Mandated Timeframe for Breach Reporting and/or Consumer Notification
Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach and notification laws:
- up to $10,000
None to minimal
Other penalties include liability for any monetary judgments, a right of action by customers to recover actual damages, or suspension of authorization to do business in Arkansas.
A person or business that acquires, owns, or licenses personal information about an Arkansas resident must implement and maintain reasonable security procedures and practices to protect personal information.
If a breach affects more than 1,000 residents of Arkansas, regulatory reporting to the Attorney General is required and must be completed at the same time as consumer notification or within 45 days of breach determination.
There are specific considerations when determining if a breach is reportable.
Notifications may only be given by specific methods.
Businesses must maintain supporting documents for any breach-of-security incident for five years.
If a vendor is breached, it must report the breach to the data owner immediately. The data owner is responsible for completing the regulatory reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
A legal entity engaged in the business of insurance must provide consumer notification and regulatory reporting to the Insurance Commissioner without unreasonable delay.
Statutes and Laws
Arkansas Code § 4-110-101 Personal Information Protection Act
Arkansas Code § 4-110-104 Protection of Personal Information
Arkansas Code § 4-110-105 Disclosure of Security Breaches