Louisiana 2019 Regular Session

Louisiana Senate Bill SB46 Engrossed / Bill

                    SLS 19RS-68	ENGROSSED
2019 Regular Session
SENATE BILL NO. 46
BY SENATOR PEACOCK 
Prefiled pursuant to Article III, Section 2(A)(4)(b)(i) of the Constitution of Louisiana.
INTERNET.  Enacts the Louisiana Cybersecurity Information Sharing Act. (8/1/19)
1	AN ACT
2 To enact Chapter 31 of Title 51 of the Louisiana Revised Statutes of 1950, to be comprised
3 of R.S. 51:2101 through 2110, relative to cybersecurity; to authorize private entities
4 to monitor, share, and receive certain information relative to cyber threats; to
5 authorize certain defensive measures; to provide relative to certain security and
6 information controls; to provide for definitions; to provide for immunity; to provide
7 for public records exemptions; and for confidentiality of certain information; to
8 provide for annual reporting of certain information by state entities; to provide for
9 certain terms, conditions, and procedures; and to provide for related matters.
10 Be it enacted by the Legislature of Louisiana:
11 Section 1.  Chapter 31 of Title 51 of the Louisiana Revised Statutes of 1950,
12 comprised of R.S. 51:2101 through 2110, is hereby enacted to read as follows: 
13 CHAPTER 31.  LOUISIANA CYBERSECURITY INFORMATION
14	SHARING ACT
15 §2101.  Short title
16	This Chapter shall be known and may be cited as the "Louisiana
17 Cybersecurity Information Sharing Act".
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
1 §2101.1. Legislative intent; federal law
2	The purpose of this Act is to provide a framework for sharing
3 cybersecurity information under Louisiana law that is consistent with the
4 federal law for sharing of cybersecurity information. To the extent that any
5 provision of this Act is inconsistent with or conflicts with the requirements of
6 the Federal Cybersecurity Information Sharing Act of 2015, 6 U.S.C.A. §1501
7 et seq., such provision of this Act shall not apply and the applicable federal law
8 shall control.
9 §2102. Definitions
10	As used in this Chapter, the following words shall have the meaning
11 ascribed to them in this Section, unless the text clearly indicates otherwise:
12	(1) "Appropriate entity" means any of the following:
13	(a) Office of attorney general, Department of Justice, investigation
14 division.
15	(b) The Louisiana State Analytical and Fusion Exchange, office of state
16 police, Department of Public Safety and Corrections.
17	(c) The Governor's Office of Homeland Security and Emergency
18 Preparedness.
19	(d) An appropriate federal entity as defined in 6 U.S.C.A. §1501(3).
20	(2) "Cybersecurity purpose" means the purpose of protecting an
21 information system or information that is stored on, processed by, or passed
22 through an information system from a cybersecurity threat or security
23 vulnerability.
24	(3) "Cybersecurity threat" means an action on or through an
25 information system that may result in an unauthorized effort to adversely
26 impact the security, availability, confidentiality, or integrity of an information
27 system or information that is stored on, processed by, or passed through an
28 information system. A "cybersecurity threat" does not include an action that
29 solely involves a violation of a consumer term of service or a consumer licensing
1 agreement.
2	(4) "Cyber threat indicator" means information that is necessary to
3 describe or identify any of the following:
4	(a) A malicious reconnaissance, including anomalous patterns of
5 communications that appear to be transmitted for the purpose of gathering
6 technical information related to a cybersecurity threat or security vulnerability.
7	(b) A method of defeating a security control or exploitation of a security
8 vulnerability.
9	(c) A security vulnerability, including anomalous activity that appears
10 to indicate the existence of a security vulnerability.
11	(d) A method of causing a user with legitimate access to an information
12 system, or to information that is stored on, processed by, or passed through an
13 information system, to unwittingly enable the defeat of a security control or
14 exploitation of a security vulnerability.
15	(e) A malicious cyber command and control.
16	(f) An actual or potential harm caused by an incident, including a
17 description of the information exfiltrated as a result of a particular
18 cybersecurity threat.
19	(g) Any other attribute of a cybersecurity threat, if disclosure of such
20 attribute is not otherwise prohibited by law.
21	(5) "Defensive measure" means an action, device, procedure, signature,
22 technique, or other measure applied to an information system, or to information
23 that is stored on, processed by, or passed through an information system that
24 detects, prevents, or mitigates a known or suspected cybersecurity threat or
25 security vulnerability. A defensive measure shall not include a measure that
26 destroys, renders unusable, provides unauthorized access to, or substantially
27 harms an information system or information stored on, processed by, or passed
28 through such information system not owned by the entity operating the measure
29 or the entity that is authorized to provide consent and has provided consent to
1 that private entity for operation of such measure.
