Securing the Personal Data of Citizens within Arkansas

January 25, 2022 | 4 minutes read
Securing the Personal Data of Citizens within Arkansas

Ark. Code §§ 4-110-101 is a data and security breach notification law that passed in the U.S. state of Arkansas in 2016. Ark. Code §§ 4-110-101 establishes the requirements that businesses and organizations within the state of Arkansas must adhere to in the event that said entities experience a data breach or other related security incident that leads to the unauthorized disclosure of personal information. Moreover, Ark. Code §§ 4-110-101 also establishes the penalties that businesses and organizations within Arkansas stand to face should they fail to comply with the various provisions that were set forth in the law.

How is a data breach defined?

Under Ark. Code §§ 4-110-101, a data breach is defined as “unauthorized access or acquisition that compromises security or confidentiality of covered information. This definition excludes information acquired or accessed in good faith by employees or agents.” What’s more, as it concerns the application and scope of the law, “in the state of Arkansas, data breach laws apply to any individual or business that acquires, owns, licenses, or maintains covered information. Non-commercial entities may be subject to different requirements, and some entities may be exempt from some or all of the requirements.” Furthermore, personal information that has been redacted or encrypted is not covered under Ark. Code §§ 4-110-101, unless the encryption key has not been accessed or acquired. To this point, the following categories of personal information are covered under the law:

What are the requirements for businesses and organizations?

Under Ark. Code §§ 4-110-101, businesses and organizations that experience a data breach or related security incident are responsible for providing all affected consumers within the state of Arkansas with written notice. These notices must provide affected citizens with information detailing the categories of personal information that were disclosed as a result of the breach, any measures that the business or organization in question has undergone in order to determine the scope and severity of the breach, as well as any efforts that have been taken to restore the reasonable integrity of the data system under which the breach occurred. Additionally, Arizona consumers must be provided with these notices “in the most expedient time and manner possible and without unreasonable delay.”

Alternatively, businesses and organizations within Arkansas are permitted to provide consumers with substitute notices concerning data breach incidents, under certain circumstances. Such circumstances include instances in which the “cost of providing notice would exceed two hundred fifty thousand dollars ($250,000)”, “the affected class of persons to be notified exceeds five hundred thousand”, or “the person or business does not have sufficient contact information.” Ark. Code §§ 4-110-101 also mandates that businesses and organizations provide electronic mail notices in instances where an individual or business entity has an electronic mail address, notify the statewide media, as well conspicuously post “the notice on the website of the person or business if the person or business maintains a website.”

What are the punishments for violating Ark. Code §§ 4-110-101?

In terms of the enforcement of Ark. Code §§ 4-110-101, the provisions set forth in the law are enforced by the Arkansas Attorney General. Subsequently, individuals, businesses, and organizations that fail to comply with said provisions are subject to both civil and criminal penalties under the law. To illustrate the scope and severity of the punishments that can be imposed as a result of violating Ark. Code §§ 4-110-101, an employee of the Arkansas Department of Human Services or DHS was terminated from her position in 2017 after she reportedly emailed personal information concerning more than 26,000 medical beneficiaries to her personal email address. As a result, the Arkansas DHS pursued criminal charges, and was forced to provide notice to all citizens within the state that were affected as a result of the data breach.

As data breaches and other related security incidents are all but inevitable due to the massive role that digital and electronic communication currently plays in the world today, laws such as Ark. Code §§ 4-110-101 are imperative to protecting the personal information of American citizens. As federal lawmakers continue to mull over the passing of federal comprehensive data protection and personal privacy laws, such as the EU’s General Data Protection Regulation, state laws such as Ark. Code §§ 4-110-101 represent the primary means by which the average American citizen can protect themselves against identity theft and other nefarious activities that can result after a data breach has occurred.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »