Cybersecurity State Laws

Act 504

This law directs public entities, including the department, public school districts, public school district boards of directors, open-enrollment public charter schools, and institutions of higher education, to create technology resources policies. The policies define the authorized use of technology resources and cybersecurity policies for those technology resources based on the standards and guidelines set by the State Cyber Security Office. This also includes developing training programs to implement those policies. (effective August 1, 2023)

Act 510

This law clarifies that an agency or school district's policies and guidelines that are related to cybersecurity incidents and cyberattacks are not rules under the APA, are not subject to the Arkansas FOIA, and are not subject to ALC review. This law establishes a new section that exempts meetings of the Joint Committee on Advanced Communications and Information Technology that are related to a cybersecurity incident involving or a cyberattack on an agency or a school district from the FOIA's open meetings requirement and clarifies that all information discussed in those meetings is confidential. (effective August 1, 2023)

Act 846

This law creates the Arkansas Self-Funded Cyber Response Program to provide coverage for damages/losses caused by a cyberattack committed against a participating government entity. Public school districts and public charter schools must participate in the program, and the State or a higher education entity may choose to join at any time. The Arkansas Cyber Response Board will be created to establish cyberattack definitions, minimum cybersecurity criteria, and procedures for responding after a cyberattack. Cyber Response Program coverage includes actual losses to an amount not to exceed $100,000 as determined by the Cyber Response Board. (effective August 1, 2023)