Louisiana
La. Rev. Stat. § 51:3071 et seq.
La. Admin. Code tit. 16, pt. III, § 701
S.B. 205 (signed into law July 12, 2005, Act 499)
Effective January 1, 2006
Application. Any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity that conducts business in LA or that owns or licenses computerized data that includes PI, or any agency that owns or licenses computerized data that includes PI (collectively, Entity).
- The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on LA residents, whether or not the Entity conducts business in LA.
Security Breach Definition. The compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to PI maintained by an Entity.
- Good-faith acquisition of PI by an employee of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used for, or is not subject to, unauthorized disclosure.
Notification Obligation. Any Entity to which the statute applies shall, following discovery of a breach of the security of the system containing such data, notify any resident of the state whose PI was, or is reasonably believed to have been, acquired by an unauthorized person.
- Notification is not required if, after a reasonable investigation, the Entity determines that there is not a reasonable likelihood of harm to customers.
Attorney General Notification. When notice to LA citizens is required by the statute, the Entity shall provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s Office. Notice shall include the names of all LA citizens affected by the breach. Notice to the state AG shall be timely if received within 10 days of distribution of notice to LA citizens. Each day notice is not received by the state AG shall be deemed a separate violation.
Third-Party Data Notification. Any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity that maintains computerized data that includes PI that the agency or person does not own shall notify the owner or licensee of the information if the PI was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data, following discovery by the agency or person of a breach of the security system.
Timing of Notification. The notification required pursuant to the statute shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.
Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:
- Social Security Number;
- Driver license number; or
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Notice Required. Notice may be provided by one of the following methods:
- Written notification; or
- Electronic notification, if the notification provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available. If an Entity demonstrates that the cost of providing notification would exceed $250,000, or that the affected class of persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
- Email notification when the Entity has an email address for the subject persons;
- Conspicuous posting of the notification on the Entity’s Web site if the Entity maintains one; and
- Notification to major statewide media.
Exception: Own Notification Policy. Any Entity that maintains notification procedures as part of its information security policy for the treatment of PI, which is otherwise consistent with the timing requirements of the statute, shall be deemed to be in compliance with the notification requirements of the statute if the Entity notifies subject persons in accordance with the policy and procedures in the event of a breach of the security of the system.
Exception: Compliance with Other Laws.
- Federal Interagency Guidance. A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, and any revisions, additions, or substitutions relating to said interagency guidance, shall be deemed to be in compliance.
Penalties.
- A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s PI.
- Failure to provide timely notice may be punishable by a fine not to exceed $5,000 per violation. Notice to the state AG shall be timely if received within 10 days of distribution of notice to LA citizens. Each day notice is not received by the state AG shall be deemed a separate violation.
Other Key Provisions:
- Delay for Law Enforcement. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by the statute must be made without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.
- Private Right of Action. A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s PI.