Companies that do business in Louisiana need to be aware of Louisiana's Database Security Breach Notification Law. Louisiana's data breach law has specific notification requirements for businesses that handle Louisiana residents' personal information, and financial penalties for noncompliance.

This article explains what Louisiana's Database Security Breach Notification Law is, who it applies to, what it requires, the steps businesses can take to comply with the law, and the penalties for noncompliance.


What is Louisiana's Database Security Breach Notification Law?

Louisiana's data breach law requires applicable businesses to keep the personal information they collect safe and comply with the law's notification provisions in the event of a data breach.

Personal information under the law is defined as a Louisiana resident's first name or first initial and last name in combination with any of the following:

  • Social security number
  • Driver's license or state ID card number
  • Account, credit card, or debit card number combined with security or access codes or passwords
  • Passport number
  • Biometric data (including fingerprints, voice print, or eye retina or iris)

Section 3073 of the Database Security Breach Notification Law defines personal information as a Louisiana resident's first name or first initial and last name in combination with other identifying data, such as financial account info or biometric data:

Louisiana Database Security Breach Notification Law Section 3073

Who Does Louisiana's Database Security Breach Notification Law Apply to?

Louisiana's data breach law applies to anyone who:

  • Conducts business in Louisiana, or
  • Owns, licenses, or maintains computerized data that includes personal information

Section 3074 (A-D) of the Database Security Breach Notification Law explains that it applies to entities that do business in Louisiana or own, license, or maintain computerized data that includes personal information:

Louisiana Database Security Breach Notification Law Section 3074

Who is Exempt From Louisiana's Database Security Breach Notification Law?

Louisiana's data breach law does not apply to organizations that only collect or use personal information that has been made publicly available from federal, state, or local government records.

Financial institutions that are subject to and comply with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice are considered to be in compliance with Louisiana's data breach law.

Section 3076 of the Database Security Breach Notification Law explains that financial institutions that comply with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice don't have to take any other steps to comply with Louisiana's data breach law:

Louisiana Database Security Breach Notification Law Section 3076

What Does Louisiana's Database Security Breach Notification Law Require?

Louisiana's data breach law requires applicable entities to do the following:

  • Protect personal information from unauthorized access or use
  • Ensure that personal information is destroyed after fulfilling its purpose
  • Notify Louisiana residents after a data breach if an unauthorized person may have accessed their personal information

Notifying Louisiana residents of any data breaches that could have a negative impact on their personal information is the Database Security Breach Notification Law's primary requirement.

How to Comply With Louisiana's Database Security Breach Notification Law

There are a few steps you should take to ensure compliance with Louisiana's data breach law, including keeping personal information secure, destroying personal information once it has fulfilled its purpose, and notifying Louisiana residents of any data breaches that may affect their personal information.

Let's take a look at each of these requirements.

Keep Personal Information Safe

You should keep the personal information you collect or use secure. There are a few different ways you can do this, including:

  • Physical measures such as installing alarm systems, locking file cabinets and storage rooms, and employing security guards
  • Technological measures such as using firewalls, encryption, and multifactor authentication
  • Administrative measures such as conducting employee trainings and ensuring that only authorized individuals have access to personal information

Whichever security measures you use, you should ensure that they are sufficient to protect the personal information you collect or use from unauthorized:

  • Access
  • Destruction
  • Use
  • Modification
  • Disclosure

Section 3074 (A) of the Database Security Breach Notification Law explains that applicable entities must keep personal information safe from unauthorized access or use:

Louisiana Database Security Breach Notification Law Section 3074 A

Painting With a Twist's Privacy Policy (a legal agreement that describes how a company collects and uses personal information) explains that it uses a third-party payment gateway that utilizes encryption hardware to protect its customers' personal information:

Painting With a Twist Privacy Policy: How We Protect Information clause

Destroy Personal Information Once it Has Fulfilled its Purpose

You should only retain personal information for as long as you need it to fulfill your purposes. Once you are finished using personal information, you should destroy it. If any third parties have access to the personal information you have collected, you should ensure that they also destroy the data.

