Louisiana Updates its Data Breach Notification Law
And now it’s Louisiana’s turn! After several states recently enacted or strengthened existing data breach notification laws (Colorado, Arizona, South Dakota and Alabama, just to name a few…), on May 20th, Louisiana Governor John Edwards signed an amendment to the state’s Database Security Breach Notification Law (Act 382), which will take effect August 1, 2018.
As with the recent overhaul of Colorado’s Data Breach Notification Act, the amendments to Louisiana’s law are significant.
Key updates to Louisiana’s new law include:
Expansion of personal information.
Personal information was previously defined under the law as an individual’s first name or initial and last name in combination with any of the following additional data elements when the name or data element is not encrypted or redacted: (1) social security number; (2) driver’s license number; or (3) account number, credit or debit card number, in combination with the applicable password, security code, or access code that would allow access to an individual’s financial account. The new law specifies its application to “an individual resident of this state” and expands the definition of ‘personal information’ to include a state identification card number; passport number; and “biometric data.” “Biometric data” is defined as “data generated by automatic measurements of an individual’s biological characteristics such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristics that are used to authenticate an individual’s identity when accessing a system or account”.
Breach notification requirements.
Previously, businesses were required to notify affected residents of a breach in the “most expedient time possible and without unreasonable delay”. The new law now requires that this be done “not later than sixty (60) days from the discovery of a breach”. In comparison to other states’ recent amendments, a 60-day notice period is fairly long: Colorado recently adopted a 30-day notice period, and both Arizona and Alabama a 45-day notice period. Notably, when required notification is delayed at the request of law enforcement, or because the business determines that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the integrity of the data system, the business must provide the Louisiana Attorney General the reasons for the delay in writing within the sixty-day notification period in order to obtain a reasonable extension of the time to notify impacted individuals.
In addition, the new law lowers the bar for substitute notification (notification by e-mail, posting to the business’s Internet site, and statewide media). Whereas substitute notice was previously permitted only if the cost of providing notification would exceed $250,000 or more than 500,000 affected residents would have to be notified, the amended law allows substitute notification where the cost of providing notification would exceed $100,000 or more than 100,000 affected residents would have to be notified.
Requirements for reasonable security procedures and data disposal.
The new law requires that any person that conducts business in the state or owns or licenses computerized data that includes personal information shall:
- Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure;
- Take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
This is a significant expansion of Louisiana’s law, particularly in its emphasis on reasonable security practices and procedures and on data destruction. It is also worth noting that Oregon’s similar amendment to its Data Breach Notification Law, which we reported on back in April, took effect on June 2nd.
Today’s nationwide patchwork of state breach notification laws continues to evolve, and requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions.