
Louisiana: Cybersecurity


November 2021

1. GOVERNING TEXTS

Please note that this Guidance Note refers to state-wide legislation for Louisiana. In addition to state requirements outlined here, please note that federal cybersecurity requirements may be applicable under federal laws such as the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). For more information, please refer to the following OneTrust DataGuidance Guidance Notes:

Louisiana residents' general right to privacy is established in Article I, §5 of the Louisiana Constitution of 1974 ('the Constitution'), which provides that each person shall be 'secure in his person, property, communications, houses, papers, and effects against unreasonable searches, seizures, or invasions of privacy'. While the remainder of that section addresses warrantless searches and improper seizures, Article I, §5 has been recognised as the constitutional basis for the statutory privacy rights in personal information enacted over the years. Most relevant to this Guidance Note is La. Rev. Stat. §51:3071 et seq. (Chapter 51 of Title 51 of the Louisiana Revised Statutes), the Database Security Breach Notification Law, enacted in 2005. The categories of data covered by the Database Security Breach Notification Law relate primarily to financial identity theft. In 2018, however, amendments to La. Rev. Stat. §51:3073 added passport numbers and biometric data to the definition of personal information.

The 2018 amendments also introduced a requirement for persons conducting business in Louisiana to maintain reasonable security measures to protect personal information from unauthorised access, destruction, use, modification, or disclosure, and to take reasonable steps to destroy, or otherwise render unreadable, records containing personal information once they are no longer needed. The law does not specify what 'reasonable' security consists of; the statutory language is set out in section 3.1 below.

Louisiana does not have a comprehensive data protection law, like those found in California or the European Union, but additional privacy rights have been established through piecemeal legislation. For certain regulated industries (e.g., health care entities or financial services), the Database Security Breach Notification Law frequently defers to the protections found in HIPAA, GLBA, and similar regulations.

Louisiana has assigned task forces to continue to evaluate additional data protection legislation and state needs. In 2017, Louisiana Governor John Bel Edwards issued an Executive Order establishing the Louisiana Cybersecurity Commission ('the Cybersecurity Commission') with the mission of advancing Louisiana's cyber ecosystem and positioning Louisiana as a national leader and preferred location for cyber business, education, and research. Evaluation of a comprehensive data protection law has also been delegated to the Cybersecurity Commission. In 2021, Governor Edwards signed a proclamation recognising October as Cybersecurity Awareness Month in Louisiana, which coincides with the national Cybersecurity and Infrastructure Security Agency ('CISA') cybersecurity campaign. The Louisiana Senate has also tasked the Joint Legislative Committee on Technology and Cybersecurity to study the impacts of the buying, selling, and usage of consumer data transactions and to submit a written report of its findings.

2. SCOPE OF APPLICATION

The Louisiana Database Security Breach Notification Law was signed in 2005 and became effective on 1 January 2006. Under this Law, businesses and agencies that maintain personal information of Louisiana residents must notify the affected Louisiana residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person as a result of a breach of the security of a data system. In 2018, amendments to La. Rev. Stat. §51:3073 et seq. added further categories of personal information, introduced data protection requirements, and imposed a 60-day deadline for notifying affected individuals.

The information covered by La. Rev. Stat. §51:3073 is personal information, which is defined as the first name or first initial and last name of an individual Louisiana resident in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted (La. Rev. Stat. §51:3073(4)(a)):

  • social security number;
  • driver's license number or state identification card number;
  • account number, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  • passport number; or
  • biometric data, meaning data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual's identity when the individual accesses a system or account.

Personal information does not include publicly available information that is lawfully made available to the public from federal, state, or local government records (La. Rev. Stat. §51:3073(4)(b)).

Any other information that does not fall in the above categories would not constitute personal information, and a breach of that information would not require notification under the Database Security Breach Notification Law. However, there may be other federal laws (e.g., HIPAA) or state regulations (e.g., laws governing an insurance-related data incident) that may require notification depending on the type of data involved or entity breached.

