SLS 14RS-227 ORIGINAL Page 1 of 4
Coding: Words which are struck through are deletions from existing law; words in boldface type and underscored are additions.

Regular Session, 2014

SENATE BILL NO. 176

BY SENATOR MORRELL

COMMERCIAL REGULATIONS. Provides relative to the Database Security Breach Notification Law. (8/1/14)

AN ACT

To enact R.S. 51:3078, relative to the Database Security Breach Notification Law; to provide for definitions; to provide for storage of certain information; to provide for damages; to provide for terms, conditions, and procedures; and to provide for related matters.

Be it enacted by the Legislature of Louisiana:

Section 1. R.S. 51:3078 is hereby enacted to read as follows:

§3078. Access devices; retention prohibited

A. As used in this Section, the terms shall have the following meanings:

(1) "Access device" means a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information. It includes but is not limited to a credit card, debit card, or stored value card.

(2) "Financial institution" means any person organized to engage in the business of banking pursuant to the laws of the United States or any person organized to engage in the business of banking pursuant to Title VI of the Louisiana Revised Statutes of 1950.

(3) "Magnetic stripe data" means the data contained in the magnetic stripe of an access device.

(4) "Microprocessor chip data" means the data contained in the microprocessor chip of an access device.

(5) "Service provider" means a person or entity that stores, processes, or transmits access device data on behalf of another person or entity.

B. No person conducting business in Louisiana that accepts an access device in connection with a transaction shall retain personal information or the full contents of any track of magnetic stripe data for more than forty-five days after authorization of the transaction. In addition, a person is in violation of this Section if its service provider retains such data more than forty-five days after authorization of the transaction.

C. Any person who violates the provisions of Subsection B of this Section shall reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders, including but not limited to any costs incurred in connection with the following:

(1) The cancellation or reissuance of any access device affected by the breach.

(2) The closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts.

(3) The opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach.

(4) Any refund or credit made to an access device holder to cover the cost of any unauthorized transaction related to the breach.

(5) The notification of access device holders affected by the breach.

D. In addition to any other right or remedy otherwise authorized by law, the financial institution and access device holder shall be entitled to recover damages for costs incurred by a breach of the security of the system of a person who has violated the provisions of this Section. Costs shall not include any amounts recovered from a credit card company by a financial institution or amounts recovered from a credit card company or financial institution by an access device holder.

The original instrument and the following digest, which constitutes no part of the legislative instrument, were prepared by Michelle Ducharme.

DIGEST

Morrell (SB 176)

Present law provides relative to the Database Security Breach Notification Law.

Present law provides for definitions.

Proposed law adds the following definitions:

(1) "Access device" means a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information, and includes but is not limited to a credit card, debit card, or stored value card.

(2) "Financial institution" means any person organized to engage in the business of banking pursuant to the laws of the United States or any person organized to engage in the business of banking pursuant to La. law.

(3) "Magnetic stripe data" means the data contained in the magnetic stripe of an access device.

(4) "Microprocessor chip data" means the data contained in the microprocessor chip of an access device.

(5) "Service provider" means a person or entity that stores, processes, or transmits access device data on behalf of another person or entity.

Proposed law provides that no person conducting business in Louisiana that accepts an access device in connection with a transaction shall retain personal information or the full contents of any track of magnetic stripe data for more than 45 days after authorization of the transaction. In addition, a person is in violation of proposed law if its service provider retains such data more than 45 days after authorization of the transaction.

Proposed law provides that any person who violates the provisions of proposed law shall reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders, including but not limited to any costs incurred in connection with the following:

(1) The cancellation or reissuance of any access device affected by the breach.

(2) The closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts.

(3) The opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach.

(4) Any refund or credit made to an access device holder to cover the cost of any unauthorized transaction related to the breach.

(5) The notification of access device holders affected by the breach.

Proposed law provides that in addition to any other right or remedy otherwise authorized by law, the financial institution and access device holder shall be entitled to recover costs for damages incurred by a breach of the security of the system of a person who has violated the provisions of proposed law.

Proposed law also provides that costs do not include any amounts recovered from a credit card company by a financial institution or amounts recovered from a credit card company or financial institution by an access device holder.

Effective August 1, 2014.

(Adds R.S. 51:3078)