Skip to main content


Click here to review text of state statute (see Ark. Code Title 4, Subtitle 7, Chapter 110, §§101 et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of Arkansas residents.

Definition includes medical information and biometric data.

Important definitions:

“Security Breach” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.

“Medical Information” means any individually identifiable information regarding medical history or medical treatment or diagnosis by a health care professional.

“Biometric Data” means data generated by automatic measurements of an individual’s biological characteristics.

Covered Entities* / Third Party Recipients

Subject to statute:

Any person or business that acquires, owns, or licenses computerized data that includes personal information about Arkansas residents.

Third party recipients:

Person or business maintaining (but not owning) computerized data that includes personal information must notify owner or licensee of data of any security breach immediately following discovery of security breach.

Notice Procedures & Timing / Other Obligations

Written or electronic notice must be provided to victims of a security breach within the most expedient time and manner possible and without unreasonable delay, unless a law enforcement agency determines that such notification will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).

  • Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
  • Notice not required if the covered entity determines that there is no reasonable likelihood of harm to consumers.

Other obligations:

Data destruction or encryption mandatory when records with personal information are to be discarded.

Covered entities must implement and maintain reasonable security procedures and practices to protect personal information.

A person or business shall retain a copy of the written determination of a breach and supporting documentation for five (5) years from the date of determination.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.

Other exemptions:

Exemption for good faith acquisition by an employee or agent of a covered entity for a legitimate purpose so long as personal information not otherwise used or subject to further unauthorized disclosure.

Entities regulated by any state or federal law that provides greater protection to personal information and similar disclosure requirements are exempt.

A covered entity that maintains and complies with its own notification procedures as part of an information security policy that are consistent with the timing requirements of the Arkansas statute is deemed in compliance.

Notification to Regulator / Waiver

If the breach affects the personal information of more than 1,000 individuals, the person or business then the person or business is required to make a disclosure to the Attorney General within 45 days after the person or business determines that there is a reasonable likelihood of harm.

A determination of no likelihood of harm:

Does not require notification to attorney general.

waiver of the statute is void and unenforceable.


Violations are punishable under the provisions of the state deceptive trade practices laws (Ark. Code 4-88-101 et seq.).

Private Cause of Action / Enforcement

Private Cause of Action: No.

Enforcement by attorney general only.


Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive.  Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.

Click here to review text of state statute (see Ark. Code Title 4, Subtitle 7, Chapter 110, §§101 et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Subscribe To Viewpoints