
H.B. 1943 – Signed into law on 4/15/2019, Effective 7/23/2019.
For more information, see here: https://www.arkleg.state.ar.us/Acts/Document?type=pdf&act=1030&ddBienniumSession=2019%2F2019R
AND
https://www.arkleg.state.ar.us/Bills/Detail?ddBienniumSession=2019%2F2019R&measureno=HB1943
AND
https://advance.lexis.com/container?config=00JAA3ZTU0NTIzYy0zZDEyLTRhYmQtYmRmMS1iMWIxNDgxYWMxZTQKAFBvZENhdGFsb2cubRW4ifTiwi5vLw6cI1uX&crid=18731635-5dbe-46b5-baf9-fb4da18b70a2&prid=7ddd8102-b27f-4e17-865a-f33c9221b9f1
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.