Note also that Louisiana provides for an 'encryption safe harbor'. If the affected data falls into one or more of the above categories, but the information was encrypted and the encryption key, or any other mechanism for accessing the data in a readable form, was not itself accessed, then the information does not constitute personal information and notification is not required. The safe harbor therefore turns on the key as much as the ciphertext: it is only available where keys are managed separately from the data and the incident investigation can establish that they were not compromised.

Louisiana does also allow for a 'risk of harm' analysis before sending notifications. If after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to the Louisiana residents potentially affected by a security breach, notification is not required. If that determination is made, the person or business must retain a written record of the determination and supporting documents for five years from the date of discovery of the breach of the security system. Within 30 days of written request, the person or business will provide a copy of the written determination and supporting documents to the Louisiana Attorney General ('AG') (La. Rev. Stat. §51:3074(I)).

Compliance with the Database Security Breach Notification Law is required from persons (individuals as well as legal entities) that conduct business in the state of Louisiana or that own or license computerised data that includes personal information. This definition is broad enough to encompass businesses not domiciled in Louisiana that own or license data of Louisiana residents; such businesses must provide notice to Louisiana residents in the same manner as if they were located in Louisiana (La. Rev. Stat. §51:3074(C)).

The Database Security Breach Notification Law also applies to agencies that own or license computerised data including personal information. Agencies include the state, a political subdivision of the state, and any officer, agency, board, commission, department, or similar body of the state (La. Rev. Stat. §51:3073, 3074(D)).

3. GENERAL REQUIREMENTS

3.1. Implementation of a cybersecurity framework

For most entities in Louisiana, there are no specific requirements on how to structure a cybersecurity framework. Rather, most businesses will fall under the very general requirements of the Database Security Breach Notification Law. Under that Law, any person that conducts business in Louisiana or that owns or licenses computerised data including personal information or any agency that owns or licenses computerised data including personal information must 'maintain reasonable security procedures and practices appropriate to the nature of the information' so that the personal information can be protected 'from unauthorized access, destruction, use, modification, or disclosure' (La. Rev. Stat. §51:3074(A)). To that end, the person or agency conducting business must also 'take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control' that contain personal information that is to be no longer maintained by the business or agency (La. Rev. Stat. §51:3074(B)). 'Destruction' under this section means to shred, erase, or otherwise modify the personal information in the records so that it is unreadable or undecipherable 'through any means' (La. Rev. Stat. §51:3074(B)).

Entities regulated by the Louisiana insurance laws are required to implement an Information Security Program, which is further discussed in section 4 below.

3.2. Notification of cybersecurity incidents

3.2.1.  In case of a cybersecurity incident, is there an obligation to notify the regulatory authority?

Yes. If an entity is required to notify affected persons under the Database Security Breach Notification Law, then the Louisiana AG must also be notified, pursuant to Title 16 of the Louisiana Administrative Code ('La. Admin. Code') §16-3-701.

3.2.2. If yes, please describe the process, timeline, and any other formality that needs to be adhered to.

Louisiana does not have any specific content requirements for the notice to affected persons. Notices must be sent to affected persons within 60 days of discovery of the breach, consistent with the legitimate needs of law enforcement and any measures needed to determine the scope of the breach, prevent further disclosures, and restore the integrity of the data system. If notification is delayed, the reporting entity must provide the Louisiana AG with the reasons for the delay in writing within that same 60-day period; upon receipt of the written reasons, the AG will allow a reasonable extension of time (La. Rev. Stat. §51:3074(E)). If a law enforcement agency determines that providing notice would impede a criminal investigation, the notice may be delayed until the law enforcement agency determines that providing notice would not compromise the investigation (La. Rev. Stat. §51:3074(F)).

The Louisiana AG's Office must receive notice of the mailing of notifications to affected persons within ten days of the date of distribution of the notices. Notices can be sent by mail to the Louisiana AG's Office, Consumer Protection Division, 1885 North Third Street, Baton Rouge, LA 70802. The notice to the AG must include a list of the names of all affected Louisiana residents (La. Admin. Code §16-3-701).

