Louisiana Information Security Standards Summary

La. Rev. Stat. §§ 51:3074

Subject Entities

Applies to all individuals, business, governmental agencies, and any other entities that otherwise handle personal information under the statute.

Security Standard

Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Disposal/Destruction Standard

Must take reasonable steps to destroy or arrange for the destruction of any records within its custody or control containing personal information when such entity no longer intends to maintain or possess such records. Destruction must be by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

Type of Data Covered

Electronic.

Definitions

“Personal information” means a resident’s first name or first initial and last name, in combination with one or more of the following unencrypted and unredacted data elements:

• Social Security number;
• Driver’s license number or state identification card number;
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
• Passport number; or
• Biometric data.

Methods of Compliance

 Statute does not define “reasonable procedures and practices” or “reasonable care” to protect personal information from unauthorized access, destruction, use, modification or disclosure. Compliance with Massachusetts information security standard recommended.

Enforcement and Penalties

Individuals who suffer actual damages from a failure to timely disclose a breach may bring a civil action.
Violations may also be deemed to be unfair acts or practices under Louisiana law.