SLS 19RS-68 ORIGINAL
2019 Regular Session
SENATE BILL NO. 46
BY SENATOR PEACOCK
Prefiled pursuant to Article III, Section 2(A)(4)(b)(i) of the Constitution of Louisiana.
INTERNET. Enacts the Louisiana Cybersecurity Information Sharing Act. (8/1/19)
1 AN ACT
2 To enact Chapter 31 of Title 51 of the Louisiana Revised Statutes of 1950, to be comprised
3 of R.S. 51:2101 through 2109, relative to cybersecurity; to authorize private entities
4 to monitor, share, and receive certain information relative to cyber threats; to
5 authorize certain defensive measures; to provide relative to certain security and
6 information controls; to provide for definitions; to provide for immunity; to provide
7 for public records exemptions; and for confidentiality of certain information; to
8 provide for annual reporting of certain information by state entities; to provide for
9 certain terms, conditions, and procedures; and to provide for related matters.
10 Be it enacted by the Legislature of Louisiana:
11 Section 1. Chapter 31 of Title 51 of the Louisiana Revised Statutes of 1950,
12 comprised of R.S. 51:2101 through 2109, is hereby enacted to read as follows:
13 CHAPTER 31. LOUISIANA CYBERSECURITY INFORMATION SHARING ACT
14 §2101. Short title
15 This Chapter shall be known and may be cited as the "Louisiana
16 Cybersecurity Information Sharing Act".
17 §2102. Definitions
Page 1 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 As used in this Chapter, the following words shall have the meaning
2 ascribed to them in this Section, unless the text clearly indicates otherwise:
3 (1) "Appropriate entity" means any of the following:
4 (a) Office of attorney general, Department of Justice.
5 (b) The Louisiana State Analytical and Fusion Exchange, office of state
6 police, Department of Public Safety and Corrections.
7 (c) The Governor's Office of Homeland Security and Emergency
8 Preparedness.
9 (d) An appropriate federal entity as defined in 6 U.S.C.A. §1501(3).
10 (2) "Cybersecurity purpose" means the purpose of protecting an
11 information system or information that is stored on, processed by, or passed
12 through an information system from a cybersecurity threat or security
13 vulnerability.
14 (3) "Cybersecurity threat" means an action on or through an
15 information system that may result in an unauthorized effort to adversely
16 impact the security, availability, confidentiality, or integrity of an information
17 system or information that is stored on, processed by, or passed through an
18 information system. A "cybersecurity threat" does not include an action that
19 solely involves a violation of a consumer term of service or a consumer licensing
20 agreement.
21 (4) "Cyber threat indicator" means information that is necessary to
22 describe or identify any of the following:
23 (a) A malicious reconnaissance, including anomalous patterns of
24 communications that appear to be transmitted for the purpose of gathering
25 technical information related to a cybersecurity threat or security vulnerability.
26 (b) A method of defeating a security control or exploitation of a security
27 vulnerability.
28 (c) A security vulnerability, including anomalous activity that appears
29 to indicate the existence of a security vulnerability.
Page 2 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 (d) A method of causing a user with legitimate access to an information
2 system, or to information that is stored on, processed by, or passed through an
3 information system, to unwittingly enable the defeat of a security control or
4 exploitation of a security vulnerability.
5 (e) A malicious cyber command and control.
6 (f) An actual or potential harm caused by an incident, including a
7 description of the information exfiltrated as a result of a particular
8 cycbersecurity threat.
9 (g) Any other attribute of a cybersecurity threat, if disclosure of such
10 attribute is not otherwise prohibited by law.
11 (5) "Defensive measure" means an action, device, procedure, signature,
12 technique, or other measure applied to an information system, or to information
13 that is stored on, processed by, or passed through an information system that
14 detects, prevents, or mitigates a known or suspected cybersecurity threat or
15 security vulnerability. A defensive measure shall not include a measure that
16 destroys, renders unusable, provides unauthorized access to, or substantially
17 harms an information system or information stored on, processed by, or passed
18 through such information system not owned by the entity operating the measure
19 or the entity that is authorized to provide consent and has provided consent to
20 that private entity for operation of such measure.
21 (6) "Information system" includes but is not limited to a computer,
22 computer server, computer program, computer service, computer software,
23 internet-connected device, or computer system. An information system shall
24 also include industrial control systems, such as supervisory control and data
25 acquisition systems, distributed control systems, and programmable logic
26 controllers that store, process, or transmit information.
27 (7) "Federal entity" means a department or agency of the United States
28 or any component of such department or agency.
29 (8) "Malicious cyber command and control" means a method for
Page 3 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 unauthorized, remote identification of, access to, or use of an information
2 system or information that is stored on, processed by, or passed through an
3 information system.
4 (9) "Malicious reconnaissance" means a method for actively probing or
5 passively monitoring an information system for the purpose of discerning
6 security vulnerabilities of the information system, if such method is associated
7 with a known or suspected cybersecurity threat.
8 (10) "Monitor" means to acquire, identify, or scan, or to possess
9 information that is stored on, processed by, or passed through an information
10 system.
11 (11) "Private entity" means any citizen of the United States or private
12 group, organization, proprietorship, partnership, trust, cooperative,
13 corporation, or other commercial or nonprofit entity domiciled in the United
14 States of America, including an officer, employee, or agent thereof. "Private
15 entity" does not include any foreign entities, such as governments, nations, or
16 political organizations.
17 (12) "Security control" means the management, operational, and
18 technical controls used to protect against an unauthorized effort to adversely
19 affect the confidentiality, integrity, and availability of an information system or
20 its information.
21 (13) "Security vulnerability" means any attribute of hardware,
22 software, process, or procedure that may enable or facilitate the defeat of a
23 security control.
24 (14) "State entity" means the state, a political subdivision of the state,
25 and any officer, agency, board, commission, department or similar body of the
26 state or any political subdivision of the state.
27 §2103. Authorizations for preventing, detecting, analyzing, and mitigating
28 cybersecurity threats; private entities
29 A. Notwithstanding any provision of law to the contrary, a private entity
Page 4 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 may, for a cybersecurity purpose, monitor the following:
2 (1) An information system of the private entity.
3 (2) An information system of another private entity, upon the
4 authorization and written consent of such other entity.
5 (3) An information system of a federal or state entity, upon the
6 authorization and written consent of an authorized representative of the federal
7 or state entity.
8 (4) Information that is stored on, processed by, or passed through an
9 information system monitored by the private entity.
10 B. Notwithstanding any provision of law to the contrary, a private entity
11 may, for a cybersecurity purpose, operate a defensive measure that is applied
12 to the following:
13 (1) An information system of the private entity in order to protect the
14 rights or property of the private entity.
15 (2) An information system of another private entity, upon written
16 consent of such entity for operation of such defensive measure to protect the
17 rights or property of such entity.
18 (3) An information system of a federal or state entity, upon written
19 consent of an authorized representative of such federal or state entity for
20 operation of such defensive measure to protect the rights or property of the
21 federal or state government.
22 C.(1) Except as provided in Paragraph (2) of this Subsection and
23 notwithstanding any other provision of law to the contrary, a private entity
24 may, for a cybersecurity purpose and consistent with the protection of classified
25 information, share with, or receive from, another private entity or a federal or
26 state entity a cyber threat indicator or defensive measure.
27 (2) A private entity receiving a cyber threat indicator or defensive
28 measure from another private entity or a federal or state entity shall comply
29 with any lawful restriction placed on the sharing or use of such cyber threat
Page 5 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 indicator or defensive measure by the sharing entity.
2 D.(1) A private entity monitoring an information system, operating a
3 defensive measure, or providing or receiving a cyber threat indicator or
4 defensive measure pursuant to this Section shall implement and utilize a
5 security control to protect against unauthorized access to or acquisition of such
6 cyber threat indicator or defensive measure.
7 (2) Prior to sharing a cyber threat indicator or defensive measure, a
8 private entity shall either:
9 (a) Review the cyber threat indicator to assess whether such indicator
10 contains any information not directly related to a cybersecurity threat that the
11 private entity knows at the time of sharing to be personal information of a
12 specific individual or information that identifies a specific individual and
13 remove such personal information. For the purposes of this Chapter, "personal
14 information" shall not include publicly available information that is lawfully
15 made available to the general public from federal, state, or local government
16 records.
