top of page

Arkansas Code Annotated § 4-110-101 et seq

Enacted:  3.31.2005

Type of Data Covered: Computerized or electronic data that is unencrypted. See §4-110-103. 

​

Is Breach Defined?

Yes! §4-110-103(1)(a)-(b) states that a breach is unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business and does not include good faith acquisition by an employee or agent of the person/business for legitimate purposes as long as the data is not subject to further disclosure. 

​

​

When is notice required?

​

Notice is required after the breach is discovered, the scope has been determined, and the integrity of the system has been restored. See §4-110-105(a)(1). The "most expedient time and manner possible and without unreasonable delay" language is used in Arkansas, much like it is in Arizona and others. See §4-110-105(a)(2). We also find another delay exemption for pending law enforcement investigations. See §4-110-105(c). Written notice, electronic mail notice, and substitute notice may all be used depending on circumstances. See §4-110-105(e). Arkansas also allows persons and business to institute their own notification systems as long as they comply with the standards in the statute. See §4-110-105(f).

​

What are the penalties for non-compliance?

​

§4-110-108 says "Any violation of this chapter is punishable by action of the Attorney General under the provisions of §4-88-101," which is the chapter on Deceptive Trade Practices in Arkansas Business & Commercial Law. The Attorney General may bring claims and penalties are not to exceed $10,000 per violation under §4-88-113(a)(3). There is a limited private right of action found in §4-88-113(f), but showing actual financial loss may be difficult.

bottom of page