To say that privacy regulations have been in the news lately is a bit of an understatement. The European Union’s new General Data Protection Regulation has had privacy professionals and businesses scrambling to meet the May 25, 2018 deadline for compliance. While the GDPR may be dominating the national news circuits, the EU is not the only one making changes to their privacy laws. The Louisiana Legislature has passed, and Governor Edwards signed on May 20, 2018, amendments to Louisiana’s Database Security Breach Notification Law (Louisiana Revised Statutes 51:3071, et seq.), at Act 382.[i] Act 382 becomes effective on August 1, 2018.
A. Expansion of “Personal Information”
The first major change is the expansion of the definition of “personal information” under the statute. Louisiana previously defined personal information for the purposes of the breach notification law as an individual’s first name or initial and last name in combination with any of the following additional data elements when the name or data element is not encrypted or redacted: (1) social security number; (2) driver’s license number; or (3) account number, credit or debit card number, in combination with the applicable password, security code, or access code that would allow access to an individual’s financial account. Act 382 adds the following additional pieces of data to this list: state identification card number; passport number; and “biometric data.” “Biometric data” is defined as “data generated by automatic measurements of an individual’s biological characteristics” and includes markers such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristics that are used to authenticate an individual’s identity when accessing a system or account. In this change, Louisiana joins a growing trend of expanding personal data beyond ID numbers and financial accounts into more unique and personal identifiers. At the time of this writing, at least twelve other states have enacted laws that include biometric markers as personal information.[ii]
B. New Data Protection Requirements
Act 382 imposes new requirements on Louisiana businesses to protect personal information. These changes affect companies that conduct business in the state of Louisiana or own or license computerized data that include personal information of Louisiana residents and for agencies that own or license computerized data that includes Louisiana residents’ personal information (collectively “Subject Entities”). Under Act 382, Subject Entities will be required to implement and maintain “reasonable security procedures and practices appropriate to the nature of the information” to protect the personal information from breaches, destruction, use, modification, or disclosure.
Subject Entities will also be under new requirements for data destruction. Subject Entities will be required to take reasonable steps to destroy or arrange for the destruction of records within its custody or control containing personal information that is no longer to be retained by the Subject Entity by shredding, erasing, or otherwise modifying the personal information to make the information unreadable or undecipherable.
C. Data Breach Notifications
In the event of a breach, the revisions to Section 51:3073 have now implemented a time limit within which Subject Entities must notify the Louisiana residents’ whose data was affected. Originally, the statute provided that notice must be done “in the most expedient time possible and without unreasonable delay.” The revised statute retains that language, but now includes that notification must be made no later than 60 days from the discovery of the breach. The revisions maintain the original exception to this rule in the case of delay necessitated by the needs of law enforcement or measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. However, if a Subject Entity does delay notification for one of these reasons, it must provide written notice to the Louisiana Attorney General of this delay and the reasons for same within the 60 day period. Upon receipt, the Attorney General will grant a reasonable extension of time for notification.
The revisions preserve the ability for a Subject Entity to investigate whether the breach is reasonably likely to cause harm to Louisiana residents, and, if the breach is unlikely to cause harm, the Subject Entity is not required to notify affected Louisiana residents of the breach. This situation commonly arises when the breached data was encrypted, provided the encryption key was not also breached. If the Subject Entity decides not to report under this section, then the entity must document that decision in writing and retain the written decision and supporting documentation for five years from the date of discovery of the breach. The Attorney General can request a copy of this documentation and the written determination, and the Subject Entity must provide the documentation within thirty days of the Attorney General’s request.
Last, violations of these provisions are now deemed an unfair trade practice under R.S. 51:1405(A). During testimony on this bill, the Attorney General’s Office commented that their Office has already been treating violations as an unfair trade practice, so this language only codifies their current practice.
D. General Comments
Many of the changes made to Louisiana’s data security laws echo similar revisions in other states. Several states have opened their data security laws to expand beyond notification procedures to now requiring “reasonable” security practices and destruction of outdated data. Unlike Alabama’s new data security law, Louisiana’s revised law does not define what security practices qualify as “reasonable”, which may cause some concern amongst Subject Entities looking for guidance when updating their security practices.
It is possible that the new revisions may lead to increased litigation for data breaches. The Attorney General currently is and remains the primary enforcer of the data breach laws; however, private rights of action are permitted. Codifying violations of these statutes as an unfair trade practice may lead to an increase in suits filed under these statutes. However, a potential plaintiff will likely still be required to provide that he or she was injured by the breach, which has been a difficult task for plaintiffs that have not suffered an identity theft.
The new law becomes effective on August 1, 2018. Until that time, Subject Entities that have not recently reviewed their data security policies and practices may want to consider an update.
[i] Act 382 of the 2018 Regular Session can be found at the following address: https://www.legis.la.gov/legis/ViewDocument.aspx?d=1101149.
[ii] These states include, but are not limited to Arizona, Delaware, Illinois, Iowa, Maryland, Nebraska, New Mexico, North Carolina, Oregon, South Dakota, Wisconsin, and Wyoming.