Can you summarize 4 ARCO Chapter 110?
Consumer Protection > Personal Information Protection Act
Short Summary
The Personal Information Protection Act aims to ensure the protection of sensitive personal information about Arkansas residents. The Act requires individuals, businesses, and state agencies that acquire, own, or license personal information about Arkansas citizens to provide reasonable security for the information. It specifically governs the breach of security of computerized data that compromises the security, confidentiality, or integrity of personal information. The Act defines ‘breach of the security of the system’ as the unauthorized acquisition of such data, excluding good faith acquisition by an employee or agent for legitimate purposes. The Act applies to businesses, financial institutions, entities that destroy records, and state agencies.
The Act defines ‘customer’ as an individual who provides personal information in order to purchase or lease a product or obtain a service. ‘Individual’ refers to a natural person, and ‘medical information’ includes individually identifiable information regarding medical history or treatment. ‘Owns or licenses’ includes personal information retained by a business for customer accounts or transactional purposes. ‘Personal information’ includes an individual’s name in combination with certain data elements such as Social Security number, driver’s license number, account number, credit card number, or biometric data. ‘Biometric data’ refers to data generated by automatic measurements of biological characteristics used for authentication purposes.
The Act requires businesses to take reasonable steps to destroy customer records containing personal information that is no longer to be retained. It also mandates the implementation and maintenance of reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure.
In the event of a breach, the Act requires the disclosure of the breach to affected Arkansas residents in a timely manner, and if the breach affects more than 1,000 individuals, it must also be disclosed to the Attorney General. The Act provides various methods of notification and allows for delayed notification in certain circumstances. Compliance with state or federal laws providing greater protection and disclosure requirements is deemed compliance with this Act. Any waiver of a provision of this Act is void and unenforceable. Violations of this Act are punishable by action of the Attorney General.
Whom does it apply to?
The Act applies to businesses, including financial institutions, as well as entities that destroy records and state agencies.
What does it govern?
The Personal Information Protection Act governs the breach of security of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.
What are exemptions?
The provisions of this chapter do not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided by this chapter.
What are the Penalties?
Any violation of this chapter is punishable by action of the Attorney General under the provisions of 4-88-101 et seq.
Jurisdiction
Arkansas