Failure to timely provide notice may result in a fine of up to $5,000. Each day that the notice is not received by the AG after the ten-day deadline constitutes a separate violation (La. Admin. Code §16-3-701(B)).

3.2.3. In case of a cybersecurity incident, are there other subjects that need to be notified?

If the person or agency that maintains computerised data does not own the personal information that was affected, then that person or agency must notify the information's owner or licensee following discovery of any breach. Notice is subject to the same timing requirements as notices to affected persons (La. Rev. Stat. §51:3074(D)-(E)).

Certain businesses are deemed compliant with the Database Security Breach Notification Law. For example, financial institutions that are subject to and in compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued on 7 March 2005 by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, together with any revisions, additions, or substitutions relating to that interagency guidance, are considered to be in compliance with the Database Security Breach Notification Law (La. Rev. Stat. §51:3076). Likewise, if a person or agency maintains a notification procedure as part of an information security program for the treatment of personal information that is otherwise consistent with the statute's timing requirements, and follows that procedure during an incident, then that person or agency is also deemed compliant (La. Rev. Stat. §51:3074(H)).

3.2.4. Please outline any other bodies that might be notified.

Not applicable.

For more information please refer to the following OneTrust DataGuidance Guidance Note Louisiana - Data Breach.

3.3. Appointment of a security officer

Louisiana currently does not require the appointment of a security officer specifically for cybersecurity matters.

3.4. Other requirements

Louisiana allows for a civil action to be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information (La. Rev. Stat. §51:3075).

4. REQUIREMENTS IN THE INSURANCE SECTOR

4.1. Definitions

Consumer means a natural person who is a resident of Louisiana and whose non-public information is in a licensee's possession, custody, or control (La. Rev. Stat. §22:2503(2)).

Cybersecurity event means an event resulting in unauthorised access to, or disruption or misuse of, an information system or non-public information stored on an information system (La. Rev. Stat. §22:2503(3)(a)).

Information Security Program means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle non-public information (La. Rev. Stat. §22:2503(5)).

Information System means a discrete set of electronic information resources organised for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic non-public information. 'Information system' includes any specialised system, such as industrial or process control systems, telephone switching and private branch exchange systems, and environmental control systems (La. Rev. Stat. §22:2503(6)).

Licensee means any person licensed, authorised to operate, registered, or required to be licensed, authorised, or registered pursuant to the insurance laws of Louisiana. 'Licensee' does not include (La. Rev. Stat. §22:2503(7)(a)):

  • a purchasing group or a risk retention group chartered and licensed in a state other than Louisiana; or
  • a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Non-public Information means electronic information that is not publicly available information and is any of the following (La. Rev. Stat. §22:2503(9)(a)):

  • Any information concerning a consumer which, because of name, number, personal mark, or other identifier, can be used to identify a consumer, in combination with any one or more of the following data elements:
    • Social Security Number;
    • driver's license number or nondriver identification card number;
    • financial account number or credit or debit card number;
    • any security code, access code, or password that would permit access to a consumer's financial account; or
    • biometric records.
  • Any information or data, except age or gender, in any form or medium created by or derived from a healthcare provider or consumer, that can be used to identify a particular consumer, and that relates to any of the following:
    • the past, present, or future physical, mental, or behavioural health or condition of any consumer;
    • the provision of health care to any consumer; or
    • the payment for the provision of health care to any consumer.

4.2. Information security program implementation

As of 1 August 2021, Louisiana licensees must develop, implement, and maintain a comprehensive, written Information Security Program. The licensee's Information Security Program should be designed to do the following (La. Rev. Stat. §22:2504(B)):

  • protect the security and confidentiality of non-public information and the security of the information system;
  • protect against any threats or hazards to the security or integrity of non-public information and the information system;
  • protect against unauthorised access to or use of non-public information and minimise the likelihood of harm to any consumer; and
  • define and periodically re-evaluate a schedule for retention of non-public information and a mechanism for its destruction when no longer needed.

