Arkansas Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Arkansas requires businesses and government agencies to notify residents when a data breach exposes their personal information. The state's Personal Information Protection Act (Ark. Code Ann. 4-110-101 et seq.) sets the rules for who must report, what triggers a notification, and how quickly affected individuals must be told.
The law applies to any person, business, or state agency that acquires, owns, or licenses computerized data containing personal information about Arkansas residents. If a breach occurs and there is a reasonable likelihood of harm, the clock starts ticking.
What the Arkansas Personal Information Protection Act Covers
Arkansas enacted its data breach notification law in 2005 as part of the Personal Information Protection Act (PIPA). The law has been amended several times since then, most significantly through Act 1030 of 2019, which added biometric data to the definition of personal information, introduced the Attorney General notification requirement for larger breaches, and required businesses to retain their written breach determinations for five years.
PIPA serves two main functions. First, it requires any entity handling the personal information of Arkansas residents to implement reasonable security procedures and practices (Ark. Code Ann. 4-110-104). Second, it mandates notification to affected individuals and, in certain cases, the Attorney General when a breach compromises that data.
The breach definition and the notification duty cover computerized data only; a compromise of paper records does not trigger notification. The record-destruction duty in Ark. Code Ann. 4-110-104 is broader and applies to records in any form.
How Arkansas Defines Personal Information
Under Ark. Code Ann. 4-110-103, personal information means an individual's first name (or first initial) and last name combined with one or more of the following data elements, when either the name or the data element is not encrypted or redacted:
- Social Security number
- Driver's license or Arkansas identification card number
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the account
- Medical information, meaning individually identifiable information about a person's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
- Biometric data, meaning data generated by automatic measurements of biological characteristics such as fingerprints, faceprints, retinal or iris scans, hand geometry, voiceprint analysis, DNA, or any other unique biological characteristic used to authenticate an individual's identity
Act 1030 of 2019 added biometric data to this list. The statutory definition is limited to these five data elements; publicly available information lawfully made available from federal, state, or local government records is excluded.
What Triggers a Breach Notification
A "breach of the security of the system" under Arkansas law means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business (Ark. Code Ann. 4-110-103).
Not every security incident triggers notification. The law includes two key carve-outs:
Good-faith exception. If an employee or agent of the business acquires personal information in good faith for legitimate business purposes, and the data is not further used improperly or subject to additional unauthorized disclosure, no notification is required.
Harm threshold. A business is not required to notify affected individuals if, after a reasonable investigation, it determines there is no reasonable likelihood of harm to consumers. This investigation must be documented, and the entity must retain a written record of its determination for five years.
Notification Timeline and Requirements
When to Notify
Arkansas does not set a specific number of days for notification. Instead, the statute requires disclosure "in the most expedient time and manner possible and without unreasonable delay" (Ark. Code Ann. 4-110-105). The timeline accounts for the time needed to determine the scope of the breach and to restore the reasonable integrity of the data system.
Law enforcement may request a delay in notification if immediate disclosure would impede a criminal investigation. The notification must go out as soon as law enforcement determines that disclosure will no longer compromise the investigation.

How to Notify
The statute permits two primary methods of direct notification:
- Written notice sent to the individual's last known mailing address
- Electronic mail notice, provided the notice is consistent with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. 7001 et seq.)
Substitute Notice
When direct notification is not feasible, substitute notice is available if any of the following conditions exist:
- The cost of providing notice would exceed $250,000
- The number of affected individuals exceeds 500,000
- The business does not have sufficient contact information for affected individuals
Substitute notice requires all three of the following steps:
- Email notification to available email addresses
- Conspicuous posting on the business's website
- Notification to statewide media
Attorney General Notification
When a breach affects more than 1,000 Arkansas residents, the business must notify the Arkansas Attorney General. This notification must occur at the same time as individual notifications or within 45 days after the business determines there is a reasonable likelihood of harm to customers, whichever comes first.
The AG may also request a copy of the written determination of the breach and all supporting documentation. If the AG makes this request, the business must provide the materials within 30 days.

Encryption Safe Harbor
Arkansas provides a clear encryption safe harbor. If the personal information involved in the breach was encrypted or redacted at the time of the incident, notification is not required under the statute. This applies regardless of the number of records affected or the type of data involved.
The law does not specify particular encryption standards or algorithms. It does define encryption (Ark. Code Ann. 4-110-103) as an algorithmic process that transforms data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. That definition is the practical test: if the key or decryption process was also compromised in the breach, or the data was taken in decrypted form (for example, exfiltrated from a running system whose storage was protected only by disk encryption), the data no longer meets the definition and the safe harbor should not be relied on.
Reasonable Security Requirements
Beyond breach notification, Ark. Code Ann. 4-110-104 requires all businesses and individuals that acquire, own, or license personal information about Arkansas residents to:
- Implement and maintain reasonable security procedures and practices appropriate to the nature of the information
- Protect personal information from unauthorized access, destruction, use, modification, or disclosure
- Properly destroy records containing personal information that are no longer needed, by shredding, erasing, or otherwise making the data unreadable
The statute does not define what constitutes "reasonable" security measures, leaving this to be evaluated based on the circumstances.
