New Changes to Louisiana’s Breach Notification Law Mean Tighter Restrictions For Companies That Retain Personal Information of Louisiana Residents
It’s been an active year on the cybersecurity front. Several states have either enacted (South Dakota and Alabama) or amended (such as Colorado and Hawaii) their breach notification laws, and last month the European Union’s far-reaching General Data Protection Regulation went into effect.
Louisiana joined the fray on May 20, 2018, when Governor Edwards signed Act 382 (SB No. 361) into law, amending the Louisiana Database Security Breach Notification Law (LDSBNL). The Act 382 amendments, which become effective on August 1, 2018, raise the standard of care for companies that retain the personal information of Louisiana residents (whether or not the company itself is located in Louisiana). Here is what your company needs to know:
- Definition of “personal information” now includes state identification numbers, passport numbers, and biometric data (fingerprints, voice prints, ocular prints, and any other “biological characteristic that is…used to uniquely authenticate an individual’s identity when the individual accesses a system of account”).
- Post-breach investigation must be documented. A company is not required to notify when, following a reasonable investigation, there is no reasonable likelihood of harm to Louisiana residents. The Act 382 amendments require that the investigation be documented, that the documented findings be retained for five years, and that they be produced within 30 days of a request by the attorney general. This requirement is similar to the laws in other states, as well as HIPAA.
- Notification is now required within 60 days after the discovery of a breach. An extension may be granted by the Attorney General.
- Notification costs reduced for larger breaches. Affected persons may be notified by email, conspicuous posting on the company’s website, or through statewide media when the cost of notification exceeds $100,000 (reduced from $250,000), the affected class exceeds 100,000 (reduced from 500,000), or the company does not have sufficient contact information. The Act 382 amendment lowers the cost and population thresholds, so that cheaper forms of notification can be used in larger incidents.
- Companies must now “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
- Companies must reasonably dispose of data “that is no longer to be retained by the person or business.” Similar to the Fair Credit Reporting Act’s “Disposal Rule” (16 CFR Part 682), the LDSBNL outlines reasonable methods of disposing of data (“shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means”).
- Violations under the LDSBNL equate to an unfair act or practice under the Louisiana Unfair Trade Practices and Consumer Protection Law (La. R.S. 51:1405). This is in addition to the private right of action and delay penalties already provided under the LDSBNL.
Tips for your company to consider before August 1, 2018
- Create a breach response team. Your team should balance members that understand your company’s interests and structure with those who are knowledgeable in cybersecurity. The former roles are usually best served by your C-suite executives, in-house counsel, and in-house IT (or contracted firms if your company does not employ in-house groups).
- When an incident occurs, contact outside legal counsel immediately. From there, outside counsel (under the protection of the attorney-client privilege and the work product doctrine) should arrange for a digital forensics firm to evaluate whether a breach occurred and, if so, its extent.
- Prepare a customized incident response plan that works. Your plan should help your company quickly and deliberately evaluate the severity of an incident and the steps needed to stop or mitigate it. It should be tailored to your company’s operations and capabilities and include a critical evaluation to determine whether, and to what extent, notification is required. It should include the contact information for your response team, cybersecurity insurance information, and communication and notification protocols.
- Train, test, and refine. The majority of data breaches in the United States are caused by employee error (such as clicking on a phishing email). However, information security-focused training can turn your company’s weakness into a strength. This includes periodic training sessions that address likely threat indicators, hardware and software use policies, mobile device usage, and identifying and reacting to suspicious events.
- Preparing an information security policy and response plan should not be a one-time event. Instead, they should be revisited and adjusted to respond to developments (such as changing threats, employment changes, or other occurrences). Furthermore, your company should conduct periodic employee training, penetration testing, and tabletop exercises to test your breach response plan and your team’s readiness.
This article was written by Lafayette attorney Steven Bucher. To learn more about Steven and his practice, you may visit his biography: Steven Bucher.