The Information Security Program must satisfy the following criteria (La. Rev. Stat. §22:2504(H)):

  • be based on the licensee's risk assessment;
  • contain administrative, technical, and physical safeguards for the protection of non-public information and the licensee's information system;
  • be commensurate with the following:
    • the size and complexity of the licensee;
    • the nature and scope of the licensee's activities including the use of third-party service providers; and
    • the sensitivity of the non-public information used by the licensee or in the licensee's possession, custody, or control (La. Rev. Stat. §22:2504(A));
  • contain a written incident response plan designed to promptly respond to and recover from any cybersecurity event that compromises the confidentiality, integrity, or availability of non-public information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations. This plan must address the following:
    • the internal process for responding to a cybersecurity event;
    • the goals of the incident response plan;
    • the definition of clear roles, responsibilities, and levels of decision-making authority;
    • the external and internal communications and information sharing;
    • the identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
    • the documentation and reporting regarding cybersecurity events and related incident response activities;
    • the evaluation and revision of the incident response plan, as necessary, following a cybersecurity event.

The licensee risk assessment should include all the following activities (La. Rev. Stat. §22:2504(C)):

  • designating one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and to be responsible for the Information Security Program;
  • identifying reasonably foreseeable internal or external threats that could result in unauthorised access, transmission, disclosure, misuse, alteration, or destruction of non-public information, including the security of information systems and non-public information that are accessible to or held by third-party service providers;
  • assessing the likelihood and potential damage of these threats, taking into consideration the sensitivity of the non-public information;
  • assessing the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including the following:
    • employee training and management;
    • information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and
    • detecting, preventing, and responding to attacks, intrusions, or other system failures; and
  • implementing information safeguards to manage the threats identified in its ongoing assessment, and, at least once per year, assess the effectiveness of the safeguards' key controls, systems, and procedures.

Based on the results of the risk assessment, the licensee is required to (La. Rev. Stat. §22:2504(D)):

  • design an Information Security Program to mitigate the identified risks, commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including the use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee's possession, custody, or control;
  • implement the following security measures that the licensee determines are appropriate:
    • placing access controls on information systems, including controls to authenticate and permit access only to authorised individuals to protect against the unauthorised acquisition of non-public information;
    • identifying and managing the data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes in accordance with their relative importance to business objectives and the organisation's risk strategy;
    • restricting physical access to non-public information to authorised individuals;
    • protecting by encryption or other appropriate means all non-public information while it is being transmitted over an external network, and all non-public information stored on a laptop computer or other portable computing or storage device or media;
    • adopting secure development practices for in-house developed applications used by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications used by the licensee;
    • modifying the information system in accordance with the licensee's Information Security Program;
    • using effective controls, which may include multifactor authentication procedures for any individual accessing non-public information;
    • regularly testing and monitoring systems and procedures to detect actual and attempted attacks on or intrusions into information systems;
    • including audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; and
    • implementing measures to protect against destruction, loss, or damage of non-public information due to environmental hazards, such as fire and water damage, or other catastrophes or technological failures.
  • develop, implement, and maintain procedures for the secure disposal of non-public information in any format;
  • include cybersecurity risks in the licensee's enterprise risk management process;
  • stay informed regarding emerging threats or vulnerabilities;
  • use reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and
  • provide its personnel with cybersecurity awareness training that reflects current risks identified by the licensee in the risk assessment.

Licensees are required to monitor, evaluate, and adjust, as appropriate, the Information Security Program consistent with any relevant changes in technology, the sensitivity of its non-public information, internal or external threats to information, and the licensee's own changing business arrangements, including, but not limited to, mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems (La. Rev. Stat. §22:2504(G)).

4.3. Cybersecurity incidents

If a licensee learns that a cybersecurity event may have or has occurred, the licensee (or an outside vendor or service provider designated to act on behalf of the licensee) must conduct a prompt investigation, including (La. Rev. Stat. §22:2505(B)):

  • determining whether a cybersecurity event occurred;
  • assessing the nature and scope of the cybersecurity event;
  • identifying any non-public information that may have been involved in the cybersecurity event; and
  • undertaking reasonable measures to restore the security of the information systems compromised in the cybersecurity event to prevent further unauthorised acquisition, release, or use of non-public information in the licensee's possession, custody, or control.

