SLS 19RS-68 REENGROSSED
2019 Regular Session
SENATE BILL NO. 46
BY SENATOR PEACOCK
Prefiled pursuant to Article III, Section 2(A)(4)(b)(i) of the Constitution of Louisiana.
INTERNET. Enacts the Louisiana Cybersecurity Information Sharing Act. (8/1/19)
1 AN ACT
2 To enact Chapter 31 of Title 51 of the Louisiana Revised Statutes of 1950, to be comprised
3 of R.S. 51:2101 through 2110, relative to cybersecurity; to authorize private entities
4 to monitor, share, and receive certain information relative to cyber threats; to
5 authorize certain defensive measures; to provide relative to certain security and
6 information controls; to provide for definitions; to provide for immunity; to provide
7 for public records exemptions; and for confidentiality of certain information; to
8 provide for annual reporting of certain information by state entities; to provide for
9 certain terms, conditions, and procedures; and to provide for related matters.
10 Be it enacted by the Legislature of Louisiana:
11 Section 1. Chapter 31 of Title 51 of the Louisiana Revised Statutes of 1950,
12 comprised of R.S. 51:2101 through 2110, is hereby enacted to read as follows:
13 CHAPTER 31. LOUISIANA CYBERSECURITY INF ORMATION
14 SHARING ACT
15 §2101. Short title
16 This Chapter shall be known and may be cited as the "Louisiana
17 Cybersecurity Information Sharing Act".
Page 1 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 §2101.1. Legislative intent; federal law
2 The purpose of this Act is to provide a framework for sharing
3 cybersecurity information under Louisiana law that is consistent with the
4 federal law for sharing of cybersecurity information. To the extent that any
5 provision of this Act is inconsistent with or conflicts with the requirements of
6 the Federal Cybersecurity Information Sharing Act of 2015, 6 U.S.C.A. §1501
7 et seq., such provision of this Act shall not apply and the applicable federal law
8 shall control.
9 §2102. Definitions
10 As used in this Chapter, the following words shall have the meaning
11 ascribed to them in this Section, unless the text clearly indicates otherwise:
12 (1) "Appropriate entity" means any of the following:
13 (a) Department of Justice, investigation division.
14 (b) The Louisiana State Analytical and Fusion Exchange, office of state
15 police, Department of Public Safety and Corrections.
16 (c) The Governor's Office of Homeland Security and Emergency
17 Preparedness.
18 (d) An appropriate federal entity as defined in 6 U.S.C.A. §1501(3).
19 (2) "Cybersecurity purpose" means the purpose of protecting an
20 information system or information that is stored on, processed by, or passed
21 through an information system from a cybersecurity threat or security
22 vulnerability.
23 (3) "Cybersecurity threat" means an action on or through an
24 information system that may result in an unauthorized effort to adversely
25 impact the security, availability, confidentiality, or integrity of an information
26 system or information that is stored on, processed by, or passed through an
27 information system. A "cybersecurity threat" does not include an action that
28 solely involves a violation of a consumer term of service or a consumer licensing
29 agreement.
Page 2 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 (4) "Cyber threat indicator" means information that is necessary to
2 describe or identify any of the following:
3 (a) A malicious reconnaissance, including anomalous patterns of
4 communications that appear to be transmitted for the purpose of gathering
5 technical information related to a cybersecurity threat or security vulnerability.
6 (b) A method of defeating a security control or exploitation of a security
7 vulnerability.
8 (c) A security vulnerability, including anomalous activity that appears
9 to indicate the existence of a security vulnerability.
10 (d) A method of causing a user with legitimate access to an information
11 system, or to information that is stored on, processed by, or passed through an
12 information system, to unwittingly enable the defeat of a security control or
13 exploitation of a security vulnerability.
14 (e) A malicious cyber command and control.
15 (f) An actual or potential harm caused by an incident, including a
16 description of the information exfiltrated as a result of a particular
17 cybersecurity threat.
18 (g) Any other attribute of a cybersecurity threat, if disclosure of such
19 attribute is not otherwise prohibited by law.
20 (5) "Defensive measure" means an action, device, procedure, signature,
21 technique, or other measure applied to an information system, or to information
22 that is stored on, processed by, or passed through an information system that
23 detects, prevents, or mitigates a known or suspected cybersecurity threat or
24 security vulnerability. A defensive measure shall not include a measure that
25 destroys, renders unusable, provides unauthorized access to, or substantially
26 harms an information system or information stored on, processed by, or passed
27 through such information system not owned by the entity operating the measure
28 or the entity that is authorized to provide consent and has provided consent to
29 that private entity for operation of such measure.