2	(6) "Information system" includes but is not limited to a computer,
3 computer server, computer program, computer service, computer software,
4 internet-connected device, or computer system. An information system shall
5 also include industrial control systems, such as supervisory control and data
6 acquisition systems, distributed control systems, and programmable logic
7 controllers that store, process, or transmit information.
8	(7) "Federal entity" means a department or agency of the United States
9 or any component of such department or agency.
10	(8) "Malicious cyber command and control" means a method for
11 unauthorized, remote identification of, access to, or use of an information
12 system or information that is stored on, processed by, or passed through an
13 information system.
14	(9) "Malicious reconnaissance" means a method for actively probing or
15 passively monitoring an information system for the purpose of discerning
16 security vulnerabilities of the information system, if such method is associated
17 with a known or suspected cybersecurity threat.
18	(10) "Monitor" means to acquire, identify, or scan, or to possess
19 information that is stored on, processed by, or passed through an information
20 system.
21	(11) "Private entity" means any citizen of the United States or private
22 group, organization, proprietorship, partnership, trust, cooperative,
23 corporation, or other commercial or nonprofit entity domiciled in the United
24 States of America, including an officer, employee, or agent thereof. "Private
25 entity" does not include any foreign entities, such as governments, nations, or
26 political organizations.
27	(12) "Security control" means the management, operational, and
28 technical controls used to protect against an unauthorized effort to adversely
29 affect the confidentiality, integrity, and availability of an information system or
1 its information.
2	(13) "Security vulnerability" means any attribute of hardware, software,
3 process, or procedure that may enable or facilitate the defeat of a security
4 control.
5	(14) "State entity" means the state, a political subdivision of the state,
6 and any officer, agency, board, commission, department or similar body of the
7 state or any political subdivision of the state.
8 §2103.  Authorizations for preventing, detecting, analyzing, and mitigating
9	cybersecurity threats; private entities
10	A. Notwithstanding any provision of law to the contrary, a private entity
11 may, for a cybersecurity purpose, monitor the following:
12	(1) An information system of the private entity.
13	(2) An information system of another private entity, upon the
14 authorization and written consent of such other entity.
15	(3) An information system of a federal or state entity, upon the
16 authorization and written consent of an authorized representative of the federal
17 or state entity.
18	(4) Information that is stored on, processed by, or passed through an
19 information system monitored by the private entity.
20	B. Notwithstanding any provision of law to the contrary, a private entity
21 may, for a cybersecurity purpose, operate a defensive measure that is applied
22 to the following:
23	(1) An information system of the private entity in order to protect the
24 rights or property of the private entity.
25	(2) An information system of another private entity, upon written
26 consent of such entity for operation of such defensive measure to protect the
27 rights or property of such entity.
28	(3) An information system of a federal or state entity, upon written
29 consent of an authorized representative of such federal or state entity for
1 operation of such defensive measure to protect the rights or property of the
2 federal or state government.
3	C.(1) Except as provided in Paragraph (2) of this Subsection and
4 notwithstanding any other provision of law to the contrary, a private entity
5 may, for a cybersecurity purpose and consistent with the protection of classified
6 information, share with, or receive from, another private entity or a federal or
7 state entity a cyber threat indicator or defensive measure.
8	(2) A private entity receiving a cyber threat indicator or defensive
9 measure from another private entity or a federal or state entity shall comply
10 with any lawful restriction placed on the sharing or use of such cyber threat
11 indicator or defensive measure by the sharing entity.
12	D.(1) A private entity monitoring an information system, operating a
13 defensive measure, or providing or receiving a cyber threat indicator or
14 defensive measure pursuant to this Section shall implement and utilize a
15 security control to protect against unauthorized access to or acquisition of such
16 cyber threat indicator or defensive measure.
17	(2) Prior to sharing a cyber threat indicator or defensive measure, a
18 private entity shall either:
19	(a) Review the cyber threat indicator to assess whether such indicator
20 contains any information not directly related to a cybersecurity threat that the
21 private entity knows at the time of sharing to be personal information of a
22 specific individual or information that identifies a specific individual and
23 remove such personal information. For the purposes of this Chapter, "personal
24 information" shall refer to "personal information" as defined in La. R.S.
25 51:3073(4)(a).
