Louisiana
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe
Within 60 days
FINES & PENALTIES – Violations
Constitutes unfair act/practice
Regulation Levels
-
Breach Reporting
-
Consumer Notification
-
Vendor Management
-
Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting
Required
Vendor Obligations
Required
Consumer Notification
Required
Vendor Contracts
Not Required
Vendor Notification
Required
Privacy Program
Required
QUICK FACTS
Louisiana Privacy Law Information
Organizations conducting business in Louisiana must implement and maintain reasonable security procedures and practices to protect computerized personal information in their possession. Organizations who conduct business in Louisiana must have measures in place for the secure disposal of personal information.
Organizations must notify the Louisiana Attorney General within 10 days of consumer notification. There are specific considerations when determining if a breach is reportable. If breach notification is not required, the organization must retain a copy of the written determination and supporting documentation for 5 years from the date of discovery of the breach of the security system. If requested in writing, the organization must send a copy of the written determination and supporting documentation to the Attorney General within 30 days.
If any Louisiana residents are affected by a breach, the notification must be given to each affected individual within 60 days of discovery of the breach. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Vendors must notify Organizations without delay after the discovery of a breach or suspected breach. The Organization is responsible to complete any regulatory reporting and consumer notification. Vendors who conduct business in the state must have security procedures and practices in place for the protection of personal information. Vendors who conduct business in the state must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable.
Louisiana passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective August 1, 2020, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.
Organizations may be fined or penalized for Vendor violations. Civil action may be instituted to recover actual damages resulting from the failure to provide breach notification in a timely manner. Fines of up to $5,000 may be imposed for violations of the requirements for regulatory reporting to Attorney General.
Louisiana Statutes and Laws
Insurance Data Security Law
Database Security Breach Notification Law
Part III consumer protection, database security breach notification – reporting requirements
DISCLAIMER
The information provided is not legal guidance or recommendations and are for informational purposes only.