Ark. Issues Reminder of Responsibility to Protect Customer Information

January 18, 2006

The Arkansas Insurance Department issued Bulletin No. 1-2006 to remind insurers and other insurance professionals of their responsibility to protect their customers’ personal information.

According to the department, the purpose of Act 1526 of 2005 (“Act”), codified as Ark. Code Ann. §§ 4-110-101, et seq. is to ensure that Arkansans’ sensitive personal information is protected. The Act requires all persons or businesses to take all reasonable steps to destroy such information that is not to be retained.

“Business” includes “a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, or any other state, the United States, or of any other country or the parent or subsidiary of a financial institution.” Ark. Code Ann. § 4-110-103(2)(A).

The destruction of customers’ personal information must be accomplished so that the information is unreadable and undecipherable. Businesses must also, with some exceptions, inform customers when there has been a breach of security. This means that “any resident of Arkansas whose unencrypted [computerized] personal information was, or is reasonably believed to have been, acquired by an unauthorized person” must be notified if one of the exceptions in Act 1526 does not apply.

The Act contains an exemption for persons or businesses that are regulated by state or federal law that provides greater protection for personal information and at least as thorough disclosure requirements for security breaches as are provided by the Act.

Arkansas Insurance Department Rule and Regulation 77, “Standards for Safeguarding Customer Privacy” was promulgated pursuant to the federal Gramm-Leach-Bliley Act and Ark. Code Ann. § 23-63-113.

Rule 77 does not save department licensees from having to comply with the Act, because Rule 77 does not apply to all persons/business, while the Act does. Also, Rule 77 does not provide greater protection and at least as thorough disclosure requirements as the Act; for instance, Rule 77 has no disclosure requirements for breaches of security.

The Arkansas Insurance Department urged all persons and businesses, as defined in the Act, to take steps to ensure that they are meeting all of the Act’s requirements, lest they be subject to penalties. The Arkansas Attorney General is charged with enforcement of the Act.

The text of the Act can be found at www.arkleg.state.ar.us/. The statutes can be found at the State of Arkansas Web site: www.state.ar.us/.

All carriers are instructed to provide copies of this Bulletin to their appointed producers.