| Type of Data Covered | Deadline for Notification | Government Notice |
| --- | --- | --- |
| Electronic | No later than 3 business days from a determination that a cybersecurity event occurred. | Yes – Notify Insurance Commissioner. |
Subject Entities
Applies to any person or nongovernmental entity that is licensed, authorized to operate, or registered, or that is required to be licensed, authorized, or registered, pursuant to Louisiana’s insurance laws. A licensee is exempt if it meets any of the following requirements:
A licensee that is a financial institution is also exempt if it notifies affected Louisiana residents in a manner consistent with GLBA requirements and notifies the Commissioner in a manner consistent with, and at the same time that, federal regulatory authorities are notified.
Security Standard

Type of Data Covered
Electronic.
Definitions
A “Cybersecurity event” means an event resulting in unauthorized access to or disruption or misuse of an information system or nonpublic information stored on an information system. “Nonpublic information” means electronic information that is not publicly available information and is any of the following:

Methods of Compliance
Written Information Security Program requirements:
Risk Assessment requirements:
Based on the risk assessment, a subject entity must:
Incident Response Plan requirements: As a part of its information security program, a subject entity must establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the subject entity’s information systems, or the continuing functionality of any aspect of the subject entity’s business or operations. The Incident Response Plan must address:
(Effective August 1, 2022) Regarding third-party service providers, a licensee must:
If a subject entity has a board of directors, the board or an appropriate committee of the board shall, at a minimum, require the subject entity’s executive management or its delegates to:

Government Notice Requirements
Licensees must notify the Insurance Commissioner without unreasonable delay, but in no event later than three (3) business days from a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, when either of the following has occurred:

Government Reporting
An insurer domiciled in Louisiana must submit a written report by February 15 every year certifying its compliance with the required information security standards. It must maintain for examination all records, schedules, and data supporting the certification for a period of five years. If a Louisiana-domiciled insurer identifies areas, systems, or processes that require material improvement, update, or redesign, it must document the identification and the remediation efforts planned and underway to address those areas, systems, or processes, and make such documentation available for inspection by the Insurance Commissioner.
Last updated: January 2024