Appropriate destruction methods depend on the format of the personal information and include:

  • Shredding
  • Erasing
  • Modifying personal information so that it is no longer readable or decipherable

Google's Privacy Policy explains its data retention policies and deletion processes:

Google Privacy Policy: Retaining Your Information clause

Section 3074 (B) of the Database Security Breach Notification Law explains that applicable entities must destroy or arrange for the destruction of any personal information that is no longer being retained:

Louisiana Database Security Breach Notification Law Section 3074 B

Notify Louisiana Residents of Data Breaches

You should notify Louisiana residents as soon as possible after the discovery of any data breaches that potentially affect their personal information.

To comply with the law, you will need to inform Louisiana residents of a data breach within 60 days of discovery of the breach. If you are unable to provide notification to Louisiana residents within 60 days, you must contact the attorney general with your reasons for the delay within those 60 days.

If law enforcement decides that the notification requirement would compromise a criminal investigation, then the notification can be delayed until the law enforcement agency says otherwise.

You can provide notification via either written or electronic methods.

You can use a substitute notification method if you can show that:

  • Notification would cost you over $100,000, or
  • You would have to notify over 100,000 people of the data breach, or
  • You don't have adequate contact information

Substitute notification methods can include email, a post on your website, and statewide media notification.

You don't have to fulfill the notification requirements if an investigation determines that the data breach didn't cause harm to any Louisiana residents. In this case, you will need to keep a written copy of the determination for five years after the date of discovery of the data breach. If you receive a request in writing from the attorney general, you will need to send a copy of the written determination to the attorney general within 30 days of receiving the request.

A data breach notification from WooCommerce describes the types of information that may have been affected by the data breach, including names, store URLs, and email addresses:

WooCommerce data breach email

Section 3074 (E-G) of the Database Security Breach Notification Law details the law's notification requirements, including notifying Louisiana residents within 60 days of discovering a data breach and complying with law enforcement agencies:

Louisiana Database Security Breach Notification Law Section 3074 E through G

What are the Penalties for Noncompliance with Louisiana's Database Security Breach Notification Law?

Violations of Louisiana's data breach law count as an unfair act or practice and are punishable under Louisiana's R.S. 51:1405 (Unfair Trade Practices and Consumer Protection Law).

Section 3075 of the Database Security Breach Notification Law says that civil action can be brought against anyone who doesn't meet the law's notification requirements:

Louisiana Database Security Breach Notification Law Section 3075

The attorney general can bring an action for injunctive relief against anyone who violates the law and request that civil penalties be imposed. If the court finds that the violation was committed with the intent to defraud, or if the violation was committed against an elderly person or a person with a disability, it can impose a penalty of up to $5,000 per violation.

Louisiana residents who lose money or property due to a violation of the law also have the right to bring private action against anyone who violates the law. An entity found in violation of the law will be responsible for paying damages, including attorney fees. Anyone found to have intentionally violated the law must pay three times the amount of actual damages.

Summary

Louisiana's Database Security Breach Notification Law requires applicable entities to keep the personal information they collect or use secure, destroy personal information once they are done using it, and provide timely notification to Louisiana residents of data breaches that could negatively affect their personal information.

Louisiana's Database Security Breach Notification Law applies to anyone who conducts business in Louisiana or owns, licenses, or maintains computerized data that includes personal information.

Entities that only collect or use personal information that is legally made publicly available via federal, state, or local government records are not required to comply with Louisiana's data breach law.

Financial institutions subject to and in compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice are considered to be in compliance with Louisiana's Database Security Breach Notification Law.

To comply with Louisiana's data breach law, applicable entities should:

  • Keep personal information safe
  • Ensure that personal information is destroyed once its purpose has been fulfilled
  • Notify Louisiana residents of data breaches that could affect their personal information

The attorney general can bring action against anyone who violates the law. Louisiana residents who have been harmed by a violation of the law can also bring private action against violators of the law. Anyone who violates the law with the intent to defraud or who commits a violation against an elderly person or a person with a disability can face civil penalties of up to $5,000 per violation.