If the cybersecurity event may have or has occurred in a system maintained by a third-party service provider, the licensee must either make reasonable efforts to perform the investigation itself, or make reasonable efforts to confirm and document that the third-party service provider investigated properly. All records concerning the cybersecurity event must be maintained for at least five years from the date of the event and must be produced upon demand of the Commissioner (La. Rev. Stat. §22:2505(C)).

The licensee must also notify the Commissioner without unreasonable delay, and in no more than three business days from the determination that a cybersecurity event involving non-public information occurred, when either of the following applies (La. Rev. Stat. §22:2506(A)):

  • the licensee is an insurer domiciled in Louisiana or is a producer, adjuster, or public adjuster with a home state in Louisiana, and the cybersecurity event has a reasonable likelihood of materially harming:
    • any consumer residing in this state; or
    • a material part of the licensee's normal operations.
  • the licensee reasonably believes that the non-public information involved relates to 250 or more Louisiana consumers and that a cybersecurity event has occurred that:
    • requires notice to any government body, self-regulatory agency, or other supervisory body pursuant to any state or federal law; or
    • has a reasonable likelihood of materially harming:
      • any consumer residing in this state; or
      • a material part of the licensee's normal operations.

The notice to the Commissioner must include as much of the following information as possible, in electronic form (La. Rev. Stat. §22:2506(B)(2)):

  • date of the cybersecurity incident;
  • description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers;
  • how the cybersecurity event was discovered;
  • whether any lost, stolen, or breached information has been recovered and, if so, how recovery was accomplished;
  • the source of the cybersecurity incident;
  • whether the licensee filed a police report or notified any regulatory, government, or law enforcement agencies and when the notification was provided;
  • the specific types of information acquired without authorisation, including but not limited to types of medical information, types of financial information, or types of information allowing identification of the consumer;
  • the period during which the cybersecurity event compromised the information system;
  • the total number of affected consumers (if not known, a best estimate should be provided and updated in subsequent reports);
  • the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
  • description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur;
  • a copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
  • the name of a contact person who is both familiar with the cybersecurity event and authorised to act for the licensee.

The licensee is obligated to continuously update and supplement the initial and subsequent notifications to the Commissioner regarding any material changes to the prior report(s) (La. Rev. Stat. §22:2506(B)(1)).

The licensee is required to comply with the notice requirements of the Database Security Breach Notification Law, as applicable, and provide the Commissioner with a copy of the notice sent to consumers if the licensee is required to notify the Commissioner (La. Rev. Stat. §22:2506(C)).

If the cybersecurity event occurs in a system maintained by a third-party service provider, the licensee is still obligated to treat the event the same way as it would if a breach of its own systems had occurred, unless the third-party service provider makes the required notification to the Commissioner. In this case, the deadline clock begins to run the day after the third-party service provider notifies the licensee or the date the licensee discovers the event, whichever occurs first (La. Rev. Stat. §22:2506(D)(1)).

If the cybersecurity event involves non-public information used by or is in the possession, custody, or control of a licensee acting as an assuming insurer or its third-party service provider and that does not have a direct contractual relationship with the affected consumers, the assuming insurer must notify the affected ceding insurers and the Commissioner of its domicile state within three business days of determining a cybersecurity event occurred. The ceding insurers that have the direct contractual relationship with affected consumers will fulfil the notification requirements (La. Rev. Stat. §22:2506(E)).

For cybersecurity events that involve non-public information in the possession, custody, or control of a licensee that is an insurer or its third-party service provider for which a consumer accessed the insurer's services through an independent insurance producer and for which consumer notice is required by the Database Security Breach Notification Law, the insurer shall notify the producers of record of all affected consumers of the cybersecurity event no later than the time at which notice is provided to the affected consumers. The insurer shall be excused from this obligation for any producers who are not authorised by law or contract to sell, solicit, or negotiate on behalf of the insurer, and in those instances in which the insurer does not have the current producer of record information for an individual consumer (La. Rev. Stat. §22:2506(F)).