26	(b) Implement and utilize a technical capability configured to remove
27 any information not directly related to a cybersecurity threat that the private
28 entity knows at the time of sharing to be personal information of a specific
29 individual or information that identifies a specific individual.
1	(3)(a) A cyber threat indicator or defensive measure shared or received
2 pursuant to the provisions of this Section may, for a cybersecurity purpose, be
3 used by a private entity to monitor or operate a defensive measure that is
4 applied to an information system of the private entity or an information system
5 of another private entity or a federal or state entity, provided such other private
6 entity or a such federal or state entity has given its written consent.
7	(b) A cyber threat indicator or defensive measure shared or received
8 pursuant to the provisions of this Section may, for a cybersecurity purpose, be
9 used, retained, and further shared by a private entity subject to a lawful
10 restriction placed by the sharing private entity or federal or state entity on such
11 cyber threat indicator or defensive measure or an otherwise applicable
12 provision of law.
13	(4)(a) A state entity that receives a cyber threat indicator or defensive
14 measure pursuant to the provisions of this Section may use such cyber threat
15 indicator or defensive measure in accordance with the provisions of R.S.
16 51:2104.
17	(b) A cyber threat indicator or defensive measure shared by a state entity
18 with an appropriate entity shall be deemed voluntarily shared information and
19 exempt from disclosure under the Public Records Law, R.S. 44:1 et seq.
20	E. The sharing of a cyber threat indicator or defensive measure with a
21 private entity shall not create a right or benefit to similar information from that
22 private entity.
23 §2104. Sharing of a cyber threat indicator and defensive measure with an
24	appropriate entity
25	A.(1) A private entity may, for a cybersecurity purpose and consistent
26 with the protection of classified information, share a cyber threat indicator or
27 defensive measure with an appropriate entity through the transmission of an
28 email to such entity.
29	(2) In sharing a cyber threat indicator or defensive measure with an
1 appropriate entity, the private entity shall:
2	(a) Take reasonable measures to remove or limit the receipt, retention,
3 use, and dissemination of a cyber threat indicator containing personal
4 information from the information shared with the appropriate entity, provided
5 that the personal information is not critical to the appropriate entity's response
6 or ability to mitigate a cyber threat indicator.
7	(b) Include requirements to safeguard a cyber threat indicator
8 containing personal information of specific individuals or information that
9 identifies specific individuals from unauthorized access or acquisition.
10	(c) Protect to the greatest extent practicable, the confidentiality of a
11 cyber threat indicator containing personal information of specific individuals
12 or information that identifies specific individuals and requires recipients to be
13 informed that such indicator may only be used for purposes authorized by this
14 Chapter.
15	(d) Expressly state in the subject line of the email to the appropriate
16 entity that the private entity is conveying a "Cyber Threat Indicator" or
17 "Cyber Defensive Measure".
18	(3)(a) A cyber threat indicator and defensive measure shared with an
19 appropriate entity shall not constitute a waiver of any applicable privilege or
20 protection provided by law, including trade secret protection.
21	(b) A cyber threat indicator or defensive measure provided by a private
22 entity to an appropriate entity shall be considered the commercial, financial,
23 and proprietary information of the private entity when designated by the
24 originating private entity or a third party acting in accordance with the written
25 authorization of the originating private entity.
26	(c) A cyber threat indicator or defensive measure shared with an
27 appropriate entity shall be deemed voluntarily shared information and exempt
28 from disclosure under the Public Records Law, R.S. 44:1 et seq.
29	(d) A cyber threat indicator and defensive measure provided to an
1 appropriate entity may be disclosed to, retained by, and used by, consistent with
2 applicable provisions of law, any federal or state entity solely for the following
3 purposes:
4	(i) A cybersecurity purpose.
5	(ii) Identifying a cybersecurity threat, including the source of such threat
6 or a security vulnerability.
7	(iii) Responding to, or otherwise mitigating, a specific threat of death, a
8 specific threat of serious bodily harm, or a specific threat of serious economic
9 harm, including a terrorist act or a use of a weapon of mass destruction.
10	(iv) Responding to, investigating, prosecuting, or otherwise preventing
11 or mitigating, a serious threat to a minor, including sexual exploitation and
12 threats to physical safety.
13	(v) Preventing, investigating, disrupting, or prosecuting an offense
14 arising out of a threat as provided in Item (iii) of this Subparagraph.
15	B. A cyber threat indicator and defensive measure shared with an
16 appropriate entity shall not be disclosed to, retained by, or used by any federal
17 or state entity for any use not permitted under Subsection A of this Section.
