Legislative Alert: Arkansas Amends Personal Information Protection Act
On April 15, 2019, Arkansas Governor Asa Hutchinson signed House Bill 1943 into law (now referred to as Act 1030), amending the Personal Information Protection Act, Arkansas Code § 4-110-101 et seq.
Act 1030 expands the definition of “personal information” as used in the Personal Information Protection Act and also introduces key new requirements that relate to data breach notification. Entities subject to the Arkansas statute should be aware of the following:
Biometric Data as Personal Information: In enacting Act 1030, Arkansas joins an increasing number of states that define “personal information” to include biometric data. Act 1030, amending Arkansas Code § 4-110-103(7), defines “biometric data” as “data generated by automatic measurements of an individual’s biological characteristics.” This includes, without limitation, the following types of data:
- A retinal or iris scan;
- Hand geometry;
- Voiceprint analysis;
- DNA; or
- Any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or account.
Attorney General Notification: In its current form, the Personal Information Protection Act does not require disclosure of a breach to the Arkansas Attorney General. Act 1030 amends Arkansas Code § 4-110-105(b) and mandates that if a security breach affects more than 1,000 individuals, the entity required to disclose the breach must also disclose it to the Attorney General. The disclosure to the Attorney General must be made at the same time that the security breach is disclosed to an affected individual or within 45 days after the entity determines that there is a reasonable likelihood of harm to customers, whichever occurs first.
Written Determination of Breach: Act 1030 requires an entity that has experienced a breach to retain a copy of the written determination thereof and supporting documentation for five years from the date of determination of the breach. Act 1030 enables the Arkansas Attorney General to submit a request for the written determination and, upon such request, requires an entity to provide a copy with supporting documentation within 30 days. The determination and documentation retained are confidential.
Act 1030 is expected to take effect on July 24, 2019.
Businesses and organizations inside and outside Arkansas should routinely review their policies and procedures for compliance with revised statutory frameworks. Lewis Brisbois can help develop incident response plans fitted to your organization’s needs to ensure your business is prepared to respond quickly and effectively to a data breach, privacy violation, or other cyber incident.
Certain industries separately require that breaches be reported to respective regulators, such as the Arkansas Securities Commissioner and the Arkansas Insurance Commissioner.