Data Privacy Map - Louisiana

Highlights

Covered Entities: Individuals, businesses, and governmental entities that maintain, own, or license personal information.

Consumer Notification: Notification must be provided to any Louisiana resident whose unredacted and unencrypted personal information was accessed and acquired on an unauthorized basis that compromises the “security, confidentiality, or integrity” of that information, or there is a reasonable likelihood of the same.

Regulatory Notification: Notice must be given to the Consumer Protection Section of the Attorney General’s office, including names of all Louisiana citizens affected by the breach. Notice to the Attorney General’s office is timely if received within 10 days of notice to residents.

Notification Timeline: Notice must be made in the “most expedient time possible and without unreasonable delay” but not later than sixty days from the discovery of the breach.

Data Format: Electronic.

Citations: La. Rev. Stat. §§ 51:3071 – 3077.

More Details

Definitions:

• Breach: The unauthorized acquisition of and access to personal information, that compromises the “security, confidentiality, or integrity” of data, or there is a reasonable likelihood of the same.
• Personal Information (PI):
  • An individual's first name or first initial and last name in combination of one of the following data elements:
    • Social security number;
    • Driver's license number or state identification card number;
    • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access;
    • Passport number;
    • Biometric data.
• Medical Information: N/A
• Health Insurance Information: N/A

Safe Harbors:

• Encryption: A “breach” does not occur if the personal information was encrypted or redacted.
• Good Faith: Good-faith acquisition of personal information is not a breach if not used or subject to further unauthorized disclosure.
• Risk of Harm: Notification is not required if, after a reasonable investigation, the entity determines that there is no reasonable likelihood of harm to residents. And must retain written determination and supporting documentation of the applicable risk of harm analysis for five years.
• Law Enforcement Delay: If a law enforcement agency determines that the notification would impede a criminal investigation, such notification may be delayed until such law enforcement agency determines that the notification will no longer compromise such investigation.

Direct Notice:

• Timing: Notice must be made in the “most expedient time possible and without unreasonable delay” but not later than sixty days from the discovery of the breach.
• Format: N/A
• Content: N/A
• Method: Written notice; or electronic notice, if the notice provided is “consistent with the provisions regarding electronic records and signatures” per E-SIGN.

Substitute Notice:

If the cost of providing notification would exceed $100,000, or that the affected class of persons exceeds 100,000, or the agency or person does not have sufficient contact information substitute notice can be made in the following manner: (1) e-mail notification when the agency has e-mail addresses for the affected consumers; (2) conspicuous posting of the notice on the web page of the entity; and (3) notification to major statewide media.

Remediation Services:

N/A

Regulatory Notice:

Notice must be given to the Consumer Protection Section of the Attorney General’s office, including names of all Louisiana citizens affected by the breach. Notice to the Attorney General’s office is timely if received within 10 days of notice to residents.

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

An entity that maintains personal information that it does not own shall notify the owner or licensee of any breach as soon as reasonably practicable following discovery.

HIPAA:

N/A

Private Action:

A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach resulting in the disclosure of a person's personal information.

Associated Regulations:

• Insurance Data Security Law (La. Rev. Stat. §§ 22:2501 – 2511)

Highlights

Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Louisiana, not including a purchasing group or a risk retention group chartered and licensed in a state other than Louisiana or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for nonpublic information and the licensee’s information systems. Certain licensees may be exempt per RS 22:2509.

Consumer Notification: A licensee shall comply with the Database Security Breach Notification Law R.S. 51:3071 et seq., as applicable.

Regulatory Notification: A licensee shall notify the Commissioner of Insurance without unreasonable delay, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.

Notification Timeline: Without unreasonable delay, but no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met:

• the cybersecurity event has reasonable likelihood of materially harming either of the following:
  
  • Any consumer residing in this state; or
  • Any material part of the normal operations of the licensee; or
• A licensee reasonably believes that the nonpublic information involved is for 250 or more Louisiana consumers and that either of the following has occurred:
  
  • A cybersecurity event affecting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
  • A cybersecurity event that has a reasonable likelihood of materially harming any of the following:
    
    • Any consumer residing in this state; or
    • Any material part of the normal operations of the licensee..

Citations: La. R.S. 22:2501 to 22:2511

More Details

Definitions:

• Consumer: A natural person who is a resident of Louisiana and whose nonpublic information is in a licensee's possession, custody, or control.
• Cybersecurity Event: The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
• Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Louisiana, not including a purchasing group or a risk retention group chartered and licensed in a state other than Louisiana or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
• Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
  
  • Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with:
    
    • Social Security number;
    • Driver’s license number or nondriver identification card number;
    • Financial account number or credit or debit card number;
    • Security code, access code, or password that would permit access to a consumer’s financial account; or
    • Biometric records.
  • Any information or data, except age or gender, created by or derived from a health care provider or a consumer, that can be used to identify a consumer and relates to:
    
    • The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
    • The provision of health care to any consumer; or
    • The payment for the provision of health care to any consumer.

Regulatory Notice:

A licensee shall notify the Commissioner of Insurance without unreasonable delay, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:

• Louisiana is the state of domicile of the licensee, in the case of an insurer, or the home state of the licensee, in the case of a producer, as those terms are defined in R.S. 22:1542, 1661, or 1692, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing Louisiana or any material part of licensee’s operations.
• The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing Louisiana and the cybersecurity event is either:
  
  • A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law, or
  • A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Louisiana or a material part of licensee’s operations.

Content Requirements:

When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:

• The date of the cybersecurity event.
• A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
• How the cybersecurity event was discovered.
• Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
• The identity of the source of the cybersecurity event.
• Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
• A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
• The period during which the information system was compromised by the cybersecurity event.
• The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
• The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
• A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
• A copy of the privacy policy of the licensee and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
• The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

Third-Party Notice Requirements:

If a licensee discovers that a cybersecurity incident in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Commissioner of Insurance unless the third-party service provider provides the notice. The computation of the licensee's deadlines shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever occurs first.

Penalties:

The commissioner may, in accordance with R.S. 49:961, refuse to renew, or may suspend, or revoke the certificate of authority or license of any insurer, person, or entity violating any of the provisions of this Code, or levy a fine not to exceed $1,000 for each violation up to $100,000 aggregate for all violations in a calendar year.

Associated Regulations:

N/A

Highlights

Covered Entities: Any individual, corporation, partnership, sole proprietorship, joint stock company, join venture, or any other legal entity (“entity”) that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information.

First Party Security Standard: Any entity that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure

Third Party Security Standard: N/A

Disposal/Destruction Standard: Any entity that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information shall take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

Data Format: Electronic and Paper.

Citations: La. R.S. §§ 51:3073 to 51:3075

More Details

Definitions:

• Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following unencrypted data elements:
  
  • Social Security number;
  • Driver’s license number or state identification card number;
  • Account number, credit or debit card number, in combination with any required security code, access code, or password to permit access to an individual’s financial account;
  • Passport number; or
  • Biometric data.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Methods of Compliance:

The statute does not define what constitutes “reasonable security procedures and practices …”

Exclusions:

N/A

Enforcement/Penalties:

A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information.

Associated Regulations:

N/A