Fighting Security Breach Incidents in the State of Louisiana
La. Rev. Stat. §§ 51:3071, also known as the Database Security Breach Notification Law, is a security breach notification law that was passed in the U.S. state of Louisiana in 2006. The Database Security Breach Notification Law establishes the legal guidelines that business entities and organizations within Louisiana must follow in the event that a security breach occurs. Moreover, the law also sets forth the punishments that may be imposed against individuals, businesses, and organizations that fail to comply with the law. As such, the Database Security Breach Notification Law is the primary law that governs data breaches within the state of Louisiana.
How is a security breach defined?
Under the Database Security Breach Notification Law, a security breach is defined as “the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to PI maintained by an Entity.” By contrast, the “good-faith acquisition of PI by an employee of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used for, or is not subject to, unauthorized disclosure.” Additionally, as it concerns the scope and application of the law, La. Rev. Stat. §§ 51:3071 applies to “any individual, corporation, partnership, sole proprietorship, joint-stock company, joint venture, or any other legal entity that conducts business in LA.”
What are the requirements of businesses and organizations?
La. Rev. Stat. §§ 51:3071 mandates that business entities and organizations within the state of Louisiana provide residents of the state with security breach notices in instances where such events occur. These notices must be provided to Louisiana residents within 60 days of the discovery of the breach, and must provide them with information concerning the categories of personal information that were compromised as a result of the breach, as well as the scope and severity of the breach in question, among other pertinent details. These notices may be provided to consumers in either written or electronic form, provided that any electronic communications are “consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).”
Alternatively, agencies, businesses, and organizations within Louisiana are permitted to provide consumers with substitute security breach notices under certain circumstances. Such circumstances include instances where an entity demonstrates that the cost of providing standard security breach notices to consumers would exceed $100,000, the number of consumers who were affected by the breach exceeds 100,000, or the entity that experienced the breach does not have sufficient contact information to provide standard security breach notices. These substitute notices must include the following:
- Email notification to affected persons, provided that the entity that experienced the breach has access to such information.
- “Conspicuous posting of the notification on the Entity’s Web site if the Entity maintains one.”
- Notification to major media outlets within Louisiana.
What categories of personal information are protected?
Under the Database Security Breach Notification Law, the following categories of personal information are legally protected should they be compromised as a result of a data breach, in conjunction with the first name or initial and last name of a Louisiana resident, when the data element in question has not been encrypted or redacted:
- Social security numbers.
- Driver’s license numbers and state identification card numbers.
- Account numbers, credit card numbers, debit card numbers, as well as any required access codes, security codes, or passwords that could be used to gain access to an individual’s financial account.
- Passport numbers.
- “Biometric data. “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual’s identity when the individual accesses a system or account.”
The Database Security Breach Notification Law is enforced by the Louisiana Attorney General, who has the authority to impose a number of sanctions against business entities and organizations within the state that are found to be in non-compliance with the law. Such sanctions include a monetary penalty of up to $5,000 per violation. What’s more, businesses and organizations within Louisiana are also required to provide notice to the Louisiana Attorney General within 10 days of the discovery of a security breach, or face additional penalties for each day in which said notice is not provided.
Louisiana’s Database Security Breach Notification Law represents the primary means by which the personal information of citizens of the state is legally protected against security breaches. Through the various provisions set out in the law, residents within Louisiana can have the peace of mind that they will be able to receive justice in the event that their personal information is compromised as a result of a data breach. Legislation such as La. Rev. Stat. §§ 51:3071 is very much needed in the absence of a comprehensive data privacy law at the state level, such as the Virginia Consumer Data Protection Act and the California Privacy Rights Act.