Louisiana 2018 Regular Session

Louisiana Senate Bill SB361 Enrolled / Bill

2018 Regular Session	ENROLLED
SENATE BILL NO. 361
BY SENATOR WALSWORTH 
1	AN ACT
2 To amend and reenact R.S. 51:3073(2) and (4)(a) and 3074, relative to the Database Security
3 Breach Notification Law; to provide for the protection of personal information; to
4 require certain security procedures and practices; to provide for notification
5 requirements; to provide relative to violations; to provide for definitions; and to
6 provide for related matters.
7 Be it enacted by the Legislature of Louisiana:
8 Section 1.  R.S. 51:3073(2) and (4)(a) and 3074 are hereby amended and reenacted
9 to read as follows:
10 §3073. Definitions
11	As used in this Chapter, the following terms shall have the following
12 meanings:
13	*          *          *
14	(2) "Breach of the security of the system" means the compromise of the
15 security, confidentiality, or integrity of computerized data that results in, or there is
16 a reasonable basis to conclude has resulted likelihood to result in, the unauthorized
17 acquisition of and access to personal information maintained by an agency or person.
18 Good faith acquisition of personal information by an employee or agent of an agency
19 or person for the purposes of the agency or person is not a breach of the security of
20 the system, provided that the personal information is not used for, or is subject to,
21 unauthorized disclosure.
22	*          *          *
23	(4)(a) "Personal information" means an individual's the first name or first
24 initial and last name of an individual resident of this state in combination with any
25 one or more of the following data elements, when the name or the data element is not
26 encrypted or redacted:
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
1	(i) Social security number.
2	(ii) Driver's license number or state identification card number.
3	(iii) Account number, credit or debit card number, in combination with any
4 required security code, access code, or password that would permit access to an
5 individual's financial account.
6	(iv) Passport number.
7	(v) Biometric data. "Biometric data" means data generated by automatic
8 measurements of an individual's biological characteristics, such as fingerprints,
9 voice print, eye retina or iris, or other unique biological characteristic that is
10 used by the owner or licensee to uniquely authenticate an individual's identity
11 when the individual accesses a system or account.
12	*          *          *
13 §3074.  Disclosure Protection of personal information; disclosure upon breach in
14	the security of personal information; notification requirements;
15	exemption
16	A. Any person that conducts business in the state or that owns or licenses
17 computerized data that includes personal information, or any agency that owns
18 or licenses computerized data that includes personal information, shall
19 implement and maintain reasonable security procedures and practices
20 appropriate to the nature of the information to protect the personal information
21 from unauthorized access, destruction, use, modification, or disclosure.
22	B. Any person that conducts business in the state or that owns or licenses
23 computerized data that includes personal information, or any agency that owns
24 or licenses computerized data that includes personal information shall take all
25 reasonable steps to destroy or arrange for the destruction of the records within
26 its custody or control containing personal information that is no longer to be
27 retained by the person or business by shredding, erasing, or otherwise
28 modifying the personal information in the records to make it unreadable or
29 undecipherable through any means.
30	C. Any person that conducts business in the state or that owns or licenses
1 computerized data that includes personal information, or any agency that owns or
2 licenses computerized data that includes personal information, shall, following
3 discovery of a breach in the security of the system containing such data, notify any
4 resident of the state whose personal information was, or is reasonably believed to
5 have been, acquired by an unauthorized person.
6	B.D. Any agency or person that maintains computerized data that includes
7 personal information that the agency or person does not own shall notify the owner
8 or licensee of the information if the personal information was, or is reasonably
9 believed to have been, acquired by an unauthorized person through a breach of
10 security of the system containing such data, following discovery by the agency or
11 person of a breach of security of the system.
12	C.E. The notification required pursuant to Subsections A and B C and D of
13 this Section shall be made in the most expedient time possible and without
14 unreasonable delay but not later than sixty days from the discovery of the
15 breach, consistent with the legitimate needs of law enforcement, as provided in
16 Subsection D F of this Section, or any measures necessary to determine the scope of
17 the breach, prevent further disclosures, and restore the reasonable integrity of the
18 data system. When notification required pursuant to Subsections C and D of this
19 Section is delayed pursuant to Subsection F of this Section or due to a
20 determination by the person or agency that measures are necessary to
21 determine the scope of the breach, prevent further disclosures, and restore the
22 reasonable integrity of the data system, the person or agency shall provide the
23 attorney general the reasons for the delay in writing within the sixty day
24 notification period provided in this Subsection. Upon receipt of the written
25 reasons, the attorney general shall allow a reasonable extension of time to
26 provide the notification required in Subsections C and D of this Section.
27	D.F.  If a law enforcement agency determines that the notification required
28 under this Section would impede a criminal investigation, such notification may be
29 delayed until such law enforcement agency determines that the notification will no
30 longer compromise such investigation.
1	E.G. Notification may be provided by one of the following methods:
2	(1) Written notification.
3	(2) Electronic notification, if the notification provided is consistent with the
4 provisions regarding electronic records and signatures set forth in 15 USC U.S.C.
5 7001.
6	(3) Substitute notification, if an agency or person demonstrates that the cost
7 of providing notification would exceed two hundred fifty one hundred thousand
8 dollars, or that the affected class of persons to be notified exceeds five one hundred
9 thousand, or the agency or person does not have sufficient contact information.
10 Substitute notification shall consist of all of the following:
11	(a) E-mail notification when the agency or person has an e-mail address for
12 the subject persons.
13	(b) Conspicuous posting of the notification on the Internet site of the agency
14 or person, if an Internet site is maintained.
15	(c) Notification to major statewide media.
16	F.H. Notwithstanding Subsection E G of this Section, an agency or person
17 that maintains a notification procedure as part of its information security policy for
18 the treatment of personal information which is otherwise consistent with the timing
19 requirements of this Section shall be deemed considered to be in compliance with
20 the notification requirements of this Section if the agency or person notifies subject
21 persons in accordance with the policy and procedure in the event of a breach of
22 security of the system.
23	G. Notification under this title is not required if after a reasonable
24 investigation the person or business determines that there is no reasonable likelihood
25 of harm to customers.
26	I. Notification as provided in this Section shall not be required if after a
27 reasonable investigation, the person or business determines that there is no
28 reasonable likelihood of harm to the residents of this state. The person or
29 business shall retain a copy of the written determination and supporting
30 documentation for five years from the date of discovery of the breach of the
1 security system. If requested in writing, the person or business shall send a copy
2 of the written determination and supporting documentation to the attorney
3 general no later than thirty days from the date of receipt of the request. The
4 provisions of R.S. 51:1404(A)(1)(c) shall apply to a written determination and
5 supporting documentation sent to the attorney general pursuant to this
6 Subsection.
7	J. A violation of a provision of this Chapter shall constitute an unfair act
8 or practice pursuant to R.S. 51:1405(A).
PRESIDENT OF THE SENATE
SPEAKER OF THE HOUSE OF REPRESENTATIVES
GOVERNOR OF THE STATE OF LOUISIANA
APPROVED:                          