Arkansas Personal Information Protection Act

The Arkansas Personal Information Protection Act requires organizations that collect Personal Information (PI) to use reasonable security safeguards to protect that information. The law also requires that, if such information is compromised, the organization notify the affected individuals in a timely manner. If a breach of PI affects more than 1,000 people, the organization must also disclose the breach to the state attorney general.

How Does the Arkansas Personal Information Protection Act Define “Personal Information”?

The law defines “Personal Information” to include “An individual’s first name, or first initial and his or her last name, in combination with any one or more of the following data elements when either the name or the data element is not encrypted or redacted:

  • Social Security number;
  • Driver's license number or state identification card number;
  • Account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  • Medical information, including any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a healthcare professional; or
  • Biometric data, such as an individual’s voiceprint, handprint, fingerprint, DNA, retinal/iris scan, hand geometry, faceprint, or any other unique biological characteristic, if the characteristic is used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or an account.”

What Businesses Are Subject to the Arkansas Personal Information Protection Act?

The law applies to “any person, business or state agency (collectively, Entity) that acquires, owns, or licenses computerized data that includes PI.” It covers any organization maintaining information on Arkansas residents, regardless of whether it operates within the state.

Key requirements of the Arkansas Personal Information Protection Act:

  • Notification obligation: The covered entity “shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of AR whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.”

  • Third-party data notification: If the entity maintains electronic data that includes PI that it doesn’t own, it must notify the owner of the information of any breach of the security of the system immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.

  • Timing of the Notification: Disclosure of the breach needs to be made without “unreasonable delay, subject to any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.”

  • Records Retention: The entity must retain a copy of the report on the details of the breach and any supporting documentation for five years from the date the breach was determined.

Who Enforces the Regulation?

The Arkansas state attorney general has the authority to enforce the law. The law does not grant individuals a private right of action.