      RS 51:3074     

  

§3074.  Disclosure upon breach in the security of personal information; notification requirements; exemption

A.  Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall, following discovery of a breach in the security of the system containing such data, notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

B.  Any agency or person that maintains computerized data that includes personal information that the agency or person does not own shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data, following discovery by the agency or person of a breach of security of the system.

C.  The notification required pursuant to Subsections A and B of this Section shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in Subsection D of this Section, or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.

D.  If a law enforcement agency determines that the notification required under this Section would impede a criminal investigation, such notification may be delayed until such law enforcement agency determines that the notification will no longer compromise such investigation.

E.  Notification may be provided by one of the following methods:

(1)  Written notification.

(2)  Electronic notification, if the notification provided is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001.

(3)  Substitute notification, if an agency or person demonstrates that the cost of providing notification would exceed two hundred fifty thousand dollars, or that the affected class of persons to be notified exceeds five hundred thousand, or the agency or person does not have sufficient contact information.  Substitute notification shall consist of all of the following:

(a)  E-mail notification when the agency or person has an e-mail address for the subject persons.

(b)  Conspicuous posting of the notification on the Internet site of the agency or person, if an Internet site is maintained.

(c)  Notification to major statewide media.

F.  Notwithstanding Subsection E of this Section, an agency or person that maintains a notification procedure as part of its information security policy for the treatment of personal information which is otherwise consistent with the timing requirements of this Section shall be deemed to be in compliance with the notification requirements of this Section if the agency or person notifies subject persons in accordance with the policy and procedure in the event of a breach of security of the system.

G.  Notification under this title[1] is not required if after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.

Acts 2005, No. 499, §1, eff. Jan. 1, 2006.

[1] As appears in enrolled bill.  Should be "Section".


