New Reporting Requirements Under Arkansas’ Data Breach Law

Published On May 22, 2019 | By Michelle Anderson, Marci Rozen and Armin Tadayon | Data Security, Privacy

Arkansas has updated its breach notification law to expand the definition of “personal information” and to require notifying the Arkansas Attorney General when a breach involves more than 1,000 individuals’ personal information. On April 15, 2019, Governor Asa Hutchinson signed HB 1943, and the amendments go into effect on July 23, 2019. 

Personal Information

The amendments add “biometric data” to the statute’s definition of “personal information.” Biometric data includes fingerprints, faceprint, a retinal or iris scan, hand geometry, voiceprint analysis, DNA, or any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or account.

Reporting Requirements

If a breach affects 1,000 or more individuals and the data owner is required to report the breach to individuals under the breach notification law, then the data owner must disclose the security breach to the Arkansas Attorney General at the later of (i) the same time the security breach is disclosed to affected individuals or (ii) within 45 days after the person or business determines that there is a reasonable likelihood of harm to customers. 

Security Breach Record Retention Requirements

In addition, the person or business that suffers a security breach must retain a copy of the written determination of the breach, as well as any supporting documentation, for five years from the date of determination of the breach. If the Attorney General submits a written request for the written determination of the breach, the person or business must send a copy of the determination and supporting documentation to the Attorney General no later than 30 days after the receipt of the request. Importantly, the determination and documentation are to remain confidential and are not subject to public disclosure laws.

About The Authors

Michelle Anderson counsels clients on a range of privacy, security, and consumer protection matters. She works closely with clients to understand their goals and risk profiles to help develop strategies for compliance with domestic and international privacy and security laws and regulations.

Marci counsels companies on a wide variety of issues involving privacy, cybersecurity, and information law. She routinely helps companies evaluate and develop corporate privacy and information security programs, and provides advice on matters involving cross-border data transfers, insider threat prevention and detection, cloud computing, and electronic surveillance. Marci also assists clients in responding to data breaches, including issuing breach notifications required under state and federal breach notification laws, advising on remediation efforts, and handling litigation and enforcement actions arising from data security incidents.
