Louisiana Database Security Breach Notification Law
La. Rev. Stat. § 51:3071 - § 51:3077
La. Admin. Code tit. 16, pt. III, § 701
SUMMARY:
EFFECTIVE. January 1, 2006
WHO DOES THIS LAW APPLY TO. (1) Any person or entity (including State agencies or political subdivisions) that conducts business in Louisiana and owns or licenses computerized data that includes Personal Information of state residents; and (2) any person or entity maintaining information on state residents that includes Personal Information.
WHAT IS A BREACH. An unauthorized acquisition of and access to computerized data that compromises the security, integrity, or confidentiality of Personal Information maintained by a person, agency, or business which causes or is reasonably likely to cause substantial economic loss to an individual. A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not used for, or subject to, further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number.
- Passport number.
- Biometric data that includes data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voice print, eye retina, or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual's identity when the individual accesses a system or account.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the affected Louisiana residents. No notification is required if, after a reasonable investigation, the person, agency, or business determines that there is no reasonable likelihood of harm to customers. Also, the entity shall provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s Office. The notice shall include the names of all LA citizens affected by the breach. The notice to the state AG shall be timely if received within 10 days of distribution of notice to LA citizens. Each day notice is not received by the state AG shall be deemed a separate violation.
EXCEPTION. This Section does not apply to the following:
- A person, agency, or business which maintains its own notice procedures as part of a Personal Information security policy, and is otherwise consistent with the timing requirements of this section, is considered in compliance with this Section if the affected Louisiana individuals are notified by the person, agency, or business in accordance with its policies.
- A financial institution that is subject to, and in compliance with, the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued on March 7, 2005, by the Federal Reserve System, the FDIC, the Office of the Comptroller of the Currency and the Office of Thrift Supervision, and any revisions to such guidance, shall be considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, agency, or business first becomes aware of an incident of unauthorized acquisition but not later than 60 days from discovery of the breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay consistent with the needs of law enforcement, or any measures necessary to determine the nature and scope of the breach, to prevent any further disclosures and to restore the reasonable integrity of the data system. Notification may be delayed if it will impede a criminal investigation. In that instance, notification will be made following clearance by law enforcement and notice shall be provided to the attorney general with the reasons for the delay in writing within the 60-day notification period.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if it is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, agency, or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person, agency, or business has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, agency, or business, if an internet site is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, agency, or business maintains computerized data that includes Personal Information that it does not own, then the person, agency or business shall notify the owner or licensee of the information upon discovery of a breach. The person, agency or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. A civil lawsuit may be brought to recover actual damages resulting from failure to timely disclose a breach which results in disclosure of an individual’s Personal Information.
PRIVATE RIGHT OF ACTION. Yes, to include recovery of actual damages.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. La. R.S. 51:3074(B). Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information shall take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
LEGISLATIVE UPDATES.
S.B. 205 – Signed into law on 7/12/2005, Effective 1/1/2006.
S.B. 361 – Signed into law on 5/16/2018, Effective 8/1/2018.
For more information, see: https://legis.la.gov/Legis/Law.aspx?p=y&d=322027 and https://www.doa.la.gov/media/t4ojmm4j/16.pdf
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.