Arkansas State Data Breach Notification Laws Overview

The document provided is an overview of the Arkansas State Data Breach Law. It is not a substitute for advice from an attorney, but is meant to be used as a business tool to help educate and start conversations between business, IT and counsel. I hope you find it helpful. Please let me know if you have any questions or comments.

Who must comply?

Any sole proprietorship, partnership, corporation, association, or other group, however organized and whether for-profit or non-profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution, that acquires, owns, or licenses personal information about the citizens of the State of Arkansas.

* Also includes any entity that destroys records, and any state agency.

What Data is Covered?

Personal Information (PI)

First initial or name with last name combined with any one or more of the following:

  • Social Security number;

  • Driver's license number or Arkansas identification card number;

  • Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;

  • Medical information;

  • Unique biometric data or biological characteristics of an individual used by the owner or licensee to uniquely authenticate the individual's identity when accessing a system or account.

Exclusions

Public or Encrypted PI

  • PI does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

  • Encrypted data is excluded.

  • Notification is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers.

What is a breach?

  • Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by a person or business.

  • Does not include a good-faith acquisition of PI by an employee or agent of the person or business for the legitimate purposes of the person or business, provided the PI is not otherwise used or subject to further unauthorized disclosure.

How to Comply

Preparation Compliance

  • Take all reasonable steps to destroy, or arrange for the destruction of, any record containing a customer's PI that is no longer to be retained in the custody or control of the person or business.

  • Implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the PI from unauthorized access, destruction, use, modification or disclosure.

Post Security Incident Compliance

  • Disclose any breach of the security of the system, following discovery or notification of the breach, to Arkansas residents whose information was or is reasonably believed to have been acquired by an unauthorized person.

  • Disclosure shall be made in the most expedient time and manner possible and without unreasonable delay, subject to the needs of law enforcement or the legitimate need to take measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

  • A person or business that maintains computerized data that includes PI shall notify the owner or licensee of the information immediately following discovery if the PI was or is reasonably believed to have been acquired by an unauthorized person.

  • See the note under Exclusions regarding the determination of the likelihood of harm.

Notice Requirements

Notice shall be provided by one of the following methods:

  • Written notice.

  • Electronic notice conforming to the E-SIGN Act.

If the breach requires notification of more than 1,000 individuals, the person or business should disclose the security breach to the Attorney General at the same time as disclosure to the individuals or within 45 days after the breach, whichever is first.

Substitute Notice

  • Substitute notice may be used if:

      o   the cost of providing notice as above would exceed $250,000;

      o   the affected class exceeds 500,000; or

      o   there is insufficient contact information.

  • Substitute notice shall consist of ALL of the following:

      o   Electronic mail notice when the person or business has an electronic mail address for the subject persons;

      o   Conspicuous posting of the notice on the website of the person, if the person maintains one;

      o   Notification by statewide media.

Records

  • A person or business shall retain a copy of the written determination of a breach of the security of a system, and the supporting documentation, for five (5) years from the date of the determination.

  • If requested, the person or business shall send a copy of the written determination of the breach and the supporting documentation to the Attorney General no later than 30 days after the request.

  • This information is confidential and not subject to public disclosure.

Sanctions and Remedies

  • Violations of the Personal Information Protection Act are punishable by action of the Attorney General under the Deceptive Trade Practices Act (§ 4-88-101) and may include civil or criminal penalties.