Louisiana Data Breach Notification Statute Summary

La. Rev. Stat. §§ 51:3071 – 3077

La. Admin. Code tit. 16, pt. III, § 701

 

Type of Data Covered: Electronic.

Deadline for Notification: Most expedient time possible without unreasonable delay, but no later than 60 days from discovery of the breach.

Government Notice: Yes – Attorney General’s Consumer Protection Section.

 

Subject Entities

Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Applicable exemptions are set forth below.

Definition of Personal Information

First name or first initial and last name, in combination with one or more of the following unencrypted and unredacted data elements:

  • Social Security number;
  • Driver’s license number or state identification card number;
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
  • Passport number; or
  • Biometric data generated by automatic measurements of an individual’s biological characteristics including fingerprints, voice print, eye retina, iris, or other unique biological characteristic used to authenticate an individual’s identity for access to a system or account.

Definition of Breach

Compromise of the security, confidentiality, or integrity of computerized data that results in, or is reasonably likely to result in, the unauthorized acquisition of and access to personal information, excluding certain good faith acquisitions.

Type of Data Covered

Electronic.

Encryption Safe Harbor

Statute does not apply to personal information that is encrypted or redacted.

Risk of Harm Analysis

Notification not required if, after a reasonable investigation, the entity determines that there is no reasonable likelihood of harm to residents. The subject entity must retain written determination and supporting documentation of the risk of harm analysis for five years.

Consumer Notice Requirements

Timing: Must be made in the most expedient time possible without unreasonable delay but not later than 60 days from discovery of the breach, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the system. If notification is delayed in order to determine the scope of the breach, prevent further disclosures, and restore the system’s reasonable integrity, the subject entity shall provide the reasons for the delay in writing, within the 60-day notification period, to the Attorney General, who shall allow a reasonable extension of time for notification.

Method: Written notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Substitute notice is available under certain circumstances.

Substitute Notice Requirements

Substitute notice may be provided if the cost of providing notice would exceed $100,000, or the affected class of persons to be notified exceeds 100,000, or the entity does not have sufficient contact information. Substitute notice must include:

  • Email notice when the entity has email addresses for the subject residents;
  • Conspicuous posting of the notice on the entity’s Internet Web site, if it maintains one; and
  • Notification to major statewide media.

Delayed Notice Requirements

Notification may be delayed if law enforcement determines that notice will impede a criminal investigation. If notification is delayed per law enforcement request, the subject entity shall provide the reasons for the delay in writing, within the 60-day notification period, to the Attorney General, who shall allow a reasonable extension of time for notification.

Government Notice Requirements

If notice to residents is required, the entity must notify the Consumer Protection Section of the Attorney General’s office, including names of all Louisiana citizens affected by the breach. Notice to the Attorney General’s office will be “timely” if received within 10 days of notice to residents.

Licensees subject to the Insurance Data Security Law (La. Rev. Stat. §§ 22:2501 – 2511) must notify the insurance commissioner without unreasonable delay but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of the subject entity has occurred when either of the following have occurred:

  • Louisiana is the licensee’s domicile or home state and the cybersecurity event has reasonable likelihood of materially harming either a Louisiana consumer or any material part of the normal operations of the subject entity; or
  • The subject entity reasonably believes that the nonpublic information involved is for two hundred fifty or more Louisiana consumers and that either of the following have occurred:
    • A cybersecurity event affecting the subject entity of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
    • A cybersecurity event that has a reasonable likelihood of materially harming any of the following:
      • Any Louisiana consumer; or
      • Any material part of the normal operations of the subject entity.

Third Party Notice Requirements

An entity that maintains personal information that it does not own must notify the owner or licensee if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a security breach.

Potential Penalties

Violations may result in damages, civil penalties, or other remedies. Violations may also be deemed to be unfair acts or practices under Louisiana law. Failure to timely notify the Attorney General is punishable by a fine up to $5,000 per violation. Each day notice is not received by the Attorney General shall be deemed a separate violation.

Notification Requirements for Government Agencies

Please see the statute for specific requirements and/or penalties for applicable government agencies.

Related Laws

Please see La. Admin. Code, tit. 16, pt. III, § 701 for additional information regarding required notice to the Louisiana Attorney General.

Exemptions

An entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information and whose procedures are otherwise consistent with timing requirements of this section is deemed to be in compliance with the notification requirements of this section if the entity notifies residents in accordance with its policies in the event of a breach.

 

Last updated: January 2024