Stricken language would be deleted from and underlined language would be added to present law.
Act 656 of the Regular Session
*LGL101* 04-08-2025 10:50:55 LGL101
State of Arkansas As Engrossed: S4/8/25 1
95th General Assembly A Bill 2
Regular Session, 2025 HOUSE BILL 1666 3
4
By: Representative S. Meeks 5
By: Senator K. Hammer 6
7
For An Act To Be Entitled 8
AN ACT TO AMEND THE LAW CONCERNING THE ARKANSAS SELF -9
FUNDED CYBER RESPONSE PROGRAM; AND FOR OTHER 10
PURPOSES. 11
12
13
Subtitle 14
TO AMEND THE LAW CONCERNING THE ARKANSAS 15
SELF-FUNDED CYBER RESPONSE PROGRAM. 16
17
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS: 18
19
SECTION 1. Arkansas Code § 21 -2-803 is amended to read as follows: 20
21-2-803. Definitions. 21
As used in this subchapter: 22
(1) “County” means any county of this state; 23
(2) “Cyber response contact” means a person or entity designated 24
by the Arkansas Cyber Response Board to be the initial contact for a 25
participating governmental entity that is the subject of a cyberattack; 26
(3)(A) “Cyber response panel” means a group of entities, each of 27
which has been procured through state procurement and approved by the board, 28
which can be activated by the cyber response contact to assist the 29
participating governmental entity with forensic analysis, restoration 30
guidance, and other board -authorized assistance following a cyberattack. 31
(B) “Cyber response panel” may include an entity that is 32
owned or managed by the government; 33
(4) “Higher education entity” means a: 34
(A) State-supported college, university, technical 35
college, community college, or other institution of higher education; or 36 As Engrossed: S4/8/25 HB1666
2 04-08-2025 10:50:55 LGL101
(B) Department, division, or agency of a state institution 1
of higher education; 2
(5)(4) “Money” means: 3
(A) Currency, coins, and bank notes in current use and 4
having a face value; and 5
(B) Travelers' checks, register checks, and money orders 6
held for sale to the general public; 7
(6)(5) “Municipality” means: 8
(A) A city of the first class; 9
(B) A city of the second class; or 10
(C) An incorporated town; 11
(7)(6) “Participating governmental entity” means a: 12
(A) County; 13
(B) Municipality; or 14
(C) School district; 15
(8)(7) “Property other than money and securities” means any 16
tangible property, other than money and securities, that has intrinsic value; 17
and 18
(9)(8) “School district” means a school district or open -19
enrollment public charter school in this state. 20
21
SECTION 2. Arkansas Code § 21 -2-804(a), concerning the establishment 22
of the Arkansas Self -Funded Cyber Response Program, is amended to add an 23
additional subdivision to read as follows: 24
(4) The program shall be: 25
(A) Secondary to any insurance a participating 26
governmental entity may have; and 27
(B) Used to reimburse a participating governmental entity 28
for losses as detailed in this subchapter. 29
30
SECTION 3. Arkansas Code § 21 -2-804(e), concerning the scope of 31
coverage of the Arkansas Self -Funded Cyber Response Program, is repealed. 32
(e) A participating governmental entity is legally liable for damages 33
as a result of: 34
(1) The deprivation or violation of a civil right of an 35
individual by a public official or public employee; or 36 As Engrossed: S4/8/25 HB1666
3 04-08-2025 10:50:55 LGL101
(2) The tortious conduct of a public official or public employee. 1
2
SECTION 4. Arkansas Code § 21 -2-805(a)(2), concerning the Arkansas 3
Cyber Response Board, is amended to read as follows: 4
(2) The member under subdivision (a)(1)(F) (a)(1)(E) of this 5
section shall be a nonvoting board member. 6
7
SECTION 5. Arkansas Code § 21 -2-805(b), concerning the Arkansas Cyber 8
Response Board, is amended to read as follows: 9
(b) The board shall: 10
(1)(A) Establish a definition of a cyberattack that will be 11
covered under the Arkansas Self -Funded Cyber Response Program based on 12
industry standards. 13
(B) The definition of a cyberattack established under 14
subdivision (b)(1)(A) of this section shall be reviewed annually and updated 15
as necessary by the board; 16
(2) Establish minimum cybersecurity standards for participating 17
governmental entities; 18
(3) Determine a maximum amount of program coverage, not to exceed 19
fifty thousand dollars ($50,000), for participating governmental entities 20
that have not met the minimum cybersecurity standards established by the 21
board under this section; 22
(4) Create a cyber response panel; 23
(5)(A)(4)(A) Designate a cyber response contact. 24
(B) The cyber response contact may select an entity from the 25
cyber response panel to assist with forensic analysis, restoration guidance, 26
and other board-authorized assistance to the participating governmental 27
entity. 28
(C) The cyber response contact shall provide to the board: 29
(i) Prompt notice detailing the cyberattack; and 30
(ii) A detailed report of the action that is being 31
taken; and 32
(6)(5) Promulgate rules and procedures regarding utilization of 33
the program by participating governmental entities to generally align with 34
the following procedures: 35
(A) Upon discovery of a cyberattack, a participating 36 As Engrossed: S4/8/25 HB1666
4 04-08-2025 10:50:55 LGL101
governmental entity shall notify the cyber response contact designated by the 1
board; 2
(B)(i) The cyber response contact shall make a determination 3
of program coverage in consultation with the board, if feasible. 4
(ii) If consultation with the board is not feasible 5
under subdivision (b)(6)(B)(i) (b)(5)(B)(i) of this section due to the timing 6
of the cyberattack, then the cyber response contact shall review and evaluate 7
criteria established by the board to make a determination of program 8
coverage.; 9
(C) The cyber response contact shall notify the board once 10
the cyber response contact has made a determination of program coverage; and 11
(D) Any other procedures that the board deems necessary to 12
carry out this subchapter. 13
14
/s/S. Meeks 15
16
17
APPROVED: 4/16/25 18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36