|Personal Information Protection Act|
|CITATION||Ark. Code § 4-110-105 et seq.|
|SUMMARY||Encourages those that acquire, own, or license personal information to provide reasonable security for the information. Includes data destruction and security procedure requirements. A person or business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means. A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.|
The law covers ‘Personal Information’ which is defined as an individual’s first name or first initial and his or her last name in combination with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted:
Excludes data that is redacted or secured by other methods rendering data unreadable or unusable from notification obligations.
|INDUSTRY||Applies to any business, however organized, and whether or not organized to operate for a profit, including a financial institution organized, chartered or holding a license or authorization under the laws of Arkansas or any other state or any other country. Applies to any state agency or an entity that destroys records.|
|PENALTIES||The Act only allows civil actions by the State Attorney General under § 4-88-101.|