WeVote

Bill

Bill

HB 1666

Bonds; authorize issuance to assist Town of Fayette with various projects.

2025 Regular Session Introduced by Jeffery Harness

The bill prioritizes insurance, making the cyber response program secondary to any private coverage and detailing new rules, panel procurement, and standards for cyber responses.

Died In Committee
0
WeVote Research Nonpartisan
Bill Summary · HB 1666

Summary — HB 1666 (Arkansas, 95th General Assembly, 2025 session)

Note on source material and status
- The text provided for HB 1666 is primarily an Arkansas bill that amends the Arkansas Self‑Funded Cyber Response Program (Ark. Code § 21‑2‑803 et seq.).
- The packet also contains inconsistent/duplicative metadata (including references to other states’ HB 1666, mixed legislative actions, and conflicting status lines). Because of those conflicts, the bill’s procedural status is unclear from the materials supplied. Verify final status using the Arkansas General Assembly website or official session law records before relying on enactment information.

Purpose and intent
- To revise and clarify the statutory framework for the Arkansas Self‑Funded Cyber Response Program (a state program that assists participating governmental entities after cyberattacks). The amendments update definitions, clarify program priority relative to insurance, limit certain coverages, refine board membership and duties, and set procedural requirements for activation and coverage determinations.

Key provisions and changes
- Definitions (Ark. Code § 21‑2‑803):
- Adds/clarifies terms such as “cyber response contact,” “cyber response panel,” and “higher education entity.”
- Adjusts ordering and minor language in existing definitions (e.g., “money,” “property other than money and securities,” and the list of participating governmental entities).
- Program priority and use (amend § 21‑2‑804(a)):
- Explicitly makes program benefits secondary to any insurance a participating governmental entity may have.
- States program funds are to be used to reimburse participating governmental entities for losses as detailed in the subchapter.
- Coverage limitations (amend § 21‑2‑804(e), as presented):
- Removes (repeals) certain coverage language; the draft indicates the program will not cover legal liability for damages arising from deprivation or violation of an individual’s civil rights by public officials/employees, or tortious conduct of public officials/employees. (Text is fragmented; verify exact repeal language.)
- Cyber Response Board membership (amend § 21‑2‑805(a)(2)):
- Changes a specified member’s voting status to nonvoting (reference to relettered subdivisions).
- Board powers and procedures (amend § 21‑2‑805(b)):
- Directs the board to define “cyberattack” (aligned with industry standards) and review that definition annually.
- Requires the board to set minimum cybersecurity standards for participating entities.
- Allows the board to set a maximum program coverage amount for entities that fail to meet the minimum standards — capped at $50,000.
- Requires creation of a procured, approved “cyber response panel” of vendors/contractors and designation of a “cyber response contact” for each participating entity. The contact may select panel members to assist with forensic analysis, restoration, and board‑authorized assistance.
- Requires the cyber response contact to provide prompt notice and a detailed action report to the board.
- Directs the board to promulgate rules for program utilization describing notification, coverage determination procedures (consultation with the board when feasible), and other necessary processes.

Who is affected
- Participating governmental entities (as defined) — counties, municipalities (cities/towns), and school districts — would be governed by the revised program rules. (The draft introduces a “higher education entity” definition, but the participating governmental entity list appears unchanged; confirm whether higher education entities are added as eligible participants.)
- Vendors and firms on the cyber response panel (including government‑owned/managed entities if so procured) could see new procurement and activation roles.
- The Arkansas Cyber Response Board’s composition and operational duties would change modestly (including at least one nonvoting member and expanded rulemaking responsibilities).

Fiscal/operational impacts (high level)
- Establishing/maintaining a procured cyber response panel, annual reviews of standards, and administrative procedures may impose administrative costs on the board or relevant state agencies.
- Making the program secondary to insurance may shift initial claim costs to insured entities or private insurers and could reduce program payouts; the statutory $50,000 cap for noncompliant entities limits potential program exposure.

Procedural/timeline notes
- The draft contains multiple sectional amendments (21‑2‑803, 21‑2‑804, 21‑2‑805). Implementation would proceed through the board’s rulemaking and panel procurement processes once the statute is effective.
- Because the supplied materials include inconsistent legislative action notes, confirm the final enacted language and effective date from official Arkansas session law or the Secretary of State.

Recommended verification
- Check the Arkansas General Assembly bill tracker and the Arkansas Code for the final, enrolled version and the bill’s effective date. Confirm whether higher education entities are intended to be participants (text in the draft is ambiguous).

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.