(a)
- (1) A licensee shall institute and utilize all reasonably necessary and prudent procedures and measures to protect a loan applicant’s or borrower’s financial information and Social Security number.
- (2) Any unauthorized disclosure or breach of a loan applicant’s or borrower’s financial information or Social Security number shall be reported by the licensee from whom the information was obtained to the Securities Commissioner within two (2) business days following the date on which the licensee either discovered or, in the exercise of reasonable diligence, should have discovered the unauthorized disclosure or breach.
- (3) The licensee shall use reasonable diligence to notify the applicant or borrower and all other affected persons of the unauthorized disclosure or breach within a reasonable time following the disclosure or breach.
- (b) Upon a licensee's discovery of a breach of the security of their system as defined in Arkansas Code § 4-110-103(1), the licensee shall immediately provide to the commissioner a copy of any notification which the licensee is required to give under the Arkansas Personal Information Protection Act, located at Arkansas Code §§ 4-110-101 — 4-110-108.