Arkansas Personal Information

Protection Act

Arkansas House Bill 1943 (HB 1943), passed in the spring of 2019, became effective in August of 2019. This legislation revises and amends the Arkansas Personal Information Protection Act. Under the revised Arkansas Personal Information Protection Act, the definition of “personal information” has been expanded; as have data breach notification requirements.

What Was Included in the Arkansas Personal Information Protection Act Before it Was Amended?

The Arkansas Personal Information Protection Act requires persons and businesses to take reasonable steps to destroy or arrange for the destruction of customer records within their (the persons or businesses’) custody or control. Persons and businesses must destroy customer records if those records contain personal information that the person or business is to no longer retain.

The Arkansas Personal Information Protection Act also requires that a person or business that acquires, owns, or licenses personal information about an Arkansas resident:

• Implement and maintain reasonable security procedures and practices, that are
• Appropriate to the nature of the information, to protect 
• Personal information,
• From unauthorized access, destruction, use, modification, or disclosure.

With respect to breach notification, the Arkansas Personal Information Protection Act requires that any person or business that acquires, owns, or licenses computerized data that includes personal information, must disclose certain breaches of the security of the system. Breaches of the security system must be disclosed to any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

In addition, persons or businesses maintaining computerized data containing personal information that the person or business does not own, must notify the owner or licensee of the information of a breach, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. 

Amended Arkansas Personal Information Protection Act Data Security Requirements

Before the amendments to the Arkansas Personal Information Protection Act, personal information was defined as:

• An individual’s first name or first initial and his or her last name in combination with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted:
  • Social Security number;
  • Driver’s license number or Arkansas identification;
  • Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and
  • Medical information.

The Arkansas Personal Information Protection Act has been amended by adding biometric data to the definition of personal information.

Under the amended Arkansas Personal Information Protection Act, biometric data is defined as data generated by automatic measurements of an individual’s biological characteristics, including (but not limited to):

• Fingerprints;
• Faceprint;
• A retinal or iris scan;
• Hand geometry;
• Voiceprint analysis;
• DNA; or
• Any other unique biological characteristics of an individual if the characteristics are used by an owner or licensee (someone who has a license) of personal information to uniquely authenticate the individual’s identity when the individual accesses a system or account.

Amended Arkansas Personal Information Protection Act Breach Notification Requirements

The amended Arkansas Personal Information Protection Act adds a breach notification requirement to those listed above.

The new requirement is as follows:

• If a breach of the security of a system affects the personal information of more than 1,000 individuals, the person or business required to make a disclosure of the breach must also:
  • At the same time, or within 45 days after the person or business determines that there has been a reasonable likelihood of harm to customers, whichever occurs first, disclose the security breach to the Arkansas Attorney General.

The amended Arkansas Personal Information Protection Act does not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information, and at least as thorough disclosure requirements for breaches of the security of personal information, than that provided by the Arkansas Personal Information Protection Act. Arkansas law deems compliance with the state or federal law, to be compliance with the amended Arkansas Personal Information Protection Act.