Arkansas’s New Breach Reporting Requirements Go Into Effect This Month

Written by: Anthony E. Stewart, Esq.

Earlier this year, Arkansas Governor Asa Hutchinson signed HB 1943, which amends the Personal Information Protection Act.  It goes into effect on July 23, 2019.  The new law expands the definition of ‘personal information,’ imposes additional reporting obligations, and enacts specific retention requirements.  It continues to apply to any business that acquires, owns, or licenses the personal information of an Arkansas resident.

Personal Information

Arkansas will be expanding the types of data considered ‘personal information’ and thus subject to the Personal Information Protection Act.  Currently, the Act covers unencrypted and unredacted data that contains an individual’s name in combination with one or more of the following data elements: (1) social security number; (2) driver’s license or identification card number; (3) financial account information; or (4) medical information.

In three weeks, the Act will also cover records that contain an individual’s first name or first initial and his or her last name in combination with biometric data that is not encrypted.  The Act will define ‘biometric data’ as data generated by automatic measures of an individual’s biological characteristics.  These characteristics include, but are not limited to, (1) fingerprints; (2) faceprint; (3) retina or iris scan; (4) hand geometry; (5) voiceprint analysis; (6) DNA; or (7) any other unique biological characteristics if the characteristics are used to uniquely authenticate an individual’s identity when he or she accesses a system or account.

Reporting Obligations

Like a growing number of other states, Arkansas will now require businesses, in certain situations, to notify the state Attorney General of a security breach.  If a reportable security breach affects the personal information of more than 1,000 individuals, the business must disclose the security breach to the Attorney General within 45 days after it has determined that there is a reasonable likelihood of harm to customers.  If a business provides consumer notification before this 45-day deadline, it must disclose the security breach to the Attorney General contemporaneously with its notification to consumers.  It is important to note that this reporting obligation is triggered when 1,000 individuals – not 1,000 Arkansas residents – are affected.

Retention Requirements

Lastly, a business will now be required to document its findings in writing when it determines that a security breach has occurred.  The written determination, as well as any supporting documentation, must be retained for five years from the date of determination of the breach.  At any time during this retention period, the Attorney General may require the business to produce a copy of this information.  If so requested, the business has 30 days to send a copy of the written determination of the breach and supporting documentation to the Attorney General.  Importantly, any determination and supporting documentation will be considered confidential and will not be subject to public disclosure laws.