17 (b) Implement and utilize a technical capability configured to remove
18 any information not directly related to a cybersecurity threat that the private
19 entity knows at the time of sharing to be personal information of a specific
20 individual or information that identifies a specific individual.
21 (3)(a) A cyber threat indicator or defensive measure shared or received
22 pursuant to the provisions of this Section may, for a cybersecurity purpose, be
23 used by a private entity to monitor or operate a defensive measure that is
24 applied to an information system of the private entity or an information system
25 of another private entity or a federal or state entity, provided such other private
26 entity or a such federal or state entity has given its written consent.
27 (b) A cyber threat indicator or defensive measure shared or received
28 pursuant to the provisions of this Section may, for a cybersecurity purpose, be
29 used, retained, and further shared by a private entity subject to a lawful
Page 6 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 restriction placed by the sharing private entity or federal or state entity on such
2 cyber threat indicator or defensive measure or an otherwise applicable
3 provision of law.
4 (4)(a) A state entity that receives a cyber threat indicator or defensive
5 measure pursuant to the provisions of this Section may use such cyber threat
6 indicator or defensive measure in accordance with the provisions of R.S.
7 51:2104.
8 (b) A cyber threat indicator or defensive measure shared by a state
9 entity with an appropriate entity shall be deemed voluntarily shared
10 information and exempt from disclosure under the Public Records Law, R.S.
11 44:1 et seq.
12 E. The sharing of a cyber threat indicator or defensive measure with a
13 private entity shall not create a right or benefit to similar information from that
14 private entity.
15 §2104. Sharing of a cyber threat indicator and defensive measure with an
16 appropriate entity
17 A.(1) A private entity may, for a cybersecurity purpose and consistent
18 with the protection of classified information, share a cyber threat indicator or
19 defensive measure with an appropriate entity through the transmission of an
20 email to such entity.
21 (2) In sharing a cyber threat indicator or defensive measure with an
22 appropriate entity, the private entity shall:
23 (a) Take reasonable measures to remove or limit the receipt, retention,
24 use, and dissemination of a cyber threat indicator containing personal
25 information from the information shared with the appropriate entity, provided
26 that the personal information is not critical to the appropriate entity's response
27 or ability to mitigate a cyber threat indicator.
28 (b) Include requirements to safeguard a cyber threat indicator
29 containing personal information of specific individuals or information that
Page 7 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 identifies specific individuals from unauthorized access or acquisition, including
2 appropriate sanctions for activities by officers, employees, or agents of the
3 federal or state government.
4 (c) Protect to the greatest extent practicable, the confidentiality of a
5 cyber threat indicator containing personal information of specific individuals
6 or information that identifies specific individuals and requires recipients to be
7 informed that such indicator may only be used for purposes authorized by this
8 Chapter.
9 (3) Nothing in this Chapter shall be construed to relieve a person from
10 compliance with the Database Security Breach Notification Law, R. S. 51:3072
11 et seq.
12 (4)(a) A cyber threat indicator and defensive measure shared with an
13 appropriate entity shall not constitute a waiver of any applicable privilege or
14 protection provided by law, including trade secret protection.
15 (b) A cyber threat indicator or defensive measure provided by a private
16 entity to an appropriate entity shall be considered the commercial, financial,
17 and proprietary information of the private entity when designated by the
18 originating private entity or a third party acting in accordance with the written
19 authorization of the originating private entity.
20 (c) A cyber threat indicator or defensive measure shared with an
21 appropriate entity shall be deemed voluntarily shared information and exempt
22 from disclosure under the Public Records Law, R.S. 44:1 et seq.
23 (d) A cyber threat indicator and defensive measure provided to an
24 appropriate entity may be disclosed to, retained by, and used by, consistent with
25 applicable provisions of law, any federal or state entity solely for the following
26 purposes:
27 (i) A cybersecurity purpose.
28 (ii) Identifying a cybersecurity threat, including the source of such
29 threat or a security vulnerability.
