March 30, 2025
Doin’ business in the Bayou state? Review information here to get a handle on Louisiana Cybersecurity Privacy & Data Security Laws.
The Insurance Data Security Law (IDSL). Act 283 (HB 614) of the 2020 Regular Session of the Louisiana Legislature established the standards applicable to licensees relative to data security, the investigation of a cybersecurity event, and notification to the Commissioner of Insurance (Commissioner) of a cybersecurity event.
The IDSL applies to all licensees of the Louisiana Department of Insurance. “Licensee” is defined in La. R.S. 22:2503(7) to include any person licensed, authorized to operate, or registered or required to be licensed, authorized, or registered pursuant to Louisiana insurance laws. It expressly excludes:
Licensees must develop, implement and maintain a comprehensive written information security program (ISP) that complies with the requirements of La. R.S. 22:2504 no later than August 1, 2021. The ISP must be based on the licensee’s risk assessment and it must contain administrative, technical and physical safeguards for the protection of nonpublic information. Additionally, the licensee’s ISP must be commensurate with the size and complexity of the licensee, its activities, including use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in its possession, custody or control. Nonpublic information is defined in La. R.S. 22:2503(9) for purposes of the IDSL. Furthermore, a licensee has the obligation to notify the Commissioner of a cybersecurity event in accordance with La. R.S. 22:2506.
Licensees that meet any of the criteria outlined in La. R.S. 22:2509(A) (for example, licensees who have fewer than twenty-five employees, less than five million dollars in gross annual revenue, or less than ten million dollars in year-end total assets) are exempt from compliance with La. R.S. 22:2504. Unless the licensee falls within an exemption specified in La. R.S. 22:2509, it shall, no later than August 1, 2022, require each of its third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the licensee’s third-party service provider.
Effective January 1, 2006
Effective August 1, 2018
Application. Any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity that conducts business in LA or that owns or licenses computerized data that includes PI, or any agency that owns or licenses computerized data that includes PI (collectively, Entity).
Security Breach Definition. The compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to PI maintained by an Entity.
Notification Obligation. Any Entity to which the statute applies shall, following discovery of a breach of the security of the system containing such data, notify any resident of the state whose PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Attorney General Notification. When notice to LA citizens is required by the statute, the Entity shall provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s Office. Notice shall include the names of all LA citizens affected by the breach. Notice to the state AG shall be timely if received within 10 days of distribution of notice to LA citizens. Each day notice is not received by the state AG shall be deemed a separate violation.
Third-Party Data Notification. Any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity that maintains computerized data that includes PI that the agency or person does not own shall notify the owner or licensee of the information if the PI was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data, following discovery by the agency or person of a breach of the security system.
Timing of Notification. The notification required pursuant to the statute shall be made in the most expedient time possible and without unreasonable delay, but not later than 60 days from discovery of the breach, consistent with any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. When notification is delayed by law enforcement request or due to a determination by the Entity that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system, the Entity shall provide the attorney general the reasons for the delay in writing within the 60-day notification period. Upon receipt of the written reasons, the attorney general shall allow a reasonable extension of time to provide the consumer notification.
Personal Information Definition. The first name or first initial and last name of a LA resident in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:
“Personal information” shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice Required. Notice may be provided by one of the following methods:
Substitute Notice Available. Substitute notice may be used if an Entity demonstrates that the cost of providing notification would exceed $100,000, or that the affected class of persons to be notified exceeds 100,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
Exception: Own Notification Policy. Any Entity that maintains notification procedures as part of its information security policy for the treatment of PI which is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if the Entity notifies subject persons in accordance with the policy and procedures in the event of a breach of the security of the system.
Exception: Compliance with Other Laws.
Penalties.
Other Key Provisions:
Private Right of Action. A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s PI.