Arkansas Data Breach Notification Package

(Prepared in conformity with the Arkansas Personal Information Protection Act (“PIPA”), Ark. Code Ann. § 4-110-101 et seq.)

[// GUIDANCE: This template provides BOTH (A) the Attorney General notice and (B) the consumer notice required under Arkansas law. Delete inapplicable language and complete all bracketed placeholders before issuance. Ensure that any law-enforcement hold has been lifted prior to sending notices. Retain copies of all final notices for a minimum of five (5) years for regulatory audit purposes.]

TABLE OF CONTENTS

1. Part A – Attorney General Notification Letter
2. Part B – Consumer Notification Letter
3. Appendix A – Key Definitions & Statutory References (for internal use)

PART A – ARKANSAS ATTORNEY GENERAL NOTIFICATION LETTER

[LETTERHEAD OF DATA HOLDER]
[Street Address] • [City, State ZIP] • [Telephone] • [Email]

[Date]

Via Certified Mail and E-Mail
The Honorable [Name]
Office of the Arkansas Attorney General
Attn: Consumer Protection Division
323 Center Street, Suite 200
Little Rock, Arkansas 72201

Re: Data Security Incident Notice – Ark. Code Ann. § 4-110-105

Dear Attorney General [Name]:

1. Background of Incident
   On [Discovery Date], [Company Name] (“Company”) identified unauthorized access to its [system/network/physical files]. A forensic investigation conducted by [Forensic Firm] determined that from approximately [Breach Start Date] to [Breach End Date] an unknown actor accessed and exfiltrated certain files containing personal information (“PI”) pertaining to Arkansas residents.

2. Number of Impacted Arkansas Residents
   The investigation confirms that PI relating to approximately [###] Arkansas residents was, or is reasonably believed to have been, acquired without authorization.

3. Categories of Personal Information Involved
   The affected data elements include one or more of the following:
   • [Social Security number]
   • [Driver’s license / State identification number]
   • [Financial account number / credit or debit card number in combination with required access code]
   • [Medical information / health insurance policy number]
   • [Biometric data]
   (collectively, “Impacted Data”).

4. Timing & Method of Consumer Notice
   Consistent with Ark. Code Ann. § 4-110-105(b)–(c), written notice to affected Arkansas residents will be distributed on or before [Date – must be no later than the same day this letter is transmitted], via first-class U.S. mail. Substitute notice under § 4-110-105(e) is not anticipated. A sample consumer notice is enclosed as Exhibit 1.

5. Consumer Reporting Agency Notice
   Because the incident involves more than 1,000 individuals nationwide, Company is contemporaneously providing notice to the nationwide consumer reporting agencies pursuant to § 4-110-105(f).

6. Remediation & Security Enhancements
   • Immediately isolated impacted servers and instituted a mandatory password reset.
   • Implemented multi-factor authentication enterprise-wide.
   • Engaged [Credit-Monitoring Vendor] to provide [12/24] months of complimentary identity theft protection to affected individuals.
   • Conducting employee re-training on data-security best practices.

7. Point of Contact
   Please direct any questions to:
   [Name, Title]
   [Toll-Free Number] • [Dedicated Breach Email]

Company appreciates the Attorney General’s attention to this matter and remains available to provide additional information as requested.

Respectfully submitted,

[AUTHORIZED SIGNATORY]
[Name]
[Title]
[Company Name]

Enclosures: Exhibit 1 – Form Consumer Notice

PART B – CONSUMER NOTIFICATION LETTER

[LETTERHEAD OF DATA HOLDER]
[Street Address] • [City, State ZIP] • [Toll-Free Number] • [Dedicated Breach Email]

[Date]

[Recipient Name]
[Street Address]
[City, State ZIP]

Notice of Data Security Incident

Dear [Recipient Name]:

1. What Happened
   On [Discovery Date], we learned that an unauthorized party gained access to certain Company systems between [Breach Start Date] and [Breach End Date]. Upon discovery, we secured the environment and began a thorough investigation with leading cybersecurity professionals.

2. What Information Was Involved
   The investigation determined that the following personal information relating to you may have been involved: [specific data elements]. At present, we have no evidence of fraud or identity theft arising from this incident.

3. What We Are Doing
   • Reporting. We notified the Arkansas Attorney General and the nationwide consumer reporting agencies as required by law.
   • Protection Services. We have arranged [12/24] months of complimentary credit monitoring and identity-theft protection services through [Vendor Name]. Your unique enrollment code and instructions appear below.
   • Security Enhancements. Steps have been taken to strengthen system security, including [describe].

4. What You Can Do
   We encourage you to:
   a. Enroll in the complimentary protection services by [Enrollment Deadline].
   b. Review the enclosed “Information about Identity Theft Protection” for guidance on obtaining free credit reports, placing fraud alerts, and instituting a security freeze under Ark. Code Ann. § 4-110-105(d).
   c. Remain vigilant by reviewing account statements and credit reports for unauthorized activity.

5. Enrollment Instructions
   • Visit: [URL]
   • Enter your enrollment code: [CODE]
   • Deadline: [Date]

6. For More Information
   If you have questions, please call our dedicated, toll-free hotline at [Number] between [Hours & Time-Zone], Monday through Friday, excluding holidays, or email us at [Email].

We regret any inconvenience or concern this incident may cause and remain committed to safeguarding your personal information.

Sincerely,

[AUTHORIZED SIGNATORY]
[Name]
[Title]
[Company Name]

Enclosures: “Information about Identity Theft Protection”

APPENDIX A – KEY DEFINITIONS & STATUTORY REFERENCES

[// GUIDANCE: For internal drafting reference only; remove before issuing final letters.]

• “Breach of the security of the system” – The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI, excluding certain good-faith acquisitions by employees (§ 4-110-103(1)).
• “Personal information” – An Arkansas resident’s first name or first initial and last name in combination with one or more specified data elements when either the name or the data element is not encrypted or redacted (§ 4-110-103(7)).
• Timing of notice – “In the most expedient time and manner possible and without unreasonable delay” subject to law-enforcement needs and measures necessary to restore system integrity (§ 4-110-105(b)).

[// GUIDANCE:
1. Verify that substitute notice criteria (cost > $250k, > 500k persons, or insufficient contact info) do not apply.
2. Retain forensic report and vendor contracts to demonstrate reasonable security and mitigation actions.
3. If issuing electronic notices, confirm compliance with the federal E-SIGN Act and Ark. Code Ann. § 4-110-105(c)(2)(B).
4. Preserve privilege by routing drafts through counsel and marking “CONFIDENTIAL – ATTORNEY–CLIENT PRIVILEGED” where appropriate.]

© 2025 [Firm Name]. All rights reserved. This template is provided for attorney use only and does not constitute legal advice. Customization and jurisdictional review are required prior to deployment.