18	C. A cyber threat indicator or defensive measure provided to an
19 appropriate entity shall be retained, used, and disseminated by the federal or
20 state government as follows:
21	(1) In a manner consistent with Subsection A of this Section.
22	(2) In a manner that protects from unauthorized use or disclosure any
23 cyber threat indicator that may contain personal information of a specific
24 individual or information that identifies a specific individual.
25	(3) In a manner that protects the confidentiality of any cyber threat
26 indicator containing information of a specific individual or information that
27 identifies a specific individual.
28 §2105.  Protection from liability; private entities
29	If conducted in accordance with the provisions of this Chapter, there
1 shall be no cause of action against any private entity:
2	(1) For the sharing or receipt of a cyber threat indicator or defensive
3 measure with another private entity, a federal or state entity, or an appropriate
4 entity.
5	(2) For the monitoring of an information system or information stored
6 on, processed by, or passed through such information system, of another private
7 entity, a federal or state entity, or an appropriate entity.
8	(3) For the monitoring of a private entity’s information system or
9 information stored on, processed by, or passed through such information
10 system, after receipt of a cyber threat indicator or defensive measure from
11 another private entity, federal or state entity, or an appropriate entity.
12 §2106.  State regulatory authority
13	A cyber threat indicator or defensive measure shared in accordance with
14 the provisions of this Chapter with a state entity or an appropriate entity shall
15 not be used by any state entity for the criminal prosecution of the lawful activity
16 of any private entity or any activity taken by a private entity pursuant to
17 mandatory standards, including an activity relating to monitoring, operating
18 a defensive measure, or sharing of a cyber threat indicator. However, a shared
19 cyber threat indicator or defensive measure may be used in the development or
20 implementation of a regulation relating to such information systems.
21 §2107.  Antitrust immunity; exception
22	A. It shall not be considered a violation of state antitrust laws for two or
23 more private entities to exchange or provide, for a cybersecurity purpose, a
24 cyber threat indicator or defensive measure or assistance relating to the
25 prevention, investigation, or mitigation of a cybersecurity threat. The provisions
26 of this Paragraph shall apply only to information that is exchanged, or
27 assistance provided, in order to assist with either of the following:
28	(1) Facilitating the prevention, investigation, or mitigation of a
29 cybersecurity threat to an information system or to information that is stored
1 on, processed by, or passed through an information system.
2	(2) Communicating or disclosing a cyber threat indicator to help prevent,
3 investigate, or mitigate the effect of a cybersecurity threat to an information
4 system or to information that is stored on, processed by, or passed through an
5 information system.
6	B. Nothing in this Section shall authorize price-fixing, allocating a
7 market between competitors, monopolizing or attempting to monopolize a
8 market, boycotting, or exchanges of price or cost information, customer lists,
9 or information regarding future competitive planning.
10 §2108. Compliance with Database Security Breach Notification Law
11	Nothing in this Chapter shall relieve a person or entity from compliance
12 with the Database Security Breach Notification Law, R. S. 51:3071 et seq.,
13 specifically including but not limited to, the requirements under R.S. 51:3074.
14 §2109.  Annual report; state agencies
15	On or before March first of each year, a state entity that receives
16 information concerning a cyber threat indicator or defensive measure during
17 the preceding calendar year shall submit to the governor an annual report
18 containing a statistical summary of the following:
19	(1) Entities or types of industries that shared information with the state
20 entity.
21	(2) Cyber threat indicators and defensive measures shared with the state
22 entity.
23 §2110.  Rulemaking authority
24	The Department of Corrections, office of state police, may, in accordance
25 with the Administrative Procedure Act, adopt all rules necessary to implement
26 the provisions of this Chapter.
The original instrument and the following digest, which constitutes no part
of the legislative instrument, were prepared by Michelle Ridge.
DIGEST
SB 46 Engrossed 2019 Regular Session	Peacock
Proposed law creates the Louisiana Cybersecurity Information Sharing Act (Act).
Proposed law provides that the purpose of this Act is to provide a framework for sharing
cybersecurity information under Louisiana law that is consistent with federal law.
Proposed law defines "appropriate entity", "cybersecurity purpose", "cybersecurity threat",
"cyber threat indicator", "defensive measure", "information system", "federal entity",
"malicious cyber command and control", "malicious reconnaissance", "monitor", "private
entity", "security control", "security vulnerability", and "state entity". 
Proposed law provides that a private entity may, for a cybersecurity purpose, monitor certain
information systems and information that are stored on, processed by, or passed through
certain information systems.
