Information Covered / Important Definitions
Personal information of Louisiana residents.
Definition includes (i) passport number and (ii) biometric data. "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual's identity when the individual accesses a system or account.
“Security Breach” means the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable likelihood to result in, the unauthorized acquisition of and access to personal information maintained by an agency or person.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or legal entity that owns or licenses computerized data that includes personal information.
Third party recipients:
Any covered entity that maintains computerized data that includes personal information that the covered entity does not own must notify the owner or licensee of the information following discovery of a security breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay but not later than sixty (60) days from the discovery of the breach, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement and the person or agency shall provide the attorney general the reasons for the delay in writing within the sixty (60) day notification period).
- Substitute notice is available by means prescribed in the statute if costs exceed $100,000, the affected class exceeds 100,000 persons, or the covered entity does not have sufficient contact information.
- Notice not required if the covered entity responsible for the data concludes after a reasonable investigation that there is no reasonable likelihood of harm to residents of Louisiana. The person or business shall retain a copy of the written determination and supporting documentation for five years from the date of discovery of the breach.
A covered entity must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure and must take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Exemption for good faith acquisition of personal information by an employee or agent of the covered entity for the purposes of the covered entity, so long as personal information is not used or subject to further unauthorized disclosure.
Covered entity deemed in compliance with the Louisiana statute if it maintains and complies with its own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the Louisiana statute.
Financial institutions subject to and in compliance with federal interagency guidelines are exempt.
Notification to Regulator / Waiver
Consumer Protection Section of attorney general must be notified of a security breach within ten (10) days of distribution of notice to affected Louisiana citizens.
Notice must include details of breach and names of all Louisiana citizens affected by the breach.
A determination of no likelihood of harm:
Does not require notification to attorney general.
Civil action may be instituted to recover actual damages.
Failure to provide timely notice punishable by a fine not to exceed $5,000 per violation. Notice to state attorney general will be “timely” if received within ten (10) days of distribution of notice to Louisiana citizens. Each day notice is not received by attorney general is deemed a separate violation.
Private Cause of Action / Enforcement
Private Cause of Action: Yes.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.