Louisiana 2018 Regular Session

Louisiana Senate Bill SB361 Comm Sub / Analysis

                    RDCSB361 3264 3329
DIGEST
The digest printed below was prepared by House Legislative Services.  It constitutes no part
of the legislative instrument.  The keyword, one-liner, abstract, and digest do not constitute
part of the law or proof or indicia of legislative intent.  [R.S. 1:13(B) and 24:177(E)]
SB 361 Reengrossed 2018 Regular Session	Walsworth
Present law defines "breach of security of the system" as the compromise of the security,
confidentiality, or integrity of computerized data that results in, or there is a reasonable basis
to conclude has resulted in, the unauthorized acquisition of and access to personal
information maintained by an agency or person.
Proposed law defines "breach of the security system" as the compromise of the security,
confidentiality, or integrity of computerized data that results in, or there is a reasonable
likelihood to result in, the unauthorized acquisition of and access to personal information
maintained by an agency or person.
Present law defines "personal information" as an individual's first name or first initial and
last name in combination with any one or more of the following data elements, when the
name or the data element is not encrypted or redacted:
(1) Social security number.
(2) Driver's license number.
(3) Account number, credit or debit card number, in combination with any required
security code, access code, or password that would permit access to an individual's
financial account.
Proposed law defines "personal information" as the first name or first initial and last name
of an individual resident of this state in combination with any one or more of the following
data elements, when the name or the data element is not encrypted or redacted:
(1) Social security number.
(2) Driver's license number or state identification card.
(3) Account number, credit or debit card number, in combination with any required
security code, access code, or password that would permit access to an individual's
financial account.
(4) Passport number.
(5) Biometric data.
Proposed law defines "biometric data" as data generated by automatic measurements of an
individual's biological characteristics, such as fingerprints, voice print, eye retina or iris, or
other unique biological characteristic that is used by the owner or licensee to uniquely
authenticate an individual's identity when the individual accesses a system or account.
Proposed law requires any person that conducts business in the state or owns or licenses
computerized data that includes personal information, or any agency that owns or licenses
computerized data that includes personal information, to implement and maintain reasonable
security procedures and practices appropriate to the nature of the information to protect the
personal information from unauthorized access, destruction, use, modification, or disclosure.
Proposed law requires any person that conducts business in the state or that owns or licenses
computerized data that includes personal information, or any agency that owns or licenses
computerized data that includes personal information to take all reasonable steps to destroy
or arrange for the destruction of the records within its custody or control containing personal
information that is no longer to be retained by the person or business by shredding, erasing,
or otherwise modifying the personal information in the records to make it unreadable or
undecipherable through any means.
Present law requires any person that conducts business in the state or that owns or licenses
computerized data that includes personal information, or any agency that owns or licenses
computerized data that includes personal information, to notify any resident of the state
whose personal information was, or is reasonably believed to have been, acquired by an
unauthorized person.
Proposed law deletes the requirement of present law pertaining to persons conducting
business in the state.  Otherwise retains present law.    
Present law requires notification to be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law enforcement, or any
measures necessary to determine the scope of the breach, prevent further disclosures, and
restore the reasonable integrity of the data system.
Proposed law retains present law and further requires that notification be made within 60
days of the discovery of the breach. Further provides that when notification is delayed the
person or agency shall provide the attorney general with the reasons for the delay in writing
within the 60-day period to receive an extension of time.
Present law provides that notification may be provided by substitute notification if the
person or agency demonstrates that the cost of notification would exceed $250,000 or that
the affected class of persons exceeds 500,000, or the agency or person does not have
sufficient contact information.
Proposed law provides that notification may be provided by substitute notification if the
person or agency demonstrates that the cost of notification would exceed $150,000 or that
the affected class of persons exceeds 100,000, or the agency or person does not have
sufficient contact information.
Proposed law provides that notification shall not be required if after a reasonable
investigation, the person or business determines that there is no reasonable likelihood of
harm to the residents of this state. Further, the person or business shall retain a copy of the
written determination and supporting documentation for five years from the date of
discovery of the breach of the security system. 
Proposed law provides that, if requested in writing, the person or business shall send a copy
of the written determination and supporting documentation to the attorney general no later
than thirty days from the date of receipt of the request.
Present law (R.S. 51:1405(A)) declares unfair methods of competition and unfair or
deceptive acts or practices in the conduct of any trade or commerce unlawful.
Proposed law retains present law and provides that violations of the Database Security
Breach Notification Law constitute an unfair practice under R.S. 51:1405(A).
Effective August 1, 2018.
(Amends R.S. 51:3073(2) and (4)(a) and 3074)
Summary of Amendments Adopted by Senate
Committee Amendments Proposed by Senate Committee on Judiciary B to the
original bill
1. Makes changes to the definition of "breach of the security of the system".
2. Clarifies that the definition of "personal information" applies to an individual
resident of this state.
3. Defines "biometric data".
4. Changes the notification period for a breach from no later than 45 days to no
later than 60 days from the discovery of the breach.
5. Requires a person or agency to notify the attorney general in writing if the
required notification is delayed.
6. Decreases the cost that allows for substitute notification from the cost of
notification would exceed $250,000 to the cost of notification would exceed
$100,000.
7. Decreases the amount of persons in the affected class that allows for
substitute notification from more than 500,000 to more than 100,000.
8. Adds present law originally deleted that provides notification is not required
if there is no reasonable likelihood of harm to residents.
Senate Floor Amendments to engrossed bill
1. Legislative Bureau technical amendments.
Summary of Amendments Adopted by House
The Committee Amendments Proposed by House Committee on Commerce to the
reengrossed bill:
1. Delete present law requiring persons conducting business in the state to notify
any resident of the state whose personal information was, or is reasonably
believed to have been, acquired by an unauthorized person. 