Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- up to $10,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Other penalties include liability for any monetary judgments, and right of action by the customers to recover actual damages, or suspension of authorization to do business in Arkansas.
  • A person or business that acquires, owns, or licenses personal information about an Arkansas resident must implement and maintain reasonable security procedures and practices to protect personal information.
  • If a breach affects more than 1,000 residents of Arkansas, regulatory reporting to the Attorney General is required and must be completed at the same time as consumer notification or within 45 days of breach determination.
  • There are specific considerations when determining if a breach is reportable.
  • Notifications may only be given by specific methods.
  • Businesses must maintain supporting documents for any breach of security incidents for five years.
  • If a vendor is breached, they must report it to the data owner immediately. The data owner will be responsible to complete the regulatory reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
  • A legal entity engaged in the business of insurance must provide consumer notification and regulatory reporting to the Insurance Commissioner without unreasonable delay.
Statutes and Laws
    • Arkansas Code § 4-110-101 Personal Information Protection Act
    • Arkansas Code § 4-110-104 Protection of Personal Information
    • Arkansas Code § 4-110-105 Disclosure of Security Breaches
    • Arkansas Code § 4-110-108 Penalties
    • Arkansas Code § 4-88-105 Consumer Protection Division
    • Arkansas Code § 23-61-113 Insurance; Disclosure of Nonpublic Personal Information
BAck to map