Surprising some with its quick journey from filing to enrollment then approval by the governor – less than 30 days – a new State Insurance Department General Omnibus Bill goes into effect in Arkansas on August 1, 2017.

Among its many provisions, Senate Bill 247 (now Act 283) added a requirement to notify the insurance commissioner if notification was required under the state’s general breach notification statute § 4-110-105, (Disclosure of security breaches).

Amending Arkansas Code § 23-61-113, Act 283 specifies a regulated entity’s notification obligations to be:

  • Providing notification of a data breach to the commissioner in the same time and manner as required under § 4-110-105; and
  • Complying with all requirements for disclosure and notification of a data breach as required under § 4-110-105.

This new notification obligation applies to entities described as:

All licensed insurers, health maintenance organizations, or other insuring health entities regulated by the commissioner, producers, and other persons licensed or required to be licensed, authorized or required to be authorized, or registered or required to be registered by the commissioner.

Regulated entities also include:

Legal entities engaged in the business of insurance, including without limitation an individual, corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, agent, broker, and adjuster.


Arkansas Senate Bill 247, Act 283

Click here to review the full text of this law.

Looking for additional reading? It is interesting to note that this act has not been largely covered by news outlets or in the usual privacy industry and legal resources.

What the new breach notification requirement in Arkansas means for privacy and security teams

If notification to Arkansas residents is required by the Arkansas general breach notification statute, a regulated entity (insurer, et al.) is required to notify the insurance commissioner in the same time and manner. This creates an additional layer of complexity when assessing an incident and determining notification obligations within Arkansas.

If you’re a RADAR customer, the RADAR regulatory team continuously tracks changes in data breach notification laws for you and ensures that any regulatory changes in data breach notification regulations are applied in RADAR prior to enforcement. Summaries of all data breach notification statutes, including Arkansas Act 283, are available for reference within the RADAR Law Overviews.

Related reading: