Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 60 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- constitutes unfair act or practice

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • If any Louisiana residents are affected by a breach, notification must be given to each affected individual within 60 days of discovery of the breach.
  • Businesses must notify the Louisiana Attorney General within 10 days of consumer notification.
  • There are specific considerations when determining if a breach is reportable.
  • If breach notification is not required, the business must retain a copy of the written determination and supporting documentation for 5 years from the date of discovery of the breach of the security system.
  • If requested in writing, the business must send a copy of the written determination and supporting documentation to the Attorney General within 30 days.
  • Civil action may be instituted to recover actual damages resulting from the failure to provide breach notification in a timely manner.
  • If a vendor is breached, they most notify the data owner. The data owner will be responsible to complete any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individual must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Businesses conducting business in Louisiana must implement and maintain reasonable security procedures and practices to protect computerized personal information in their possession.
  • Businesses who conduct business in Louisiana must have measures in place for the secure disposal of personal information.
  • Louisiana passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective August 1, 2020, licensees must comply with the breach notification requirements; August 1, 2021 must comply with requirements for written information security program; and August 1, 2022 must comply with the vendor management requirements.
Statutes and Laws
  • LA RS §§ 51:3071 – 3077 Database Security Breach Notification Law

    LA RS § 51:3074 Protection of personal information; disclosure upon breach in the security of personal information; notification requirements; exemption

    LA RS §§ 51:3075 Recovery of damages

    LA RS §§ 22:2501 – 2511 Insurance Data Security Law

    LA Admin. Code § 701 Part III Consumer Protection, Database Security Beach Notification – Reporting Requirements

BAck to map