skip to main content
Experience List
DWT
  • Email Page
  • Create PDF
  • Print Page
Louisiana Data Breach Statute

 

La. Rev. Stat. Ann. §§ 51:3071 to 51:3077
Act 382 of the 2018 Regular Session (codified version incorporating amendments not yet available)

To print or save this summary, click here.

 

Quick Facts

Breach Based on
Harm Threshold

Deadline for
Consumer Notice

Government
Notification Required

YES

Not later than 60 days

YES

 

More Details

Scope of this Summary Notification requirements applicable to any person or agency that conducts business in the state or that owns, licenses, or maintains covered info. Some types of businesses may be exempt from some or all of these requirements and non-commercial entities may be subject to different requirements.
Covered Info First name or first initial and last name, plus: Social Security number; driver's license or state identification card number; account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account; passport number; or biometric data.
Form of Covered Info Electronic Only
Encryption Safe Harbor Statute does not apply to information that is encrypted or redacted.
Breach Defined Compromise to the security, confidentiality or integrity of computerized data that results in, or is reasonably believed to have resulted in, the unauthorized acquisition or and access to covered info, excluding certain good-faith acquisitions by employees or agents.
Consumer Notice Timing: Must be made in most expedient time possible and without unreasonable delay, but not later than 60 days from discovery of the breach, consistent with any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.

Method: By written notice or electronic notice if consistent with E-SIGN.  Substitute notice is available if certain criteria are satisfied.
Delayed Notice Notification may be delayed if law enforcement determines that notification will impede a criminal investigation or if covered entity requires additional time to determine scope of the breach, prevent further disclosures, and restore the reasonable integrity of the system. Must provide reasons for delay to the Attorney General in writing within the original 60-day deadline.
Harm Threshold Notification not required if, after reasonable investigation, the covered entity determines that there is no reasonable likelihood of harm to residents. The covered entity must document determination in writing, retain the documentation for 5 years, and provide a copy to the Attorney General upon request.
Government Notice La. Admin. Code tit. 16, pt. III, § 701: If notice to Louisiana residents is required, must also provide written notice to the Consumer Protection Section of the Attorney General's office. Notice must be received within 10 days of distribution of notice to Louisiana residents and must include the names of those affected residents.
Third-Party Notice If you maintain covered info on behalf of another entity, you must notify them following discovery of a breach if the covered info was, or is reasonably believed to have been, acquired by an unauthorized person.
Potential Penalties Violations may result in civil penalties and/or a fine.

 

To print or save this summary, click here.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on August 1, 2018