New Reporting Requirements Under Arkansas’ Data Breach Law

by Michelle Anderson on May 22, 2019

Arkansas has updated its breach notification law to expand the definition of “personal information” and to require notifying the Arkansas Attorney General when a breach involves more than 1,000 individuals’ personal information. On April 15, 2019, Governor Asa Hutchinson signed HB 1943, and the amendments go into effect on July 23, 2019.

Personal Information

The amendments add “biometric data” to the statute’s definition of “personal information.” Biometric data includes fingerprints, faceprint, a retinal or iris scan, hand geometry, voiceprint analysis, DNA, or any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or account.

Reporting Requirements

If a breach affects 1,000 or more individuals and the data owner is required to report the breach to individuals under the breach notification law, then the data owner must disclose the security breach to the Arkansas Attorney General at the later of (i) the same time the security breach is disclosed to affected individuals or (ii) within 45 days after the person or business determines that there is a reasonable likelihood of harm to customers.

Security Breach Record Retention Requirements

In addition, the person or business that suffers a security breach must retain a copy of the written determination of the breach, as well as any supporting documentation, for five years from the date of determination of the breach. If the Attorney General submits a written request for the written determination of the breach, the person or business must send a copy of the determination and supporting documentation to the Attorney General no later than 30 days after the receipt of the request. Importantly, the determination and documentation are to remain confidential and are not subject to public disclosure laws.