Arkansas Code Annotated § 4-110-101 et seq.
Type of Data Covered: Computerized or electronic data that is unencrypted. See §4-110-103.
Is Breach Defined?
Yes! §4-110-103(1)(a)-(b) states that a breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business. It does not include good-faith acquisition by an employee or agent of the person or business for legitimate purposes, as long as the data is not subject to further disclosure.
When is notice required?
Notice is required after the breach is discovered, the scope has been determined, and the integrity of the system has been restored. See §4-110-105(a)(1). The "most expedient time and manner possible and without unreasonable delay" language is used in Arkansas, much like it is in Arizona and others. See §4-110-105(a)(2). We also find another delay exemption for pending law enforcement investigations. See §4-110-105(c). Written notice, electronic mail notice, and substitute notice may all be used depending on circumstances. See §4-110-105(e). Arkansas also allows persons and businesses to institute their own notification systems as long as they comply with the standards in the statute. See §4-110-105(f).
What are the penalties for non-compliance?
§4-110-108 says "Any violation of this chapter is punishable by action of the Attorney General under the provisions of §4-88-101," which is the chapter on Deceptive Trade Practices in Arkansas Business & Commercial Law. The Attorney General may bring claims, and penalties are not to exceed $10,000 per violation under §4-88-113(a)(3). There is a limited private right of action found in §4-88-113(f), but showing actual financial loss may be difficult.