Guide to

Arkansas Personal Information Protection Act

The Arkansas Personal Information Protection Act requires organizations that collect Personal Information (PI) to use reasonable security safeguards to protect such information. The law also requires that in the event such information is compromised, the organization must notify the affected individuals as soon as possible but no later than 45 days after the discovery of the breach. If the breach of Personal Information (PI) affects more than 1,000 people, the organization must also disclose the breach to the state attorney general.

How does the Arkansas Personal Information Protection Act define “personal information”?

The law defines “Personal Information” to include “An individual’s first name, or first initial and his or her last name, in combination with any one or more of the following data elements when either the name or the data element is not encrypted or redacted:

Social Security number
Driver’s license number or state identification card number
Account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
Medical information, including any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a healthcare professional
Biometric data, such as an individual’s voiceprint, handprint, fingerprint, DNA, retinal/iris scan, hand geometry, faceprint, or any other unique biological characteristic, if the characteristic is used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or an account
Health insurance policy number or subscriber identification number in combination with any unique identifier used by a health insurer
Login credentials, including email addresses in combination with passwords or security questions and answers that would permit access to an online account

What businesses are subject to the Arkansas Personal Information Protection Act?

The law applies to “any person, business or state agency (collectively, Entity) that acquires, owns, or licenses computerized data that includes PI.” It covers any organization maintaining information on Arkansas residents, regardless of whether it operates within the state.

Key requirements of the Arkansas Personal Information Act:

Notification obligation

The covered entity “shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of AR whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.”

Timing of the Notification

Disclosure of the breach needs to be made “as soon as possible, but no later than 45 days after the discovery of the breach.”

Third-party data notification

If the entity maintains electronic data that includes PI that it doesn’t own, it must notify the owner of the information of any breach of the security of the system immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.

Records retention

The entity must retain a copy of the report on the details of the breach and any supporting documentation for five years from the date the breach was determined.

Who enforces the regulation?

The Arkansas state attorney general has the authority to enforce the law. The law does not grant individuals a private right of action.

Arkansas Personal Information Protection Act: Frequently Asked Questions

Under the Arkansas Personal Information Protection Act (PIPA), “personal information” refers to an individual’s first name or first initial and last name in combination with one or more of the following data elements when either the name or the data elements are not encrypted, redacted, or otherwise protected:

Social Security number
Driver’s license number or Arkansas identification card number
Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
Medical information, including any information regarding an individual’s medical history, condition, or treatment
Health insurance policy number or subscriber identification number in combination with any unique identifier used by a health insurer
Biometric data, meaning data generated by automatic measurements of an individual’s physical characteristics, such as fingerprints, voiceprints, iris or retina scans, or other unique physical characteristics used to authenticate an individual’s identity
Login credentials, including email addresses in combination with passwords or security questions and answers that would permit access to an online account

The protection of this information is designed to prevent identity theft and fraud by ensuring that organizations handling such data do so responsibly and with adequate safeguards.

The Arkansas Personal Information Protection Act has been amended several times to strengthen data privacy and protection measures. Significant changes in the amendments include:

Expansion of protected information: The definition of “personal information” was broadened to include biometric data, health insurance policy numbers, medical information, and online account credentials, reflecting the evolving nature of data and the types of information that need protection.
Updated notification requirements: The amendments reduced the time frame for notifying affected individuals and the Attorney General in the event of a data breach. Organizations are now required to provide notification as soon as possible, but no later than 45 days after the discovery of the breach.
Mandatory notification to the attorney general: If a breach affects more than 1,000 individuals, the organization must notify the Arkansas Attorney General, adding a layer of oversight and accountability.
Increased penalties for non-compliance: The amendments introduced more severe penalties for organizations that fail to comply with the notification requirements or take inadequate measures to protect personal information.

These changes reflect a growing emphasis on consumer protection and the importance of timely and transparent communication in the event of a data breach.

A data breach under the Arkansas PIPA is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an organization. The key elements of a data breach include:

Unauthorized acquisition: Any access to personal information without the express authorization of the data owner.
Compromise of security: An incident that results in the data being exposed to unauthorized access, whether through hacking, accidental disclosure, or other means.

However, a data breach does not include good faith acquisitions by an employee or agent of the business for legitimate business purposes, provided the personal information is not used or subject to further unauthorized disclosure.

Under Arkansas PIPA, an organization that experiences a data breach must notify affected individuals as soon as possible but no later than 45 days after the discovery of the breach. The notification must include:

The date or estimated date of the breach
A description of the personal information that was compromised
Steps that the organization has taken to mitigate the breach and protect against future incidents
Advice on how affected individuals can protect themselves, including monitoring for signs of identity theft or fraud

If the breach affects more than 1,000 individuals, the organization must also notify the Arkansas Attorney General within the same timeframe. This ensures that larger breaches are subject to state oversight and that appropriate actions are taken to protect consumers.

A violation of the Arkansas PIPA occurs when an organization fails to:

Implement reasonable security measures to protect personal information;
Properly notify affected individuals and the Attorney General within the specified timeframe after discovering a data breach;
Accurately report the nature and extent of the breach, including the types of personal information that were compromised.

These violations can result from negligence, willful disregard of the law, or inadequate data protection practices. Compliance with the act requires both proactive measures to secure personal information and responsive actions in the event of a data breach.

The consequences of a data breach under Arkansas PIPA can be significant and include:

Legal penalties: Organizations found in violation of the notification requirements or other provisions of the PIPA may face civil penalties. The Arkansas Attorney General has the authority to bring legal action against non-compliant entities, which could result in fines and other sanctions.
Reputational damage: A data breach can severely damage an organization’s reputation, leading to a loss of consumer trust and potentially long-term financial harm. The negative publicity surrounding a breach can also deter new customers and business partners.
Financial loss: Beyond legal penalties, organizations may incur costs related to breach mitigation, such as forensic investigations, legal fees, and customer notification expenses. Additionally, there could be compensation claims from affected individuals or class-action lawsuits.
Operational disruption: The aftermath of a data breach often requires extensive internal resources to manage the response, implement new security measures, and deal with regulatory scrutiny, which can disrupt normal business operations.

These consequences underscore the importance of complying with Arkansas PIPA and taking robust measures to protect personal information from unauthorized access and breaches.

Hyperproof makes Arkansas Personal Information Protection Act compliance simple

Effortlessly map controls to the Arkansas Personal Information Protection Act and other relevant regulatory standards, like GDPR and CCPA
Reduce the time required to align with the Arkansas Personal Information Protection Act , ensuring your organization meets all necessary regulations promptly
Reuse evidence across various compliance frameworks like GDPR and CCPA, simplifying the documentation process
Seamlessly integrate with the productivity tools your team already uses, enhancing workflow efficiency
Scale your compliance operations effortlessly as your organization grows and regulations evolve