Type of Data Covered | Deadline for Notification | Government Notice |
---|---|---|
Electronic. | Most expedient time possible without unreasonable delay, but no later than 60 days from discovery of the breach. | Yes – Attorney General’s Consumer Protection Section. |
Subject Entities |
Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Applicable exemptions are set forth below. |
Definition of Personal Information |
First name or first initial and last name, in combination with one or more of the following unencrypted and unredacted data elements:
|
Definition of Breach |
Compromise of the security, confidentiality, or integrity of computerized data that results in, or is reasonably likely to result in, the unauthorized acquisition of and access to personal information, excluding certain good faith acquisitions. |
Type of Data Covered |
Electronic. |
Encryption Safe Harbor |
Statute does not apply to personal information that is encrypted or redacted. |
Risk of Harm Analysis |
Notification not required if, after a reasonable investigation, the entity determines that there is no reasonable likelihood of harm to residents. The subject entity must retain written determination and supporting documentation of the risk of harm analysis for five years. |
Consumer Notice Requirements |
Timing: Must be made in the most expedient time possible without unreasonable delay but not later than 60 days from discovery of the breach, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the system. If notification is delayed in order to determine the scope of the breach, prevent further disclosures, and restore the system’s reasonable integrity, the subject entity shall provide the Attorney General the reasons for the delay in writing within the 60-day notification period, who shall allow a reasonable extension of time for notification.
Method: Written notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Substitute notice is available under certain circumstances. |
Substitute Notice Requirements |
Substitute notice may be provided if the cost of providing notice would exceed $100,000, or the affected class of persons to be notified exceeds 100,000, or the entity does not have sufficient contact information. Substitute notice must include:
|
Delayed Notice Requirements |
Notification may be delayed if law enforcement determines that notice will impede a criminal investigation. If notification is delayed per law enforcement request, the subject entity shall provide the Attorney General the reasons for the delay in writing within the 60-day notification period, who shall allow a reasonable extension of time for notification. |
Government Notice Requirements |
If notice to residents is required, the entity must notify the Consumer Protection Section of the Attorney General’s office, including names of all Louisiana citizens affected by the breach. Notice to the Attorney General’s office will be “timely” if received within 10 days of notice to residents. Licensees subject to the Insurance Data Security Law (La. Rev. Stat. §§ 22:2501 – 2511) must notify the insurance commissioner without unreasonable delay but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of the subject entity has occurred when either of the following have occurred:
|
Third Party Notice Requirements |
An entity that maintains personal information that it does not own must notify the owner or licensee if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a security breach. |
Potential Penalties |
Violations may result in damages, civil penalties, or other remedies. Violations may also be deemed to be unfair acts or practices under Louisiana law. Failure to timely notify the Attorney General is punishable by a fine of up to $5,000 per violation. Each day notice is not received by the Attorney General shall be deemed a separate violation. |
Notification Requirements for Government Agencies |
Please see the statute for specific requirements and/or penalties for applicable government agencies. |
Related Laws |
Please see La. Admin. Code, tit. 16, pt. III, § 701 for additional information regarding required notice to the Louisiana Attorney General. |
Exemptions |
An entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information and whose procedures are otherwise consistent with timing requirements of this section is deemed to be in compliance with the notification requirements of this section if the entity notifies residents in accordance with its policies in the event of a breach. |
Last updated: January 2024