Page 3 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 (6) "Information system" includes but is not limited to a computer,
2 computer server, computer program, computer service, computer software,
3 internet-connected device, or computer system. An information system shall
4 also include industrial control systems, such as supervisory control and data
5 acquisition systems, distributed control systems, and programmable logic
6 controllers that store, process, or transmit information.
7 (7) "Federal entity" means a department or agency of the United States
8 or any component of such department or agency.
9 (8) "Malicious cyber command and control" means a method for
10 unauthorized, remote identification of, access to, or use of an information
11 system or information that is stored on, processed by, or passed through an
12 information system.
13 (9) "Malicious reconnaissance" means a method for actively probing or
14 passively monitoring an information system for the purpose of discerning
15 security vulnerabilities of the information system, if such method is associated
16 with a known or suspected cybersecurity threat.
17 (10) "Monitor" means to acquire, identify, or scan, or to possess
18 information that is stored on, processed by, or passed through an information
19 system.
20 (11) "Private entity" means any citizen of the United States or private
21 group, organization, proprietorship, partnership, trust, cooperative,
22 corporation, or other commercial or nonprofit entity domiciled in the United
23 States of America, including an officer, employee, or agent thereof. "Private
24 entity" does not include any foreign entities, such as governments, nations, or
25 political organizations.
26 (12) "Security control" means the management, operational, and
27 technical controls used to protect against an unauthorized effort to adversely
28 affect the confidentiality, integrity, and availability of an information system or
29 its information.
Page 4 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 (13) "Security vulnerability" means any attribute of hardware, software,
2 process, or procedure that may enable or facilitate the defeat of a security
3 control.
4 (14) "State entity" means the state, a political subdivision of the state,
5 and any officer, agency, board, commission, department or similar body of the
6 state or any political subdivision of the state.
7 §2103. Authorizations for preventing, detecting, analyzing, and mitigating
8 cybersecurity threats; private entities
9 A. Notwithstanding any provision of law to the contrary, a private entity
10 may, for a cybersecurity purpose, monitor the following:
11 (1) An information system of the private entity.
12 (2) An information system of another private entity, upon the
13 authorization and written consent of such other entity.
14 (3) An information system of a federal or state entity, upon the
15 authorization and written consent of an authorized representative of the federal
16 or state entity.
17 (4) Information that is stored on, processed by, or passed through an
18 information system monitored by the private entity.
19 B. Notwithstanding any provision of law to the contrary, a private entity
20 may, for a cybersecurity purpose, operate a defensive measure that is applied
21 to the following:
22 (1) An information system of the private entity in order to protect the
23 rights or property of the private entity.
24 (2) An information system of another private entity, upon written
25 consent of such entity for operation of such defensive measure to protect the
26 rights or property of such entity.
27 (3) An information system of a federal or state entity, upon written
28 consent of an authorized representative of such federal or state entity for
29 operation of such defensive measure to protect the rights or property of the
Page 5 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 federal or state government.
2 C.(1) Except as provided in Paragraph (2) of this Subsection and
3 notwithstanding any other provision of law to the contrary, a private entity
4 may, for a cybersecurity purpose and consistent with the protection of classified
5 information, share with, or receive from, another private entity or a federal or
6 state entity a cyber threat indicator or defensive measure.
7 (2) A private entity receiving a cyber threat indicator or defensive
8 measure from another private entity or a federal or state entity shall comply
9 with any lawful restriction placed on the sharing or use of such cyber threat
10 indicator or defensive measure by the sharing entity.
11 D.(1) A private entity monitoring an information system, operating a
12 defensive measure, or providing or receiving a cyber threat indicator or
13 defensive measure pursuant to this Section shall implement and utilize a
14 security control to protect against unauthorized access to or acquisition of such
15 cyber threat indicator or defensive measure.
16 (2) Prior to sharing a cyber threat indicator or defensive measure, a
17 private entity shall either:
18 (a) Review the cyber threat indicator to assess whether such indicator
19 contains any information not directly related to a cybersecurity threat that the
20 private entity knows at the time of sharing to be personal information of a
21 specific individual or information that identifies a specific individual and
22 remove such personal information. For the purposes of this Chapter, "personal
23 information" shall refer to "personal information" as defined in La. R.S.
24 51:3073(4)(a).
25 (b) Implement and utilize a technical capability configured to remove
26 any information not directly related to a cybersecurity threat that the private
27 entity knows at the time of sharing to be personal information of a specific
28 individual or information that identifies a specific individual.
