The original instrument and the following digest, which constitutes no part of the legislative instrument, were prepared by Michelle Ducharme.

DIGEST

Morrell (SB 176)

Present law provides relative to the Database Security Breach Notification Law.

Present law provides for definitions.

Proposed law adds the following definitions:

(1) "Access device" means a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information, and includes but is not limited to a credit card, debit card, or stored value card.

(2) "Financial institution" means any person organized to engage in the business of banking pursuant to the laws of the United States or any person organized to engage in the business of banking pursuant to La. law.

(3) "Magnetic stripe data" means the data contained in the magnetic stripe of an access device.

(4) "Microprocessor chip data" means the data contained in the microprocessor chip of an access device.

(5) "Service provider" means a person or entity that stores, processes, or transmits access device data on behalf of another person or entity.

Proposed law provides that no person conducting business in Louisiana that accepts an access device in connection with a transaction shall retain personal information or the full contents of any track of magnetic stripe data for more than 45 days after authorization of the transaction. In addition, a person is in violation of proposed law if its service provider retains such data more than 45 days after authorization of the transaction.

Proposed law provides that any person who violates the provisions of proposed law shall reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders, including but not limited to any costs incurred in connection with the following:

(1) The cancellation or reissuance of any access device affected by the breach.

(2) The closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts.

(3) The opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach.

(4) Any refund or credit made to an access device holder to cover the cost of any unauthorized transaction related to the breach.

(5) The notification of access device holders affected by the breach.

Proposed law provides that in addition to any other right or remedy otherwise authorized by law, the financial institution and access device holder shall be entitled to recover costs for damages incurred by a breach of the security of the system of a person who has violated the provisions of proposed law.

Proposed law also provides that costs do not include any amounts recovered from a credit card company by a financial institution or amounts recovered from a credit card company or financial institution by an access device holder.

Effective August 1, 2014.

(Adds R.S. 51:3078)