Louisiana Strengthens Its Database Security and Privacy Laws

La. R.S. §§ 51:3071 through 51:3077 are known as Louisiana’s “Database Security Breach Notification Law.” Pursuant to La. R.S. § 51:3073(4)(a), the law aims to protect “personal information” of Louisiana residents defined as follows:

“Personal information” means the first name or first initial and last name of an individual resident of this state in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:

  • Social security number.
  • Driver’s license number or state identification card number.
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • Passport number.
  • Biometric data. “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual’s identity when the individual accesses a system or account.

However, “personal information” does not include “publicly available information that is lawfully made available to the general public from federal, state, or local government records.” La. R.S. § 51:3073(4)(b); La. R.S. § 51:3073(2).

“Breach of the security of the system” is defined as:

“Breach of the security of the system” means the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable likelihood to result in, the unauthorized acquisition of and access to personal information maintained by an agency or person. Good faith acquisition of personal information by an employee or agent of an agency or person for the purposes of the agency or person is not a breach of the security of the system, provided that the personal information is not used for, or is subject to, unauthorized disclosure.

Following discovery of a breach of a security system, any person, entity or agency that owns or licenses computerized data that includes personal information must notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. See La. R.S. § 51:3074(C). In the event a person, business or agency maintains computerized data that includes personal information, but does not own such data, it must notify the owner or licensee of any similar breach which it knows of or reasonably believes has occurred. La. R.S. § 51:3074(D). The notification required under the preceding subsections must be made “in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach” consistent with the legitimate needs of law enforcement as outlined in the law or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. See La. R.S. § 51:3074(E)-(F). However, the Louisiana Attorney General is required to grant a reasonable extension of time for providing notice if the notifying party submits a written request within 60 days outlining the need for additional time based on the notifying party’s determination that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. See La. R.S. § 51:3074(E).

The required notification must be provided (1) in writing or (2) electronically, consistent with the provisions regarding electronic records and signatures pursuant to 15 U.S.C. § 7001. See La. R.S. § 51:3074(G)(1)-(2). Substitute notification may be provided via email, website posting, or to major statewide media if (1) the cost of providing notice would exceed $100,000; (2) the class of persons to be notified exceeds 100,000; or (3) the notifying party does not have sufficient contact information. See La. R.S. § 51:3074(G)(3). However, a notifying party that maintains a notification procedure as part of its security policy for protection of personal information which is consistent with the timing requirements of the law may issue notification to necessary persons consistent with its policy and procedure in the event of a breach. See La. R.S. § 51:3074(H). Furthermore, notification is not required if the person, business or agency determines there is no “reasonable likelihood of harm” to Louisiana residents after “reasonable investigation.” La. R.S. § 51:3074(I). Written notice of a breach must also be provided to the Louisiana Attorney General so that it is received within 10 days of distribution of notice to Louisiana residents. See La. Admin. Code, tit. 16, pt. III, § 701.

Lastly, violations of the Database Security Breach Notification Law constitute unfair trade practices under Louisiana law. See La. R.S. § 51:3074(J). Failure to provide timely notice as required under the law can result in fines not to exceed $5,000 per violation, and each day notice is not received by the Louisiana Attorney General constitutes a separate violation. See id. Additionally, a private right of action is granted under La. R.S. § 51:3075 to recover actual damages for failure to provide timely notice in the event of a breach of a person’s personal information as required under the law.