The original instrument and the following digest, which constitutes no part of the legislative instrument, were prepared by Michelle Ridge. DIGEST SB 46 Reengrossed 2019 Regular Session Peacock Proposed law creates the Louisiana Cybersecurity Information Sharing Act (Act). Proposed law provides that the purpose of this Act is to provide a framework for sharing cybersecurity information under Louisiana law that is consistent with federal law. Proposed law defines "appropriate entity", "cybersecurity purpose", "cybersecurity threat", "cyber threat indicator", "defensive measure", "information system", "federal entity", "malicious cyber command and control", "malicious reconnaissance", "monitor", "private entity", "security control", "security vulnerability", and "state entity". Proposed law provides that a private entity may, for a cybersecurity purpose, monitor certain information systems and information that are stored on, processed by, or passed through certain information systems. Proposed law provides that a private entity may, for a cybersecurity purpose, operate a defensive measure on certain information systems. Proposed law authorizes a private entity, for a cybersecurity purpose and consistent with the protection of classified information, to share or receive a cyber security threat indicator or defensive measure with certain entities. Proposed law requires a private entity to implement and utilize a security control to protect against unauthorized access to or acquisition of a cyber threat or defensive measure. Proposed law provides for the protection of personal information not directly related to a cybersecurity threat. Proposed law exempts from the Public Records Law a cyber threat indicator or defensive measure shared by a state entity with an appropriate entity. Proposed law authorizes a private entity to share a cyber threat indicator or defensive measure with an appropriate entity. Proposed law requires the private entity to: (1)Take reasonable measures to remove or limit the receipt, retention, use, and dissemination of a cyber threat indicator containing personal information from the information shared with the appropriate entity, provided that the personal information is not critical to the appropriate entity's response or ability to mitigate the cyber threat indicator. (2)Include requirements to safeguard a cyber threat indicator containing personal information of specific individuals or information that identifies specific individuals from unauthorized access or acquisition. (3)Protect the confidentiality of a cyber threat indicator containing personal information of specific individuals or information that identifies specific individuals to the greatest extent practicable and require recipients to be informed that such indicator may be used only for purposes authorized by proposed law. (4)Expressly state in the subject line of the email to the appropriate entity that the private entity is conveying a "Cyber Threat Indicator" or "Cyber Defensive Measure". Proposed law provides that a cyber threat indicator and defensive measure shared with an appropriate entity shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection. Proposed law provides that a cyber threat indicator or defensive measure provided by a private entity to an appropriate entity shall be considered the commercial, financial, and proprietary information of the private entity when designated by the originating private entity or a third party acting in accordance with the written authorization of the originating private entity. Proposed law provides that a cyber threat indicator and defensive measure provided to an appropriate entity may be disclosed to, retained by, and used by any federal or state entity for certain purposes. Proposed law restricts the disclosure, retention, or use of a cyber threat indicator and defensive measure to actions authorized by proposed law. Proposed law provides relative to the retention, use, and dissemination of a cyber threat indicator and defensive measure by the federal or state government to an appropriate entity. Proposed law provides that there shall be no cause of action against any private entity for the following, if conducted in accordance with the provisions of proposed law: (1)The sharing or receipt of a cyber threat indicator or defensive measure with another private entity, a federal or state entity, or an appropriate entity. (2)The monitoring of an information system or information stored on, processed by, or passed through such information system of another private entity, state or federal entity, or an appropriate entity. (3)The monitoring of a private entity's information system or information stored on, processed by, or passed through such information system, after receipt of a cyber threat indicator or defensive measure from another private entity, federal or state entity, or an appropriate entity. Proposed law provides that a cyber threat indicator or defensive measure shared with a state entity or an appropriate entity shall not be used by any state entity for the criminal prosecution of the lawful activity of any private entity or any activity taken by a private entity. Proposed law does allow such indicator or measure to be used in the development or implementation of a regulation relating to such information systems. Proposed law provides relative to antitrust immunity under certain circumstances. Proposed law does not relieve a person from compliance with the Database Security Breach Notification Law. Proposed law requires that on or before March first of each year, a state entity that receives information concerning a cyber threat indicator or defensive measure during the preceding calendar year shall submit to the governor an annual report containing a statistical summary of the following: (1)Entities or types of industries that shared information with the state entity. (2)Cyber threat indicators and defensive measures shared with the state entity. Proposed law authorizes the office of state police, in accordance with the APA, to adopt rules necessary to implement the provisions of proposed law. Effective August 1, 2019. (Adds R.S. 51:2101-2110) Summary of Amendments Adopted by Senate Committee Amendments Proposed by Senate Committee on Commerce, Consumer Protection, and International Affairs to the original bill 1. Makes technical changes. 2. Adds a provision relative to legislative intent and federal law. 3. Adds a provision requiring the subject line of emails conveying a cyber threat indicator or defensive measure to include certain information. 4. Revises language on causes of action. 5. Removes a provision that requires the annual report submitted by state entities to the governor to be subject to public records law. Senate Floor Amendments to engrossed bill 1. Makes Legislative Bureau amendments.