Arkansas passed a bill amending security breach disclosure requirements. Under the bill, a person or business that owns or licenses (“owner or licensee”) personal information about Arkansas residents must notify the attorney general in the event a security breach affects more than 1,000 Arkansas residents. The attorney general must be notified at the same time the security breach disclosure is provided to the affected Arkansas residents or within 45 days after the person or business determines that there is a reasonable likelihood of harm to Arkansas residents, whichever occurs first. The bill also requires an owner or licensee to retain a copy of the written determination of a security breach, along with supporting documentation, for 5 years. In addition, the bill amends the definition of “personal information” to include “biometric data” (e.g., fingerprints, faceprint, retinal or iris scan, DNA, etc…). The bill becomes effective July 1, 2019.
See Arkansas State Legislature website for the full text of the Statutes:
http://www.arkleg.state.ar.us/assembly/2019/2019R/Bills/HB1943.pdf