4.4. Powers / penalties

The Commissioner is authorised to examine and investigate the affairs of any licensee to determine whether the licensee has violated the Insurance Data Security Law, and to take any action necessary or appropriate to enforce its provisions (La. Rev. Stat. §22:2507).

4.5. Other

Reporting Requirements

Each insurer domiciled in Louisiana is required to submit to the Commissioner, every year by 15 February, a certification that the insurer is in compliance with the Information Security Program requirements of La. Rev. Stat. §22:2504. The insurer must maintain all records, schedules, and data supporting the certification for a period of five years for examination by the Commissioner. To the extent an insurer identifies areas, systems, or processes that require material improvement, update, or redesign, the insurer must document the identification and the remediation efforts planned and underway to address them. This documentation must be made available for inspection by the Commissioner.

Board of Directors

For licensees that have a Board of Directors, the board or an appropriate committee of the board shall, at a minimum, require a licensee's executive management or its delegates to do the following (La. Rev. Stat. §22:2504(E)):

  • develop, implement, and maintain the licensee's Information Security Program;
  • report in writing, at least annually, the following information:
    • the overall status of the Information Security Program and the licensee's compliance with the Insurance Data Security Law;
    • material matters related to the Information Security Program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in the Information Security Program.
  • if executive management delegates any of the responsibilities provided for in this Section, management shall oversee the development, implementation, and maintenance of the licensee's Information Security Program prepared by the delegates and shall receive a report from the delegates complying with the requirements of the report to the Board of Directors above.

Third-Party Service Providers

Beginning on 1 August 2022, licensees will also be required to implement further security measures towards third-party service providers. Regarding third-party service providers, licensees will be required to (La. Rev. Stat. §22:2504(F)):

  • exercise due diligence in selecting a third-party service provider; and
  • require third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and non-public information that are accessible to or held by the third-party service provider.

5. REQUIREMENTS IN THE HEALTH SECTOR

5.1. Definitions

Not applicable.

5.2. Security program / framework

Not applicable.

5.3. Incidents

Not applicable.

5.4. Penalties

Not applicable.

5.5. Other

Not applicable.

For more information on federal cybersecurity obligations in the health sector please refer to the following OneTrust DataGuidance Guidance Note USA - HIPAA - Cybersecurity.

6. REQUIREMENTS IN THE FINANCIAL SECTOR

6.1. Definitions

Not applicable.

6.2. Security program / framework

Not applicable.

6.3. Incidents

Not applicable.

6.4. Penalties

Not applicable.

6.5. Other

Not applicable.

For more information on federal cybersecurity obligations in the financial sector please refer to the following OneTrust DataGuidance Guidance Note USA - GLBA Safeguards Rule - Cybersecurity.

7. PENALTIES

Database Security Breach Notification Law

Violations of the Database Security Breach Notification Law may result in penalties and civil actions. The Louisiana AG enforces the Database Security Breach Notification Law under La. Rev. Stat. §51:1401 ('Unfair Trade Practices and Consumer Protection Law') and other consumer protection laws. The AG may seek remedies including injunctive relief, civil penalties of up to $5,000 for each violation (including $5,000 per day for failure to timely report), an additional $5,000 civil penalty for violations against an elderly or disabled person, or restitution (La. Rev. Stat. §51:1407, La. Admin. Code §16-3-701).

In addition to AG enforcement, a civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information (La. Rev. Stat. §51:3075). A civil action may also be brought under the Unfair Trade Practices and Consumer Protection Law related to failure to maintain reasonable security or properly destroy data containing personal information when that violation results in actual damages. Note that claims under the Unfair Trade Practices and Consumer Protection Law may only be brought in an individual capacity and may not be certified as a class action (La. Rev. Stat. §51:1409(A)).

