SLS 18RS-605 ORIGINAL
2018 Regular Session
SENATE BILL NO. 361
BY SENATOR WALSWORTH
ATTORNEY GENERAL. Provides relative to the protection of computerized data that
contains personal information and requires notification of data breaches. (8/1/18)
1 AN ACT
2 To amend and reenact R.S. 51:3073(4)(a) and 3074, relative to the Database Security Breach
3 Notification Law; to provide for the protection of personal information; to require
4 certain security procedures and practices; to provide for notification requirements;
5 to provide relative to violations; to provide for definitions; and to provide for related
6 matters.
7 Be it enacted by the Legislature of Louisiana:
8 Section 1. R.S. 51:3073(4)(a) and 3074 are hereby amended and reenacted to read
9 as follows:
10 §3073. Definitions
11 As used in this Chapter, the following terms shall have the following
12 meanings:
13 * * *
14 (4)(a) "Personal information" means an individual's first name or first initial
15 and last name in combination with any one or more of the following data elements,
16 when the name or the data element is not encrypted or redacted:
17 (i) Social security number.
Page 1 of 5
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 361
SLS 18RS-605 ORIGINAL
1 (ii) Driver's license number or state identification card.
2 (iii) Account number, credit or debit card number, in combination with any
3 required security code, access code, or password that would permit access to an
4 individual's financial account.
5 (iv) Passport number.
6 (v) Biometric data.
7 * * *
8 §3074. Disclosure Protection of personal information; disclosure upon breach in
9 the security of personal information; notification requirements;
10 exemption
11 A. Any person that conducts business in the state or that owns or
12 licenses computerized data that includes personal information, or any agency
13 that owns or licenses computerized data that includes personal information,
14 shall implement and maintain reasonable security procedures and practices
15 appropriate to the nature of the information to protect the personal information
16 from unauthorized access, destruction, use, modification, or disclosure.
17 B. Any person that conducts business in the state or that owns or
18 licenses computerized data that includes personal information, or any agency
19 that owns or licenses computerized data that includes personal information
20 shall take all reasonable steps to destroy or arrange for the destruction of the
21 records within its custody or control containing personal information that is no
22 longer to be retained by the person or business by shredding, erasing, or
23 otherwise modifying the personal information in the records to make it
24 unreadable or undecipherable though any means.
25 C. Any person that conducts business in the state or that owns or licenses
26 computerized data that includes personal information, or any agency that owns or
27 licenses computerized data that includes personal information, shall, following
28 discovery of a breach in the security of the system containing such data, notify any
29 resident of the state whose personal information was, or is reasonably believed to
Page 2 of 5
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 361
SLS 18RS-605 ORIGINAL
1 have been, acquired by an unauthorized person.
2 B.D. Any agency or person that maintains computerized data that includes
3 personal information that the agency or person does not own shall notify the owner
4 or licensee of the information if the personal information was, or is reasonably
5 believed to have been, acquired by an unauthorized person through a breach of
6 security of the system containing such data, following discovery by the agency or
7 person of a breach of security of the system.
8 C.E. The notification required pursuant to Subsections A and B C and D of
9 this Section shall be made in the most expedient time possible and without
10 unreasonable delay but not later than forty-five days, consistent with the legitimate
11 needs of law enforcement, as provided in Subsection D F of this Section, or any
12 measures necessary to determine the scope of the breach, prevent further disclosures,
13 and restore the reasonable integrity of the data system.
14 D.F. If a law enforcement agency determines that the notification required
15 under this Section would impede a criminal investigation, such notification may be
16 delayed until such law enforcement agency determines that the notification will no
17 longer compromise such investigation.
18 E.G. Notification may be provided by one of the following methods:
19 (1) Written notification.
20 (2) Electronic notification, if the notification provided is consistent with the
21 provisions regarding electronic records and signatures set forth in 15 USC 7001.
22 (3) Substitute notification, if an agency or person demonstrates that the cost
23 of providing notification would exceed two hundred fifty thousand dollars, or that
24 the affected class of persons to be notified exceeds five hundred thousand, or the
25 agency or person does not have sufficient contact information. Substitute notification
26 shall consist of all of the following:
27 (a) E-mail notification when the agency or person has an e-mail address for
28 the subject persons.
29 (b) Conspicuous posting of the notification on the Internet site of the agency
Page 3 of 5
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 361
SLS 18RS-605 ORIGINAL
1 or person, if an Internet site is maintained.
2 (c) Notification to major statewide media.
3 F.H. Notwithstanding Subsection E G of this Section, an agency or person
4 that maintains a notification procedure as part of its information security policy for
5 the treatment of personal information which is otherwise consistent with the timing
6 requirements of this Section shall be deemed to be in compliance with the
7 notification requirements of this Section if the agency or person notifies subject
8 persons in accordance with the policy and procedure in the event of a breach of
9 security of the system.
10 G. Notification under this title is not required if after a reasonable
11 investigation the person or business determines that there is no reasonable likelihood
12 of harm to customers.
13 I. Violations of any of the provisions of this Chapter shall constitute an
14 unfair practice under R.S. 51:1405(A).
The original instrument and the following digest, which constitutes no part
of the legislative instrument, were prepared by Curry Lann.
DIGEST
SB 361 Original 2018 Regular Session Walsworth
Present law defines "personal information" as an individual's first name or first initial and
last name in combination with any one or more of the following data elements, when the
name or the data element is not encrypted or redacted:
(1) Social security number.
(2) Driver's license number.
(3)Account number, credit or debit card number, in combination with any required
security code, access code, or password that would permit access to an individual's
financial account.
Proposed law defines "personal information" as an individual's first name or first initial and
last name in combination with any one or more of the following data elements, when the
name or the data element is not encrypted or redacted:
(1) Social security number.
(2) Driver's license number or state identification card.
(3) Account number, credit or debit card number, in combination with any required
security code, access code, or password that would permit access to an individual's
financial account.
Page 4 of 5
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 361
SLS 18RS-605 ORIGINAL
(4)Passport number.
(5)Biometric data.
Proposed law requires any person that conducts business in the state or that owns or licenses
computerized data that includes personal information, or any agency that owns or licenses
computerized data that includes personal information, to implement and maintain reasonable
security procedures and practices appropriate to the nature of the information to protect the
personal information from unauthorized access, destruction, use, modification, or disclosure.
Proposed law requires any person that conducts business in the state or that owns or licenses
computerized data that includes personal information, or any agency that owns or licenses
computerized data that includes personal information to take all reasonable steps to destroy
or arrange for the destruction of the records within its custody or control containing personal
information that is no longer to be retained by the person or business by shredding, erasing,
or otherwise modifying the personal information in the records to make it unreadable or
undecipherable through any means.
Present law requires notification to be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law enforcement, or any
measures necessary to determine the scope of the breach, prevent further disclosures, and
restore the reasonable integrity of the data system.
Proposed law retains present law and further requires that notification be made within 45
days.
Present law provides that notification is not required if after a reasonable investigation the
person or business determines that there is no reasonable likelihood of harm to customers.
Proposed law repeals present law.
Present law (R.S. 51:1405(A)) declares unfair methods of competition and unfair or
deceptive acts or practices in the conduct of any trade or commerce unlawful.
Proposed law retains present law and provides that violations of the Database Security
Breach Notification Law constitute an unfair practice under R.S. 51:1405(A).
Effective August 1, 2018.
(Amends R.S. 51:3073(4)(a) and 3074)
Page 5 of 5
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.