The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
Arkansas
Data Breach Notification Statute
Highlights
Covered Entities: Persons, businesses, or state agencies that acquire, own, license, or maintain personal information.
Consumer Notification: Notification must be provided to Arkansas residents whose personal information was acquired without authorization.
Regulatory Notification: Notification must be provided to the Arkansas Attorney General if more than 1,000 Arkansas residents are notified of a breach. Notice must be provided at the same time the entity notifies the affected class, or 45 days after it determines there is a reasonable likelihood of harm to individuals, whichever occurs first.
Notification Timeline: Notification must be provided in the most expedient time and manner possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
Data Format: Electronic
Citations: Arkansas Code §§ 4-110-101 to 4-110-108
More Details
Definitions:
- Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an entity.
- Personal Information (PI):
- An individual’s first name, or first initial and last name, in combination with any one or more of the following data elements:
- Social Security number;
- Driver’s license number or state identification card number;
- Account number; credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- Medical information;
- Biometric data.
- An individual’s first name, or first initial and last name, in combination with any one or more of the following data elements:
- Medical Information: Any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a healthcare professional.
- Health Insurance Information: N/A
Safe Harbors:
- Encryption: Notification is not required where the PI was encrypted.
- Good Faith: Notification is not required where the PI was acquired in good faith by an employee or agent of the entity for the legitimate purpose of the entity, if the PI is not otherwise used or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if, after a reasonable investigation, the entity determines there is no reasonable likelihood of harm to consumers.
- Law Enforcement Delay: Notification may be delayed in law enforcement determines that notice would impede a criminal investigation. Notice required by the statute must be made after the law enforcement agency determines that notification would no longer impede the investigation.
Direct Notice:
- Timing: Notification must be provided in the most expedient time and manner possible and without unreasonable delay, subject to any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
- Format: N/A
- Content: N/A
- Method: Notification must be provided either via (1) written notice or (2) email notice if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. §7001 (E-Sign Act).
Substitute Notice:
An entity may provide substitute notice if it demonstrates that the cost of providing direct notice would exceed $250,000, that the affected class of persons to be notified exceeds 500,000, or the entity does not have sufficient contact information. Substitute notice shall consist of (1) email notice when the entity has email addresses for the subject individuals; (2) conspicuous posting of the notice on the entity’s website; and (3) notification to statewide media.
Remediation Services:
N/A
Regulatory Notice:
Notification must be provided to the Arkansas Attorney General if more than 1,000 residents require notification.
Credit Reporting Agencies Notice:
N/A
Third-Party Notice:
A third party who maintains, but does not own, PI shall notify the owner or licensor of the breach immediately following discovery if PI was, or is reasonably believed to have been, acquired by an unauthorized person.
HIPAA:
The provisions of this chapter do not apply to a person or business that is regulated by a state or federal law that provides greater protection to PI and at least as thorough disclosure requirements for breaches of the security of personal information than that provided by this chapter. Compliance with such state or federal law shall be deemed compliance with this chapter with regard to the subjects covered by this chapter.
Private Action:
N/A
Associated Regulations:
- Arkansas Code Ann §§ 4-110-103, 4-110-104 (Information Security Standards)
- Arkansas Code Ann. 23-61-113 (applicable to insurance entities)
- Arkansas Admin. Code § 214.00.2-5010-2 (applicable to certain securities licensees)
Insurance Data Security Statute
Highlights
Covered Entities: All licensed insurers, health maintenance organizations, or other insuring health entities regulated by the commissioner, producers, and other persons licensed or required to be licensed, authorized or required to be authorized, or registered or required to be registered by the commissioner or a legal entity engaged in the business of insurance, including without limitation an individual, corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd's insurer, fraternal benefit society, agent, broker, and adjuster.
Security Standard: Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
Consumer Notification: Comply with all requirements for disclosure and notification of a data breach as required under Ark. Code Ann. § 4-110-105.
Regulatory Notification: Provide notification of a data breach to the commissioner in the same time and manner as required under § 4-110-105.
Notification Timeline: The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
Citations: Ark. Code Ann. § 23-61-113
More Details
Definitions:
- Consumer: An individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information, or that individual's legal representative.
- Licensee: All licensed insurers, producers and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to the Arkansas Insurance Code. For purposes of this regulation, "licensee" shall also mean the Arkansas Comprehensive Insurance Pool created pursuant to Act 292 of 1997.
- Nonpublic Personal Information: Nonpublic personal financial information, including any list, description, or other grouping of consumers that is derived using any personally identifiable financial information that is not publicly available, and nonpublic personal health information that identifies an individual who is the subject of the information or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual:
- Personal financial information is defined as any information that:
- A consumer provides to a licensee to obtain an insurance product or service from the licensee;
- About a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer; or
- The licensee otherwise obtained about a consumer in connection with providing an insurance product or service to that consumer.
- Personal health information is defined as any information or data, except age or gender, created by or derived from a health care provider or a consumer, that can be used to identify a consumer and relates to:
- The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
- The provision of health care to any consumer; or
- The payment for the provision of health care to any consumer.
- Personal financial information is defined as any information that:
Regulatory Notice:
A licensee shall notify the commissioner at the same time the breach is disclosed to an affected individual or within 45 days after the person or business determines that there is a reasonable likelihood of harm to customers, whichever occurs first.
Third-Party Notice Requirements:
Pursuant to Arkansas Code § 4-110-105, a third party that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee that there has been a breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Penalties:
Pursuant to Ark. Code Ann. § 23-63-1406, an insurer may be subject to, for each separate violation, a penalty in an amount of $1,000 or, if the commissioner has found willful misconduct or willful violation, $5,000 or revocation or suspension of the insurer's or person's license.
Associated Regulations:
- Ark. Code Ann. § 4-110-105, 054-00-02; Ark. Code R. § 1
Information Security Standard
Highlights
Covered Entities: Individuals, businesses, and state agencies. It does not apply to persons or businesses regulated by and compliant with state or federal laws with more stringent requirements for the protection of personal information.
First Party Security Standard: A business that owns, licenses, or maintains personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Third Party Security Standard: An entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.
Disposal/Destruction Standard: Must take all reasonable steps to destroy or arrange for destruction of customer records containing personal information that is no longer to be retained.
Data Format: Electronic and physical.
Citations: Ark. Code §§ 4-110-103, 4-110-104
More Details
Definitions:
- Medical Information (MI): Any individually identifiable information regarding an individual’s medical history or medical treatment or diagnosis.
- Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following data elements:
- Social Security number;
- Driver’s license number or state identification card number;
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- Medical information; or
- Biometric data.
Methods of Compliance:
Pursuant to subsection (b) of Ark. Code §4-110-104, organizations and individuals should reasonable security procedures and practices meant to prevent unauthorized access, destruction, use, modification, or disclosure of personal information.
Exclusions:
- Health Care: N/A
- Financial: N/A
- Other: N/A
Enforcement/Penalties:
- Enforcement: Violations of statute enforceable by the Attorney General pursuant to Ark. Code 4-88-101, et seq.
- Penalties: Violations of the statute may constitute deceptive trade practices. Attorney General may seek an injunctive relief or restitution. Willful or knowing violations of statute may be subject to criminal penalties (Class A misdemeanor).
Associated Regulations:
N/A