Computer Crimes

Louisiana has updated certain areas of its Criminal Code to address various cyber and computing intrusions, trespass, and malicious actions involving computers. La. Rev. Stat. §§14:73.1-73.12 make the following actions involving computers illegal:

  • intentional unauthorised modifying or destroying of computer equipment or supplies used or intended for use in a computer, computer system, or computer network;
  • intentional denial of full and effective use of, or access to, a computer, computer system, computer network, or computer services to an authorised user without consent;
  • accessing a computer, computer system, or computer network with the intent to defraud or to obtain money, property, or services by means of false or fraudulent actions or through fraudulent alteration, deletion, or insertion of programs or data;
  • using the computer, computer network, or computer services of an electronic mail service provider to transmit bulk emails in contravention of the authority granted by the electronic mail service provider;
  • using a computer or computer network without authority with the intent to falsify or forge emails misrepresenting the sender;
  • intentional unauthorised accessing of a computer or data contained within the computer;
  • intentional unauthorised copying of any program or data stored within a computer;
  • intentional unauthorised damaging or destroying a computer, any programs on it, or any data therein, or eliminating or reducing the ability of the owner to access or utilise the computer or any program or data contained on the computer;
  • intentional unauthorised introduction of malware on a computer;
  • using an internet, virtual, street level map in the commission of a crime;
  • intentional unauthorised impersonation of another person, with the intent to harm, intimidate, threaten, or defraud, in order to open an email account, social media account, or Internet website or send or post messages through social media or other website;
  • intentional unauthorised impersonation of another person, with the intent to harm, intimidate, threaten, or defraud, in order to spoof electronic communications;
  • wilful or malicious injury, destruction, obstruction, delay, or interference with state-controlled communication, military or civil defence communication, or communications controlled by utility distributors; and
  • intentional unauthorised accessing of computing devices owned, operated, or utilised by the state of Louisiana for:
    • obtaining or transmitting to unauthorised persons information that is not subject to public disclosure for the purpose of protecting public health, safety, welfare, or an ongoing law enforcement investigation; or
    • initiating a denial of service attack or any malware.

Violations of these provisions can incur fines ranging from $500 to $15,000 and imprisonment from six months to up to five years, depending on the severity of the crime committed, the damage incurred, and whether the affected entity was a government agency or vital services or operations of the state.

8. OTHER AREAS OF INTEREST

Requirements for managed service providers of public entities

In August 2020, Louisiana became the first state to enact regulations on Managed Service Providers ('MSPs'), which came on the heels of several successful MSP-targeted cyber incidents. Senate Bill 273, Act No. 117 To Enact R.S. 44:4.1(D) and Chapter 31-A of Title 51 of the Louisiana Revised Statutes of 1950 ('SB 273') went fully into effect on 1 February 2021 and applies to MSPs and Managed Security Services Providers ('MSSPs') that supply IT functions to public bodies in Louisiana. The defined purpose of the law is to:

  • create a registry of MSPs and MSSPs doing business in Louisiana;
  • provide access for public bodies to learn about MSPs and MSSPs; and
  • require MSPs and MSSPs to report cyber incidents and payment of cyber ransoms or ransomware (La. Rev. Stat. §51:2111).

Definitions

Cyber incident means the compromise of the security, confidentiality, or integrity of computerised data due to the exfiltration, modification, or deletion that results in the unauthorised acquisition of and access to information maintained by a public body (La. R.S. §51:2112(1)).

Cyber ransom or ransomware means a type of malware that encrypts or locks valuable digital files and demands a ransom to release the files (La. R.S. §51:2112(2)).

Louisiana Fusion Center comprises the Department of Public Safety and Corrections, Office of State Police, Louisiana State Analytical and Fusion Exchange (La. R.S. §51:2112(3)).

MSP means an individual, partnership, corporation, incorporated or unincorporated association, joint stock company, reciprocal, syndicated, or any similar entity or combination of entities that manages a public body's information technology infrastructure or end-user systems. The term shall not include any entity providing communications services subject to regulation or oversight by the Louisiana Public Service Commission or the Federal Communications Commission (La. R.S. §51:2112(6)).