Penalties and Enforcement
Civil Enforcement
Violations of the Personal Information Protection Act are enforceable by the Arkansas Attorney General under the Arkansas Deceptive Trade Practices Act (Ark. Code Ann. 4-88-101 et seq.), as specified in Ark. Code Ann. 4-110-108. Available remedies include:
- Civil penalties of up to $10,000 per violation
- Injunctive relief to stop ongoing violations
- Restitution for consumers who suffered financial harm
- Recovery of attorney's fees and investigation costs
Criminal Penalties
Because PIPA is enforced through the Deceptive Trade Practices Act, a knowing violation can also be prosecuted as a Class A misdemeanor under Ark. Code Ann. 4-88-103. A Class A misdemeanor in Arkansas carries up to one year in jail and a fine of up to $2,500.
Insurance Entities
Businesses engaged in the insurance industry face additional consequences. Violations may result in penalties of up to $5,000 per violation or suspension or revocation of the entity's insurance license.
No Explicit Private Right of Action
The statute does not create an explicit private right of action for individuals affected by a data breach. Consumers cannot sue businesses directly under PIPA for failing to notify them. However, affected individuals may have claims under other legal theories, such as negligence, if they can demonstrate actual harm from the breach.
Recent AG Enforcement Actions
The Arkansas Attorney General's office has become increasingly active in data breach enforcement in recent years.
In 2024, Attorney General Tim Griffin launched an investigation into Change Healthcare (a unit of UnitedHealth Group) after a massive cyberattack compromised medical and personal information. The AG specifically cited the Personal Information Protection Act and the Deceptive Trade Practices Act in the investigation, noting that Change Healthcare had failed to provide timely individual notice to affected consumers.
Arkansas also participated in a multistate settlement with Marriott International in October 2024 over data breaches affecting millions of guests. Arkansas received $804,965 as part of that settlement.
Interaction with Federal Laws
Arkansas's breach notification law (Ark. Code Ann. 4-110-106) exempts entities already regulated by a state or federal law that provides greater protection for personal information and at least as thorough disclosure requirements; compliance with that other law is deemed compliance with PIPA. In practice this covers:
- HIPAA-covered entities that comply with the Health Insurance Portability and Accountability Act's breach notification requirements are generally considered in compliance with Arkansas law, provided federal protections are equal to or greater than state requirements.
- Financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA) may satisfy their obligations under federal law, though they should confirm compliance with any additional state-specific requirements.
- Entities with their own notification procedures that maintain an information security policy consistent with the statute's timing requirements are deemed in compliance if they notify affected persons according to their internal policies.
How Arkansas Compares to Neighboring States
Arkansas's "most expedient time" standard contrasts with states that set firm deadlines; Tennessee, for example, requires notice no later than 45 days after discovery of the breach. Mississippi uses a similar "without unreasonable delay" standard. Missouri, like Arkansas, requires notice to its Attorney General when more than 1,000 residents are affected. All three neighboring states differ from Arkansas in how they define personal information.
Arkansas's inclusion of biometric data, medical information, and health insurance identifiers puts it among the more comprehensive state definitions, though it still falls short of states like Illinois, which has a standalone biometric privacy law (BIPA) with a private right of action.
For a broader overview of how Arkansas protects consumer data, see the parent guide on Arkansas Data Privacy Laws.
This article provides general legal information about Arkansas data breach notification requirements under the Personal Information Protection Act. It is not legal advice. If your business has experienced a data breach or you believe your personal information has been compromised, consult an attorney for advice specific to your situation.
Frequently Asked Questions
How quickly does an Arkansas business have to report a data breach?
Arkansas does not set a specific number of days. The law requires notification in the most expedient time and manner possible and without unreasonable delay (Ark. Code Ann. 4-110-105). The timeline allows for time to investigate the breach scope and restore system integrity.
Does Arkansas require notification to the Attorney General?
Yes, when a breach affects more than 1,000 Arkansas residents. The notification must go to the AG at the same time individual notices are sent, or within 45 days of determining a reasonable likelihood of harm, whichever comes first.
Is notification required if the breached data was encrypted?
No. Arkansas provides an encryption safe harbor. If the personal information was encrypted or redacted at the time of the breach, notification is not required, provided the encryption key was not also compromised.
Can individuals sue a business for a data breach under Arkansas law?
The Personal Information Protection Act does not create an explicit private right of action. Individuals cannot sue directly under this statute. However, affected persons may pursue claims under other legal theories such as negligence if they can demonstrate actual harm.
What qualifies as personal information under Arkansas breach notification law?
Personal information includes a person's name combined with their Social Security number, driver's license or Arkansas identification card number, financial account or card number with any required access code, medical information, or biometric data (added by Act 1030 of 2019), where either the name or the data element is unencrypted and unredacted.
Sources and References
- Ark. Code Ann. 4-110-101 et seq. (Personal Information Protection Act), Arkansas Legislature (arkleg.state.ar.us)
- Act 1030 of 2019 (HB1943), Personal Information Definition Expansion, Arkansas Legislature (arkleg.state.ar.us)
- Arkansas Attorney General, Data Breach Reporting (arkansasag.gov)
- Arkansas Attorney General, Investigation of Change Healthcare Cyberattack (arkansasag.gov)
- Arkansas Attorney General, Settlement with Marriott International for Data Breach (arkansasag.gov)