29 (3)(a) A cyber threat indicator or defensive measure shared or received
Page 6 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 pursuant to the provisions of this Section may, for a cybersecurity purpose, be
2 used by a private entity to monitor or operate a defensive measure that is
3 applied to an information system of the private entity or an information system
4 of another private entity or a federal or state entity, provided such other private
5 entity or a such federal or state entity has given its written consent.
6 (b) A cyber threat indicator or defensive measure shared or received
7 pursuant to the provisions of this Section may, for a cybersecurity purpose, be
8 used, retained, and further shared by a private entity subject to a lawful
9 restriction placed by the sharing private entity or federal or state entity on such
10 cyber threat indicator or defensive measure or an otherwise applicable
11 provision of law.
12 (4)(a) A state entity that receives a cyber threat indicator or defensive
13 measure pursuant to the provisions of this Section may use such cyber threat
14 indicator or defensive measure in accordance with the provisions of R.S.
15 51:2104.
16 (b) A cyber threat indicator or defensive measure shared by a state entity
17 with an appropriate entity shall be deemed voluntarily shared information and
18 exempt from disclosure under the Public Records Law, R.S. 44:1 et seq.
19 E. The sharing of a cyber threat indicator or defensive measure with a
20 private entity shall not create a right or benefit to similar information from that
21 private entity.
22 §2104. Sharing of a cyber threat indicator and defensive measure with an
23 appropriate entity
24 A.(1) A private entity may, for a cybersecurity purpose and consistent
25 with the protection of classified information, share a cyber threat indicator or
26 defensive measure with an appropriate entity through the transmission of an
27 email to such entity.
28 (2) In sharing a cyber threat indicator or defensive measure with an
29 appropriate entity, the private entity shall:
Page 7 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 (a) Take reasonable measures to remove or limit the receipt, retention,
2 use, and dissemination of a cyber threat indicator containing personal
3 information from the information shared with the appropriate entity, provided
4 that the personal information is not critical to the appropriate entity's response
5 or ability to mitigate a cyber threat indicator.
6 (b) Include requirements to safeguard a cyber threat indicator
7 containing personal information of specific individuals or information that
8 identifies specific individuals from unauthorized access or acquisition.
9 (c) Protect to the greatest extent practicable, the confidentiality of a
10 cyber threat indicator containing personal information of specific individuals
11 or information that identifies specific individuals and requires recipients to be
12 informed that such indicator may be used only for purposes authorized by this
13 Chapter.
14 (d) Expressly state in the subject line of the email to the appropriate
15 entity that the private entity is conveying a "Cyber Threat Indicator" or
16 "Cyber Defensive Measure".
17 (3)(a) A cyber threat indicator and defensive measure shared with an
18 appropriate entity shall not constitute a waiver of any applicable privilege or
19 protection provided by law, including trade secret protection.
20 (b) A cyber threat indicator or defensive measure provided by a private
21 entity to an appropriate entity shall be considered the commercial, financial,
22 and proprietary information of the private entity when designated by the
23 originating private entity or a third party acting in accordance with the written
24 authorization of the originating private entity.
25 (c) A cyber threat indicator or defensive measure shared with an
26 appropriate entity shall be deemed voluntarily shared information and exempt
27 from disclosure under the Public Records Law, R.S. 44:1 et seq.
28 (d) A cyber threat indicator and defensive measure provided to an
29 appropriate entity may be disclosed to, retained by, and used by, consistent with
Page 8 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 applicable provisions of law, any federal or state entity solely for the following
2 purposes:
3 (i) A cybersecurity purpose.
4 (ii) Identifying a cybersecurity threat, including the source of such threat
5 or a security vulnerability.
6 (iii) Responding to, or otherwise mitigating, a specific threat of death, a
7 specific threat of serious bodily harm, or a specific threat of serious economic
8 harm, including a terrorist act or a use of a weapon of mass destruction.
9 (iv) Responding to, investigating, prosecuting, or otherwise preventing
10 or mitigating, a serious threat to a minor, including sexual exploitation and
11 threats to physical safety.
12 (v) Preventing, investigating, disrupting, or prosecuting an offense
13 arising out of a threat as provided in Item (iii) of this Subparagraph.
14 B. A cyber threat indicator and defensive measure shared with an
15 appropriate entity shall not be disclosed to, retained by, or used by any federal
16 or state entity for any use not permitted under Subsection A of this Section.
17 C. A cyber threat indicator or defensive measure provided to an
18 appropriate entity shall be retained, used, and disseminated by the federal or
19 state government as follows:
20 (1) In a manner consistent with Subsection A of this Section.
