Arkansas Code Annotated § 4-110-101 et seq
Enacted: 3.31.2005
Type of Data Covered: Computerized or electronic data that is unencrypted. See §4-110-103.
​
Is Breach Defined?
Yes! §4-110-103(1)(a)-(b) states that a breach is unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business and does not include good faith acquisition by an employee or agent of the person/business for legitimate purposes as long as the data is not subject to further disclosure.
​
​
When is notice required?
​
Notice is required after the breach is discovered, the scope has been determined, and the integrity of the system has been restored. See §4-110-105(a)(1). The "most expedient time and manner possible and without unreasonable delay" language is used in Arkansas, much like it is in Arizona and others. See §4-110-105(a)(2). We also find another delay exemption for pending law enforcement investigations. See §4-110-105(c). Written notice, electronic mail notice, and substitute notice may all be used depending on circumstances. See §4-110-105(e). Arkansas also allows persons and business to institute their own notification systems as long as they comply with the standards in the statute. See §4-110-105(f).
​
What are the penalties for non-compliance?
​
§4-110-108 says "Any violation of this chapter is punishable by action of the Attorney General under the provisions of §4-88-101," which is the chapter on Deceptive Trade Practices in Arkansas Business & Commercial Law. The Attorney General may bring claims and penalties are not to exceed $10,000 per violation under §4-88-113(a)(3). There is a limited private right of action found in §4-88-113(f), but showing actual financial loss may be difficult.