Securing the Personal Data of Citizens within Arkansas
Ark. Code §§ 4-110-101 is a data and security breach notification law that passed in the U.S. state of Arkansas in 2016. Ark. Code §§ 4-110-101 establishes the requirements that businesses and organizations within the state of Arkansas must adhere to in the event that said entities experience a data breach or other related security incident that leads to the unauthorized disclosure of personal information. Moreover, Ark. Code §§ 4-110-101 also establishes the penalties that businesses and organizations within Arkansas stand to face should they fail to comply with the various provisions that were set forth in the law.
How is a data breach defined?
Under Ark. Code §§ 4-110-101, a data breach is defined as “unauthorized access or acquisition that compromises security or confidentiality of covered information. This definition excludes information acquired or accessed in good faith by employees or agents.” What’s more, as it concerns the application and scope of the law, “in the state of Arkansas, data breach laws apply to any individual or business that acquires, owns, licenses, or maintains covered information. Non-commercial entities may be subject to different requirements, and some entities may be exempt from some or all of the requirements.” Furthermore, personal information that has been redacted or encrypted is not covered under Ark. Code §§ 4-110-101, unless the encryption key has not been accessed or acquired. To this point, the following categories of personal information are covered under the law:
- First and last names.
- Social security numbers.
- Driver’s license or state identification card numbers.
- Financial account numbers.
- Credit or debit card numbers, as well as any security or access code numbers that are needed to use said cards.
- Medical or healthcare information.
What are the requirements for businesses and organizations?
Under Ark. Code §§ 4-110-101, businesses and organizations that experience a data breach or related security incident are responsible for providing all affected consumers within the state of Arkansas with written notice. These notices must provide affected citizens with information detailing the categories of personal information that were disclosed as a result of the breach, any measures that the business or organization in question has undertaken in order to determine the scope and severity of the breach, as well as any efforts that have been taken to restore the reasonable integrity of the data system under which the breach occurred. Additionally, Arkansas consumers must be provided with these notices “in the most expedient time and manner possible and without unreasonable delay.”
Alternatively, businesses and organizations within Arkansas are permitted to provide consumers with substitute notices concerning data breach incidents, under certain circumstances. Such circumstances include instances in which the “cost of providing notice would exceed two hundred fifty thousand dollars ($250,000)”, “the affected class of persons to be notified exceeds five hundred thousand”, or “the person or business does not have sufficient contact information.” Ark. Code §§ 4-110-101 also mandates that businesses and organizations provide electronic mail notices in instances where an individual or business entity has an electronic mail address, notify the statewide media, as well as conspicuously post “the notice on the website of the person or business if the person or business maintains a website.”
What are the punishments for violating Ark. Code §§ 4-110-101?
In terms of the enforcement of Ark. Code §§ 4-110-101, the provisions set forth in the law are enforced by the Arkansas Attorney General. Subsequently, individuals, businesses, and organizations that fail to comply with said provisions are subject to both civil and criminal penalties under the law. To illustrate the scope and severity of the punishments that can be imposed as a result of violating Ark. Code §§ 4-110-101, an employee of the Arkansas Department of Human Services (DHS) was terminated from her position in 2017 after she reportedly emailed personal information concerning more than 26,000 medical beneficiaries to her personal email address. As a result, the Arkansas DHS pursued criminal charges and was forced to provide notice to all citizens within the state that were affected as a result of the data breach.
As data breaches and other related security incidents are all but inevitable due to the massive role that digital and electronic communication plays in the world today, laws such as Ark. Code §§ 4-110-101 are imperative to protecting the personal information of American citizens. As federal lawmakers continue to mull over the passing of federal comprehensive data protection and personal privacy laws comparable to the EU’s General Data Protection Regulation, state laws such as Ark. Code §§ 4-110-101 represent the primary means by which the average American citizen can protect themselves against identity theft and other nefarious activities that can result after a data breach has occurred.