Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: No later than 60 days
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable to any person or agency that conducts business in the state or that owns, licenses, or maintains covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if, after reasonable investigation, the covered entity determines that there is no reasonable likelihood of harm to residents. The covered entity must document determination in writing, retain the documentation for five years, and provide a copy to the Attorney General upon request.
Breach Defined
Compromise to the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable likelihood to result in, the unauthorized acquisition of and access to covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted.
Form of Covered Info
Electronic Only
Covered Info
An individual's first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Driver's license number or state identification card number.
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Passport number.
- Biometric data, meaning data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual's identity when the individual accesses a system or account.
Consumer Notice Timing
Must be made in most expedient time possible and without unreasonable delay but no later than 60 days from discovery of the breach, consistent with any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.
Consumer Notice Method
By written notice or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Content of notice undefined.
Delayed Notice
Notification may be delayed if law enforcement determines that notification will impede a criminal investigation or if covered entity requires additional time to determine scope of the breach, prevent further disclosures, and restore the reasonable integrity of the system. Within the original 60-day deadline the covered entity must provide in writing to the Attorney General reasons for delay.
Government Notice
If notice to Louisiana residents is required, the covered entity must also provide written notice to the Consumer Protection Section of the Attorney General's office. Notice must be received within 10 days of distribution of notice to Louisiana residents and must include the names of those affected residents.
Consumer Reporting Agency Notice
N/A
Exceptions for Other Laws
Financial institutions that must comply with the Gramm-Leach-Bliley Act (GLBA) and are in compliance with the federal banking regulators' notification requirements.
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it following discovery of a breach if the covered info was or is reasonably believed to have been acquired by an unauthorized person.
Private Right of Action
The Louisiana general breach notification statute provides individuals with a private right of action to recover actual damages resulting from a covered entity's failure to disclose a breach of the security system that resulted in the disclosure of the individual's personal information in a timely manner.
Potential Penalties
Violations may result in civil penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on June 15, 2023