Page 8 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 (iii) Responding to, or otherwise mitigating, a specific threat of death,
2 a specific threat of serious bodily harm, or a specific threat of serious economic
3 harm, including a terrorist act or a use of a weapon of mass destruction.
4 (iv) Responding to, investigating, prosecuting, or otherwise preventing
5 or mitigating, a serious threat to a minor, including sexual exploitation and
6 threats to physical safety.
7 (v) Preventing, investigating, disrupting, or prosecuting an offense
8 arising out of a threat as provided in Item (iii) of this Subparagraph.
9 B. A cyber threat indicator and defensive measure shared with an
10 appropriate entity shall not be disclosed to, retained by, or used by any federal
11 or state entity for any use not permitted under Subsection A of this Section.
12 C. A cyber threat indicator or defensive measure provided to an
13 appropriate entity shall be retained, used, and disseminated by the federal or
14 state government as follows:
15 (1) In a manner consistent with Subsection A of this Section.
16 (2) In a manner that protects from unauthorized use or disclosure any
17 cyber threat indicator that may contain personal information of a specific
18 individual or information that identifies a specific individual.
19 (3) In a manner that protects the confidentiality of any cyber threat
20 indicator containing information of a specific individual or information that
21 identifies a specific individual.
22 §2105. Protection from liability; private entities
23 There shall be no cause of action against any private entity for the
24 monitoring of an information system or information stored on, processed by, or
25 passed through such information system, or for the sharing or receipt of a cyber
26 threat indicator or defensive measure with another private entity, a federal or
27 state entity, or an appropriate entity, if such monitoring, sharing, or receipt is
28 conducted in accordance with the provisions of this Chapter.
29 §2106. State regulatory authority
Page 9 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 A cyber threat indicator or defensive measure shared in accordance with
2 the provisions of this Chapter with a state entity or an appropriate entity shall
3 not be used by any state entity to regulate, including any enforcement action,
4 the lawful activity of any private entity or any activity taken by a private entity
5 pursuant to mandatory standards, including an activity relating to monitoring,
6 operating a defensive measure, or sharing of a cyber threat indicator. However,
7 a shared cyber threat indicator or defensive measure may be used in the
8 development or implementation of a regulation relating to such information
9 systems.
10 §2107. Antitrust immunity; exception
11 A. It shall not be considered a violation of state antitrust laws for two or
12 more private entities to exchange or provide, for a cybersecurity purpose, a
13 cyber threat indicator or defensive measure or assistance relating to the
14 prevention, investigation, or mitigation of a cybersecurity threat. The
15 provisions of this Paragraph shall apply only to information that is exchanged,
16 or assistance provided, in order to assist with either of the following:
17 (1) Facilitating the prevention, investigation, or mitigation of a
18 cybersecurity threat to an information system or to information that is stored
19 on, processed by, or passed through an information system.
20 (2) Communicating or disclosing a cyber threat indicator to help
21 prevent, investigate, or mitigate the effect of a cybersecurity threat to an
22 information system or to information that is stored on, processed by, or passed
23 through an information system.
24 B. Nothing in this Section shall authorize price-fixing, allocating a
25 market between competitors, monopolizing or attempting to monopolize a
26 market, boycotting, or exchanges of price or cost information, customer lists,
27 or information regarding future competitive planning.
28 §2108. Annual report; state agencies
29 A. On or before March first of each year, a state entity that receives
Page 10 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
1 information concerning a cyber threat indicator or defensive measure during
2 the preceding calendar year shall submit to the governor an annual report
3 containing a statistical summary of the following:
4 (1) Entities or types of industries that shared information with the state
5 entity.
6 (2) Cyber threat indicators and defensive measures shared with the state
7 entity.
8 B. The annual report shall be subject to the Public Records Law, R.S.
9 44:1 et seq.
10 §2109. Rulemaking authority
11 The Department of Corrections, office of state police, may, in accordance
12 with the Administrative Procedure Act, adopt all rules necessary to implement
13 the provisions of this Chapter.
The original instrument and the following digest, which constitutes no part
of the legislative instrument, were prepared by Michelle Ridge.
DIGEST
SB 46 Original 2019 Regular Session Peacock
Proposed law creates the Louisiana Cybersecurity Information Sharing Act
(Act).