Proposed law provides that a private entity may, for a cybersecurity purpose, operate a
defensive measure on certain information systems.
Proposed law authorizes a private entity, for a cybersecurity purpose and consistent with the
protection of classified information, to share or receive a cyber security threat indicator or
defensive measure with certain entities.
Proposed law requires a private entity to implement and utilize a security control to protect
against unauthorized access to or acquisition of a cyber threat or defensive measure.
Proposed law provides for the protection of personal information not directly related to a
cybersecurity threat.
Proposed law exempts from the Public Records Law a cyber threat indicator or defensive
measure shared by a state entity with an appropriate entity.
Proposed law authorizes a private entity to share a cyber threat indicator or defensive
measure with an appropriate entity.
Proposed law requires the private entity to:
(1) Take reasonable measures to remove or limit the receipt, retention, use, and
dissemination of a cyber threat indicator containing personal information from the
information shared with the appropriate entity, provided that the personal
information is not critical to the appropriate entity's response or ability to mitigate
the cyber threat indicator.
(2) Include requirements to safeguard a cyber threat indicator containing personal
information of specific individuals or information that identifies specific individuals
from unauthorized access or acquisition.
(3) Protect the confidentiality of a cyber threat indicator containing personal information
of specific individuals or information that identifies specific individuals to the
greatest extent practicable and require recipients to be informed that such indicator
may only be used for purposes authorized by proposed law.
(4) Expressly state in the subject line of the email to the appropriate entity that the
private entity is conveying a "Cyber Threat Indicator" or "Cyber Defensive
Measure".
Proposed law provides that a cyber threat indicator and defensive measure shared with an
appropriate entity shall not constitute a waiver of any applicable privilege or protection
provided by law, including trade secret protection.
Proposed law provides that a cyber threat indicator or defensive measure provided by a
private entity to an appropriate entity shall be considered the commercial, financial, and
proprietary information of the private entity when designated by the originating private
entity or a third party acting in accordance with the written authorization of the originating
private entity.
Proposed law provides that a cyber threat indicator and defensive measure provided to an
appropriate entity may be disclosed to, retained by, and used by any federal or state entity
for certain purposes.
Proposed law restricts the disclosure, retention, or use of a cyber threat indicator and
defensive measure to actions authorized by proposed law.
Proposed law provides relative to the retention, use, and dissemination of a cyber threat
indicator and defensive measure by the federal or state government to an appropriate entity. 
Proposed law provides that there shall be no cause of action against any private entity for
the following, if conducted in accordance with the provisions of proposed law:
(1) The sharing or receipt of a cyber threat indicator or defensive measure with another
private entity, a federal or state entity, or an appropriate entity.
(2) The monitoring of an information system or information stored on, processed by, or
passed through such information system of another private entity, state or federal
entity, or an appropriate entity.
(3) The monitoring of a private entity's information system or information stored on,
processed by, or passed through such information system, after receipt of a cyber
threat indicator or defensive measure from another private entity, federal or state
entity, or an appropriate entity.
Proposed law provides that a cyber threat indicator or defensive measure shared with a state
entity or an appropriate entity shall not be used by any state entity for the criminal
prosecution of the lawful activity of any private entity or any activity taken by a private
entity. Proposed law does allow such indicator or measure to be used in the development or
implementation of a regulation relating to such information systems.
Proposed law provides relative to antitrust immunity under certain circumstances. 
Proposed law does not relieve a person from compliance with the Database Security Breach
Notification Law.
Proposed law requires that on or before March first of each year, a state entity that receives
information concerning a cyber threat indicator or defensive measure during the preceding
calendar year shall submit to the governor an annual report containing a statistical summary
of the following:
(1) Entities or types of industries that shared information with the state entity.
(2) Cyber threat indicators and defensive measures shared with the state entity.
Proposed law authorizes the office of state police, in accordance with the APA, to adopt
rules necessary to implement the provisions of proposed law.
Effective August 1, 2019.
(Adds R.S. 51:2101-2110)
Summary of Amendments Adopted by Senate
Committee Amendments Proposed by Senate Committee on Commerce, Consumer
Protection, and International Affairs to the original bill
1. Makes technical changes.
2. Adds a provision relative to legislative intent and federal law.
3. Adds a provision requiring the subject line of emails conveying a cyber threat
indicator or defensive measure to include certain information.
4. Revises language on causes of action.
5. Removes a provision that requires the annual report submitted by state
entities to the governor to be subject to public records law.