If a breach affects more than 1,000 residents of Arkansas, regulatory reporting to the Attorney General is required and must be completed at the same time as consumer notification or within 45 days of breach determination. There are specific considerations when determining if a breach is reportable. Notifications may only be given by specific methods. Organizations must maintain supporting documents for any breach of security incidents for five years.

If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Organizations may be fined or penalized for Vendor violations. Penalties may include liability for any monetary judgments, and right of action by the customers to recover actual damages or suspension of authorization to do business in Arkansas. Violations are punishable by the action of the Attorney General for Deceptive Trade Practices.

A legal entity engaged in the business of insurance must provide consumer notification and regulatory reporting to the Insurance Commissioner without unreasonable delay.

A person or organization that acquires, owns, or licenses personal information about an Arkansas resident must implement and maintain reasonable security procedures and practices to protect personal information.

Vendors that experience a breach must notify the Organization within 10 days of determining a breach occurred. Vendors must cooperate with Organizations and provide all necessary information about a breach incident. Vendors who fail to inform an Organization of a breach will face fines and penalties. Vendors may contract with Organizations to handle any required consumer notifications and/or regulatory reporting following a breach of security, however, Organizations are ultimately responsible to ensure consumer notification and/or regulatory reporting is complete when necessary.