Can I use third-party cloud storage services that collect personal information in Arkansas? What are the requirements?
Based on the documents provided, there are no specific regulations in Arkansas that prohibit the use of third-party cloud storage services that collect personal information. However, businesses that acquire, own, or license personal information about an Arkansas resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure [1.1].
If a third-party EVV system is procured and chosen by a provider or Managed Care Organization (MCO) or self-directed services vendor, it must be certified by the DHS EVV Vendor as meeting certain requirements, including having technical capabilities to receive and transmit all EVV data in a way that is compatible with the DHS EVV system and timely collecting and submitting to the DHS EVV Vendor all data required for EVV verification of a claim, including personal information [3.1].
If a licensee or business discloses any nonpublic personal financial information about a consumer to a nonaffiliated third party, it must provide the consumer with an initial notice, an opt-out notice, and a reasonable opportunity to opt out of the disclosure. The disclosure may occur only if the consumer does not opt out [4.2].
Regarding HIPAA Privacy Requirements in the Use of Email and Facsimile Services, all email messages containing Protected Health Information (PHI) and sent by DHS staff to destinations within the state’s email system must be sent using the encrypted WebAccess email interface. Sending of email messages containing PHI to destinations outside the state’s email system is not secure and is prohibited. Faxes containing PHI must utilize a cover sheet with the word CONFIDENTIAL appearing in bold letters near the top of the form and include a statement regarding prohibition of disclosure of identifying PHI [5.1].
If a third-party cloud storage service is used to store personal information, the business must ensure that reasonable security procedures and practices are implemented and maintained to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Additionally, if the personal information is PHI, it must be transmitted and maintained in a secure manner, such as through encrypted email or fax with appropriate safeguards.
Furthermore, if the personal information is disposed of, the operator must destroy the personal information [2.1]. The leased self-service storage space cannot be used for residential purposes [2.2]. If there is a breach of the security of the system, the person or business that acquires, owns, or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person [1.2].
Therefore, to use third-party cloud storage services that collect personal information in Arkansas, businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Additionally, if the personal information is PHI, it must be transmitted and maintained in a secure manner, such as through encrypted email or fax with appropriate safeguards. If the personal information is disposed of, the operator must destroy the personal information. If there is a breach of the security of the system, the person or business that acquires, owns, or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Source(s):
- [1.1] Protection of personal information.
- [2.1] Disposal of personal information — Definition.
- [3.1] Third Party EVV System Requirements
- [4.2] Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties
- [5.1] HIPAA Privacy Requirements in the Use of Email and Facsimile Services
- [2.2] Use for residential purposes.
- [1.2] Disclosure of security breaches.
Jurisdiction
Arkansas