Required Reporting of Cyber Security Incidents to Legislative Audit

Memo Information

Memo Number

RT-22-001

Memo Date

7/29/2021

Memo Type

Regulatory

Unit

Research & Technology

Regulatory Authority

ACT 260

Response Required

Attention

Federal Programs; Superintendents; Assistant Superintendent; Principals; Technology Coordinators; Test Coordinators; General Business Managers; Curriculum Coordinators; Bookkeepers; School Counselors; Equity Coordinators (Disability/Race/Gender/National Origin); Child Nutrition Directors/Managers; Data Stewards (SIS; eSchool; eFinance; TRIAND); District Coordinators (ALE; Homeless; ESOL; SDFS & Foster); CTE Coordinator (COOPs and regular school districts); Facilities / Maintenance Director

Primary Contact Information

Name

Larry Doss

Phone Number

501-683-8600

Larry.Doss@arklegaudit.gov

Secondary Contact/s Information

Name

Ray Girdler

Phone Number

501-683-4230

Ray.Girdler@ade.arkansas.gov

Memo Text

During the 2021 Regular Session, the Arkansas General Assembly enacted Act 260 of 2021, which requires a public entity, or contractual provider of a public entity, to disclose in writing an initial report of the known facts of a security incident to the Legislative Auditor within five (5) business days after learning of the incident. Additionally, the public entity shall provide regular updates regarding the status of the incident. A report, update, notification, or list created or maintained under this law is exempt from FOIA as a security function under Ark. Code Ann. §25-19-105(b)(11).

A link to a form for reporting security incidents will be made available on the Arkansas Legislative Audit website. https://www.arklegaudit.gov/

Attachments

ACT_260_092545.pdf