21 (2) In a manner that protects from unauthorized use or disclosure any
22 cyber threat indicator that may contain personal information of a specific
23 individual or information that identifies a specific individual.
24 (3) In a manner that protects the confidentiality of any cyber threat
25 indicator containing information of a specific individual or information that
26 identifies a specific individual.
27 §2105. Protection from liability; private entities
28 If conducted in accordance with the provisions of this Chapter, there
29 shall be no cause of action against any private entity:
Page 9 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 (1) For the sharing or receipt of a cyber threat indicator or defensive
2 measure with another private entity, a federal or state entity, or an appropriate
3 entity.
4 (2) For the monitoring of an information system or information stored
5 on, processed by, or passed through such information system, of another private
6 entity, a federal or state entity, or an appropriate entity.
7 (3) For the monitoring of a private entity’s information system or
8 information stored on, processed by, or passed through such information
9 system, after receipt of a cyber threat indicator or defensive measure from
10 another private entity, federal or state entity, or an appropriate entity.
11 §2106. State regulatory authority
12 A cyber threat indicator or defensive measure shared in accordance with
13 the provisions of this Chapter with a state entity or an appropriate entity shall
14 not be used by any state entity for the criminal prosecution of the lawful activity
15 of any private entity or any activity taken by a private entity pursuant to
16 mandatory standards, including an activity relating to monitoring, operating
17 a defensive measure, or sharing of a cyber threat indicator. However, a shared
18 cyber threat indicator or defensive measure may be used in the development or
19 implementation of a regulation relating to such information systems.
20 §2107. Antitrust immunity; exception
21 A. It shall not be considered a violation of state antitrust laws for two or
22 more private entities to exchange or provide, for a cybersecurity purpose, a
23 cyber threat indicator or defensive measure or assistance relating to the
24 prevention, investigation, or mitigation of a cybersecurity threat. The provisions
25 of this Paragraph shall apply only to information that is exchanged, or
26 assistance provided, in order to assist with either of the following:
27 (1) Facilitating the prevention, investigation, or mitigation of a
28 cybersecurity threat to an information system or to information that is stored
29 on, processed by, or passed through an information system.
Page 10 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
1 (2) Communicating or disclosing a cyber threat indicator to help prevent,
2 investigate, or mitigate the effect of a cybersecurity threat to an information
3 system or to information that is stored on, processed by, or passed through an
4 information system.
5 B. Nothing in this Section shall authorize price-fixing, allocating a
6 market between competitors, monopolizing or attempting to monopolize a
7 market, boycotting, or exchanges of price or cost information, customer lists,
8 or information regarding future competitive planning.
9 §2108. Compliance with Database Security Breach Notification Law
10 Nothing in this Chapter shall relieve a person or entity from compliance
11 with the Database Security Breach Notification Law, R. S. 51:3071 et seq.,
12 specifically including but not limited to, the requirements under R.S. 51:3074.
13 §2109. Annual report; state agencies
14 On or before March first of each year, a state entity that receives
15 information concerning a cyber threat indicator or defensive measure during
16 the preceding calendar year shall submit to the governor an annual report
17 containing a statistical summary of the following:
18 (1) Entities or types of industries that shared information with the state
19 entity.
20 (2) Cyber threat indicators and defensive measures shared with the state
21 entity.
22 §2110. Rulemaking authority
23 The Department of Corrections, office of state police, may, in accordance
24 with the Administrative Procedure Act, adopt all rules necessary to implement
25 the provisions of this Chapter.
Page 11 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
The original instrument and the following digest, which constitutes no part
of the legislative instrument, were prepared by Michelle Ridge.
DIGEST
SB 46 Reengrossed 2019 Regular Session Peacock
Proposed law creates the Louisiana Cybersecurity Information Sharing Act (Act).
Proposed law provides that the purpose of this Act is to provide a framework for sharing
cybersecurity information under Louisiana law that is consistent with federal law.
Proposed law defines "appropriate entity", "cybersecurity purpose", "cybersecurity threat",
"cyber threat indicator", "defensive measure", "information system", "federal entity",
"malicious cyber command and control", "malicious reconnaissance", "monitor", "private
entity", "security control", "security vulnerability", and "state entity".
Proposed law provides that a private entity may, for a cybersecurity purpose, monitor certain
information systems and information that are stored on, processed by, or passed through
certain information systems.
Proposed law provides that a private entity may, for a cybersecurity purpose, operate a
defensive measure on certain information systems.
