Louisiana | Data Breach Law

January 3, 2018

You are here:
< Back

Notification of Affected Parties

Affected residents must be notified as soon as possible when a Louisiana business’s data breach compromises their personal information. Notification must be made via mail or electronic means, except when the security breach affects more than 500,000 people, or the cost of notification exceeds $250,000. In these cases, public service announcements can be used. Learn more about LA’s data breach laws below.

Name of Law / Statute Database Security Breach Notification Law
Definition of Protected Information Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes.
Who Is Subject to Law? Any person or agency conducting business in the state or who owns or licenses computer data containing PI
Notification of Consumers? Yes, unless determination of no harm by business
By what means? Written or electronic
Substitute Notice Threshold? If cost of notice >$250,000 or involves >500k residents
Notification of authorities / regulators required? Yes, within 10 days of notice to consumers (per LA Admin. Code title 16 § 701)
By what means? Copy of the notice to consumers
Regulatory Fines Up to $5000/violation if no notice to AG within 10 days
Credit monitoring requirement? No
Private lawsuits allowed? Yes
Private damages cap? Actual economic damages
Regulatory actions allowed? N/A
HIPAA Compliance exemption? N/A
Other  (e.g., timeframe) Law does not apply if PI was encrypted or redacted
Link to complete law Louisiana’s Data Breach Law

Read the full text of Louisiana’s data breach law.