Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Louisiana governor amends data breach notification law; passes security freeze legislation

Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach

Privacy, Cyber Risk & Data Security

On May 20, the Louisiana governor signed SB361 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state or that own or license computerized data to (i) “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure,” and (ii) take “all reasonable steps” to destroy documents containing personal information once they no longer need to be retained. Key amendment highlights are as follows:

  • revises definitions, which include (i) defining “breach of the security of the system” to now apply to “the compromise… of computerized data that results in, or there is a reasonable likelihood to result in. . .” unauthorized acquisition and access; and (ii) revising the definition of “personal information” to include residents of the state, and include passport numbers and biometric data;
  • requires entities to notify affected individuals within 60 days of the discovery of a data breach—pending the needs of law enforcement—and further stipulates that if a determination is made to delay notification, the Attorney General must be notified in writing within the 60-day period to receive an extension of time;
  • provides that substitute notification—consisting of email notification, a notice posted to the entity’s website, and notifications to major statewide media—may be provided should the entity demonstrate that (i) the cost of the notification would exceed $100,000; (ii) the affected class of persons exceeds 100,000; or (iii) the entities lack sufficient contact information; and
  • states that violations of the Database Security Breach Notification Law constitute an unfair act or practice.

The amendments take effect August 1.

Separately, on May 15, the governor signed SB127, which prohibits credit reporting agencies from charging a fee for placing, reinstating, temporarily lifting, or revoking a security freeze. The bill became effective upon signature by the governor.