Proposed law authorizes a private entity, for a cybersecurity purpose and consistent with the
protection of classified information, to share or receive a cyber security threat indicator or
defensive measure with certain entities.
Proposed law requires a private entity to implement and utilize a security control to protect
against unauthorized access to or acquisition of a cyber threat or defensive measure.
Proposed law provides for the protection of personal information not directly related to a
cybersecurity threat.
Proposed law exempts from the Public Records Law a cyber threat indicator or defensive
measure shared by a state entity with an appropriate entity.
Proposed law authorizes a private entity to share a cyber threat indicator or defensive
measure with an appropriate entity.
Proposed law requires the private entity to:
(1)Take reasonable measures to remove or limit the receipt, retention, use, and
dissemination of a cyber threat indicator containing personal information from the
information shared with the appropriate entity, provided that the personal
information is not critical to the appropriate entity's response or ability to mitigate
the cyber threat indicator.
(2)Include requirements to safeguard a cyber threat indicator containing personal
information of specific individuals or information that identifies specific individuals
from unauthorized access or acquisition.
(3)Protect the confidentiality of a cyber threat indicator containing personal information
of specific individuals or information that identifies specific individuals to the
greatest extent practicable and require recipients to be informed that such indicator
may be used only for purposes authorized by proposed law.
(4)Expressly state in the subject line of the email to the appropriate entity that the
Page 12 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
private entity is conveying a "Cyber Threat Indicator" or "Cyber Defensive
Measure".
Proposed law provides that a cyber threat indicator and defensive measure shared with an
appropriate entity shall not constitute a waiver of any applicable privilege or protection
provided by law, including trade secret protection.
Proposed law provides that a cyber threat indicator or defensive measure provided by a
private entity to an appropriate entity shall be considered the commercial, financial, and
proprietary information of the private entity when designated by the originating private
entity or a third party acting in accordance with the written authorization of the originating
private entity.
Proposed law provides that a cyber threat indicator and defensive measure provided to an
appropriate entity may be disclosed to, retained by, and used by any federal or state entity
for certain purposes.
Proposed law restricts the disclosure, retention, or use of a cyber threat indicator and
defensive measure to actions authorized by proposed law.
Proposed law provides relative to the retention, use, and dissemination of a cyber threat
indicator and defensive measure by the federal or state government to an appropriate entity.
Proposed law provides that there shall be no cause of action against any private entity for
the following, if conducted in accordance with the provisions of proposed law:
(1)The sharing or receipt of a cyber threat indicator or defensive measure with another
private entity, a federal or state entity, or an appropriate entity.
(2)The monitoring of an information system or information stored on, processed by, or
passed through such information system of another private entity, state or federal
entity, or an appropriate entity.
(3)The monitoring of a private entity's information system or information stored on,
processed by, or passed through such information system, after receipt of a cyber
threat indicator or defensive measure from another private entity, federal or state
entity, or an appropriate entity.
Proposed law provides that a cyber threat indicator or defensive measure shared with a state
entity or an appropriate entity shall not be used by any state entity for the criminal
prosecution of the lawful activity of any private entity or any activity taken by a private
entity. Proposed law does allow such indicator or measure to be used in the development or
implementation of a regulation relating to such information systems.
Proposed law provides relative to antitrust immunity under certain circumstances.
Proposed law does not relieve a person from compliance with the Database Security Breach
Notification Law.
Proposed law requires that on or before March first of each year, a state entity that receives
information concerning a cyber threat indicator or defensive measure during the preceding
calendar year shall submit to the governor an annual report containing a statistical summary
of the following:
(1)Entities or types of industries that shared information with the state entity.
(2)Cyber threat indicators and defensive measures shared with the state entity.
Page 13 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 46
SLS 19RS-68 REENGROSSED
Proposed law authorizes the office of state police, in accordance with the APA, to adopt
rules necessary to implement the provisions of proposed law.
Effective August 1, 2019.
(Adds R.S. 51:2101-2110)
Summary of Amendments Adopted by Senate
Committee Amendments Proposed by Senate Committee on Commerce, Consumer
Protection, and International Affairs to the original bill
1. Makes technical changes.
2. Adds a provision relative to legislative intent and federal law.
3. Adds a provision requiring the subject line of emails conveying a cyber threat
indicator or defensive measure to include certain information.
4. Revises language on causes of action.
5. Removes a provision that requires the annual report submitted by state
entities to the governor to be subject to public records law.
Senate Floor Amendments to engrossed bill
1. Makes Legislative Bureau amendments.
Page 14 of 14
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.