Mandated Timeframe for Breach Reporting and/or Consumer Notification
Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach and notification laws up to $10,000
Third Party Management
None to minimal
Other penalties include liability for any monetary judgements, and right of action by the customers to recover actual damages, suspension of authorization to do business in Arkansas.
There are specific considerations when determining if a breach is reportable.
Notifications may only be given by specific methods.
A person or business that acquires, owns, or licenses personal information about an Arkansas resident must implement and maintain reasonable security procedures and practices to protect the personal information.
A legal entity engaged in the business of insurance must provide notification of a data breach to the Insurance Commissioner in the most expedient time and manner possible and without unreasonable delay.
If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification, but the vendor is still required to cooperate.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
Arkansas Code § 4-110-101 Personal Information Protection Act
Arkansas Code § 4-110-104 Protection of personal information
Arkansas Code § 4-110-105 Disclosure of security breaches
Arkansas Code § 4-110-108 Penalties
Arkansas Code § 23-61-113 Disclosure of nonpublic personal information