Arkansas Code
Chapter 110 - Personal Information Protection Act
§ 4-110-103. Definitions

As used in this chapter:
(1)
(A) “Breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.
(B) “Breach of the security of the system” does not include the good faith acquisition of personal information by an employee or agent of the person or business for the legitimate purposes of the person or business if the personal information is not otherwise used or subject to further unauthorized disclosure;

(2)
(A) “Business” means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country or the parent or the subsidiary of a financial institution.
(B) “Business” includes:
(i) An entity that destroys records; and
(ii) A state agency;


(3) “Customer” means an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business;
(4) “Individual” means a natural person;
(5) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a healthcare professional;
(6) “Owns or licenses” includes, but is not limited to, personal information that a business retains as part of the internal customer account of the business or for the purpose of using the information in transactions with the person to whom the information relates;
(7) “Personal information” means an individual's first name or first initial and his or her last name in combination with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted:
(A) Social Security number;
(B) Driver's license number or Arkansas identification card number;
(C) Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(D) Medical information; and
(E)
(i) Biometric data.
(ii) As used in this subdivision (7)(E), “biometric data” means data generated by automatic measurements of an individual's biological characteristics, including without limitation:
(a) Fingerprints;
(b) Faceprint;
(c) A retinal or iris scan;
(d) Hand geometry;
(e) Voiceprint analysis;
(f) Deoxyribonucleic acid (DNA); or
(g) Any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual's identity when the individual accesses a system or account;



(8)
(A) “Records” means any material that contains sensitive personal information in electronic form.
(B) “Records” does not include any publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number; and

(9) “State agencies” or “state agency” means any agency, institution, authority, department, board, commission, bureau, council, or other agency of the State of Arkansas supported by cash funds or the appropriation of state or federal funds.