Proposed law defines "appropriate entity", "cybersecurity purpose", "cybersecurity threat",
"cyber threat indicator", "defensive measure", "information system", "federal entity",
"malicious cyber command and control", "malicious reconnaissance", "monitor", "private
entity", "security control", "security vulnerability", and "state entity".
Proposed law provides that a private entity may, for a cybersecurity purpose, monitor certain
information systems and information that are stored on, processed by, or passed through
certain information systems.
Proposed law provides that a private entity may, for a cybersecurity purpose, operate a
defensive measure on certain information systems.
Proposed law authorizes a private entity, for a cybersecurity purpose and consistent with the
protection of classified information, to share or receive a cyber security threat indicator or
defensive measure with certain entities.
Proposed law requires a private entity to implement and utilize a security control to protect
against unauthorized access to or acquisition of a cyber threat or defensive measure.
Proposed law provides for the protection of personal information not directly related to a
cybersecurity threat.
Page 11 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
Proposed law exempts from the Public Records Law a cyber threat indicator or defensive
measure shared by a state entity with an appropriate entity.
Proposed law authorizes a private entity to share a cyber threat indicator or defensive
measure with an appropriate entity.
Proposed law requires the private entity to:
(1)Take reasonable measures to remove or limit the receipt, retention, use, and
dissemination of a cyber threat indicator containing personal information from the
information shared with the appropriate entity, provided that the personal
information is not critical to the appropriate entity's response or ability to mitigate
the cyber threat indicator.
(2)Include requirements to safeguard a cyber threat indicator containing personal
information of specific individuals or information that identifies specific individuals
from unauthorized access or acquisition, including appropriate sanctions for
activities by officers, employees, or agents of the federal or state government.
(3)Protect the confidentiality of a cyber threat indicator containing personal information
of specific individuals or information that identifies specific individuals to the
greatest extent practicable and require recipients to be informed that such indicator
may only be used for purposes authorized by proposed law.
Proposed law does not relieve a person from compliance with the Database Security Breach
Notification Law.
Proposed law provides that a cyber threat indicator and defensive measure shared with an
appropriate entity shall not constitute a waiver of any applicable privilege or protection
provided by law, including trade secret protection.
Proposed law provides that a cyber threat indicator or defensive measure provided by a
private entity to an appropriate entity shall be considered the commercial, financial, and
proprietary information of the private entity when designated by the originating private
entity or a third party acting in accordance with the written authorization of the originating
private entity.
Proposed law provides that a cyber threat indicator and defensive measure provided to an
appropriate entity may be disclosed to, retained by, and used by any federal or state entity
for certain purposes.
Proposed law restricts the disclosure, retention, or use of a cyber threat indicator and
defensive measure to actions authorized by proposed law.
Proposed law provides relative to the retention, use, and dissemination of a cyber threat
indicator and defensive measure by the federal or state government to an appropriate entity.
Proposed law provides that there shall be no cause of action against any private entity for
the monitoring of an information system or information stored on, processed by, or passed
through such information system or for the sharing or receipt of a cyber threat indicator or
defensive measure with another private entity, a federal or state entity, or an appropriate
entity if such monitoring, sharing, or receipt is conducted in accordance with proposed law.
Proposed law provides that a cyber threat indicator or defensive measure shared with a state
entity or an appropriate entity shall not be used by any state entity to regulate the lawful
activity of any private entity or any activity taken by a private entity. Proposed law does
allow such indicator or measure to be used in the development or implementation of a
regulation relating to such information systems.
Page 12 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 ORIGINAL
Proposed law provides relative to antitrust immunity under certain circumstances.
Proposed law requires that on or before March first of each year, a state entity that receives
information concerning a cyber threat indicator or defensive measure during the preceding
calendar year shall submit to the governor an annual report containing a statistical summary
of the following:
(1)Entities or types of industries that shared information with the state entity.
(2)Cyber threat indicators and defensive measures shared with the state entity.
Proposed law authorizes the office of state police, in accordance with the APA, to adopt
rules necessary to implement the provisions of proposed law.
Effective August 1, 2019.
(Adds R.S. 51:2101-2109)
Page 13 of 13
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.