TEKRiSQ | Technology Risk Assessment Platform  

Louisiana Cybersecurity, Privacy & Data Security Law

March 30, 2025

Doin’ business in the Bayou state? Review information here to get a handle on Louisiana Cybersecurity Privacy & Data Security Laws.

Insurance Data Security Law (IDSL)

The Insurance Data Security Law (IDSL). Act 283 (HB 614) of the 2020 Regular Session of the Louisiana Legislature, established the standards applicable to licensees relative to data security, the investigation of a cybersecurity event, and notification to the Commissioner of Insurance (Commissioner) of a cybersecurity event.

Licensee Requirements and Exemptions

The IDSL applies to all licensees of the Louisiana Department of Insurance. “Licensee” is defined in La. R.S. 22:2503(7) to include any person licensed, authorized to operate, or registered or required to be licensed, authorized, or registered pursuant to Louisiana insurance laws. It expressly excludes;

  • (1) purchasing groups or risk retention groups chartered and licensed in a state other than Louisiana; and
  • (2) assuming insurers that are domiciled in a state or jurisdiction other than Louisiana.

Licensees must develop, implement and maintain a comprehensive written information security program (ISP) that complies with the requirements of La. R.S. 22:2504 no later than August 1, 2021. The ISP must be based on the licensee’s risk assessment and it must contain administrative, technical and physical safeguards for the protection of nonpublic information. Additionally, the licensee’s ISP must be commensurate with the size and complexity of the licensee, its activities, including use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in its possession, custody or control. Nonpublic information is defined in La. R.S. 22:2503(9) for purposes of the IDSL. Furthermore, a licensee has the obligation to notify the Commissioner of a cybersecurity event in accordance with La. R.S. 22:2506.

Licensees that meet any of the criteria outlined in La. R.S. 22:2509(A) (for example, licensees who have fewer than twenty-five employees, less than five million dollars in gross annual revenue, or less than ten million dollars in year-end total assets) are exempt from compliance with La. R.S. 22:2504. Unless the licensee falls within an exemption specified in La. R.S. 22:2509, it shall, no later than August 1, 2022, require each of its third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the licensee’s third-party service provider.

  • Pursuant to La. R.S. 22:2503, a third-party service provider means “a person, not otherwise defined as a licensee, who contracts with a licensee to maintain, process, store, or otherwise have access to nonpublic information through its provision of services to the licensee.” Domestic Insurer Filing Requirements Beginning February 15, 2022, each domestic insurer must annually submit a “Louisiana Insurance Data Security Law Information Security Program Certification Form” to the Commissioner by February 15th , certifying that the insurer complies with the requirements of La. R.S. 22:2504. If the insurer falls within an exemption specified in La. R.S. 22:2509, it must instead submit a “Louisiana Insurance Data Security Law Information Security Program Exemption Certification Form” certifying which exemption applies by February 15th annually. Only domestic insurers are required to submit the annual certification or exemption forms to the Commissioner. Annual certification and exemption forms are to be submitted through the Cybersecurity Certification Module in the Industry Access Portal, found at https://ia.ldi.state.la.us/industryaccess/.

Louisiana Dept. Of Insurance Data Security Program Requirements

Business Regulations:

Louisiana Breach Law

Effective January 1, 2006

  • S.B. 361 (signed into law May 16, 2018, Act 382)

Effective August 1, 2018

Application. Any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity that conducts business in LA or that owns or licenses computerized data that includes PI, or any agency that owns or licenses computerized data that includes PI (collectively, Entity).

  • The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on LA residents, whether or not the Entity conducts business in LA.

Security Breach Definition. The compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to PI maintained by an Entity.

  • Good-faith acquisition of PI by an employee of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used for, or is not subject to, unauthorized disclosure.

Notification Obligation. Any Entity to which the statute applies shall, following discovery of a breach of the security of the system containing such data, notify any resident of the state whose PI was, or is reasonably believed to have been, acquired by an unauthorized person.

  • Notification is not required if after a reasonable investigation the Entity determines that there is no reasonable likelihood of harm to LA residents. The Entity shall retain a copy of the written determination and supporting documentation for 5 years, and provide a copy to the Attorney General upon request.

Attorney General Notification. When notice to LA citizens is required by the statute, the Entity shall provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s Office. Notice shall include the names of all LA citizens affected by the breach. Notice to the state AG shall be timely if received within 10 days of distribution of notice to LA citizens. Each day notice is not received by the state AG shall be deemed a separate violation.

Third-Party Data Notification. Any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity that maintains computerized data that includes PI that the agency or person does not own shall notify the owner or licensee of the information if the PI was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data, following discovery by the agency or person of a breach of the security system.

Timing of Notification. The notification required pursuant to the statute shall be made in the most expedient time possible and without unreasonable delay, but not later than 60 days from discovery of the breach, consistent with any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. When notification is delayed by law enforcement request or due to a determination by the Entity that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system, the Entity shall provide the attorney general the reasons for the delay in writing within the 60-day notification period. Upon receipt of the written reasons, the attorney general shall allow a reasonable extension of time to provide the consumer notification.

Personal Information Definition. The first name or first initial and last name of a LA resident in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:

  • Social Security Number;
  • Driver license number or state identification card number;
  • Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  • Passport number; or
  • Biometric data. “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual’s identity when the individual accesses a system or account

“Personal information” shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notice Required. Notice may be provided by one of the following methods:

  • Written notification; or
  • Electronic notification, if the notification provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).

Substitute Notice Available.  If an Entity demonstrates that the cost of providing notification would exceed $100,000, or that the affected class of persons to be notified exceeds 100,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:

  • Email notification when the Entity has an email address for the subject persons;
  • Conspicuous posting of the notification on the Entity’s Web site if the Entity maintains one; and
  • Notification to major statewide media.

Exception: Own Notification Policy. Any Entity that maintains notification procedures as part of its information security policy for the treatment of PI which is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if the Entity notifies subject persons in accordance with the policy and procedures in the event of a breach of a security of the system.

Exception: Compliance with Other Laws.

  • Federal Interagency Guidance. A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, and any revisions, additions, or substitutions relating to said interagency guidance, shall be deemed to be in compliance.

Penalties.

  • A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s PI.
  • Failure to provide timely notice may be punishable by a fine not to exceed $5,000 per violation. Notice to the state AG shall be timely if received within 10 days of distribution of notice to LA citizens. Each day notice is not received by the state AG shall be deemed a separate violation.

Other Key Provisions:

  • Delay for Law Enforcement. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by the statute must be made without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

Private Right of Action. A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s PI.

Categories: Breach Laws, States

Tags: , , , , , , , , , ,

 
South Dakota Cybersecurity Law

© Copyright 2025 TEKRiSQ, INC. All rights reserved.
Website by: Colophon

TEKRiSQ BBB Business Review