§3074. Protection of personal information; disclosure upon breach in the security of personal information; notification requirements; exemption
A. Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
B. Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information shall take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
C. Any person that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall, following discovery of a breach in the security of the system containing such data, notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
D. Any agency or person that maintains computerized data that includes personal information that the agency or person does not own shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data, following discovery by the agency or person of a breach of security of the system.
E. The notification required pursuant to Subsections C and D of this Section shall be made in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach, consistent with the legitimate needs of law enforcement, as provided in Subsection F of this Section, or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. When notification required pursuant to Subsections C and D of this Section is delayed pursuant to Subsection F of this Section or due to a determination by the person or agency that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system, the person or agency shall provide the attorney general the reasons for the delay in writing within the sixty day notification period provided in this Subsection. Upon receipt of the written reasons, the attorney general shall allow a reasonable extension of time to provide the notification required in Subsections C and D of this Section.
F. If a law enforcement agency determines that the notification required under this Section would impede a criminal investigation, such notification may be delayed until such law enforcement agency determines that the notification will no longer compromise such investigation.
G. Notification may be provided by one of the following methods:
(1) Written notification.
(2) Electronic notification, if the notification provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001.
(3) Substitute notification, if an agency or person demonstrates that the cost of providing notification would exceed one hundred thousand dollars, or that the affected class of persons to be notified exceeds one hundred thousand, or the agency or person does not have sufficient contact information. Substitute notification shall consist of all of the following:
(a) E-mail notification when the agency or person has an e-mail address for the subject persons.
(b) Conspicuous posting of the notification on the Internet site of the agency or person, if an Internet site is maintained.
(c) Notification to major statewide media.
H. Notwithstanding Subsection G of this Section, an agency or person that maintains a notification procedure as part of its information security policy for the treatment of personal information which is otherwise consistent with the timing requirements of this Section shall be considered to be in compliance with the notification requirements of this Section if the agency or person notifies subject persons in accordance with the policy and procedure in the event of a breach of security of the system.
I. Notification as provided in this Section shall not be required if after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to the residents of this state. The person or business shall retain a copy of the written determination and supporting documentation for five years from the date of discovery of the breach of the security system. If requested in writing, the person or business shall send a copy of the written determination and supporting documentation to the attorney general no later than thirty days from the date of receipt of the request. The provisions of R.S. 51:1404(A)(1)(c) shall apply to a written determination and supporting documentation sent to the attorney general pursuant to this Subsection.
J. A violation of a provision of this Chapter shall constitute an unfair act or practice pursuant to R.S. 51:1405(A).
Acts 2005, No. 499, §1, eff. Jan. 1, 2006; Acts 2018, No. 382, §1.