Managed Security Service Provider (MSSP) means an individual, partnership, corporation, incorporated or unincorporated association, joint stock company, reciprocal, syndicated, or any similar entity or combination of entities that provides a managed security service for a public body (La. R.S. §51:2112(5)).

Managed Security Service means a network and system security service that has been outsourced to a third-party service provider pursuant to a written agreement specifying the service and in which the service provider has assumed operational control of the monitoring and management of the public body's cybersecurity. The term shall not include a cybersecurity consulting service or customer-managed service purchased from the provider (La. R.S. §51:2112(4)).

Provider means an MSP or MSSP that requires remote management or operational control of a public body's network or end user systems (La. R.S. §51:2112(7)).

Public Body means any branch, department, office, agency, board, commission, district, governing authority, political subdivision, or any other instrumentality of the state, parish, or municipal government, including a public or quasi-public non-profit corporation designated as an entity to perform a governmental or proprietary function (La. R.S. §51:2112(8)).

Requirements for doing business in Louisiana

Providers may not provide managed security services to a public body in Louisiana unless the provider is registered with the Louisiana Secretary of State and remains in good standing. The application to the Louisiana Secretary of State must contain the provider's name, address, telephone number, contact person, and designation of a person in this State for service of process, and provide a listing of all officers, all directors, and all owners of ten percent or more of the provider. Additionally, the provider shall file a copy of its basic organisational documents, including, but not limited to, articles of incorporation, articles of organisation, articles of association, or partnership agreement.

Registration is effective for two years unless it is denied or revoked. The registration renewal application must be submitted at least 90 days prior to the expiration of a registration. If there is any change in the registration information, the Secretary of State must be notified and provided a copy of any supporting documentation no later than 60 days after the effective date of the change (La. Rev. Stat. §51:2113).

Any contracts entered into by a public body with an unregistered provider are null and void (La. Rev. Stat. §51:2115).

Notification of cyber incidents and ransomware payments

The provider must provide the notices described in La. Rev. Stat. §51:2114 only if the contract terms explicitly incorporate the provisions of SB 273 and La. Rev. Stat. §51:2111 et seq.

If a provider has actual knowledge of a cyber incident that impacts a public body, the provider must notify the Louisiana Fusion Center within 24 hours of discovery of the incident. Notice must include the name of the impacted public body (La. Rev. Stat. §51:2114).

If the provider has a cyber incident which impacts a public body and the provider or public body makes a ransom payment, to the extent the provider has actual knowledge of the payment, the provider shall report the payment to the Louisiana Fusion Center within ten calendar days of the payment. Notification must include the name of the affected public body.

Computer spyware prohibitions

Louisiana law prohibits intentional use of computer software by an unauthorised user to do any of the following:

  • modify through deceptive means any settings related to the computer's access to or use of the internet, including:
    • the webpage that launches when an authorised user launches an internet browser or other program to use the internet;
    • the default provider or website proxy used to access or search the internet; or
    • the authorised user's bookmarks used to access websites.
  • collect through deceptive means:
    • keystroke logs;
    • all or substantially all of the websites visited by an authorised user if the software was installed in a way to conceal the fact that the software had been installed; or
    • personal information extracted for a purpose unrelated to the purpose of the software or service described to a user.
  • prevent, without authorisation and through deceptive means, an authorised user's reasonable efforts to block installation or disable software by causing software that the authorised user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorisation;
  • misrepresent that software will be uninstalled or disabled with the knowledge that no such action will be taken; and
  • through deceptive means, remove, disable, or render inoperative security, anti-spyware, or anti-virus software installed on the computer (La. Rev. Stat. §51:2008).

For the purposes of this statute, 'personal information' refers to any of the following:

  • credit or debit card numbers or other financial account numbers;
  • a password or personal identification number required to access an identified financial account other than a password, personal identification number, or other identification number transmitted by an authorised user to the issuer of the account or its agent;
  • Social Security Number; or
  • any of the following in a form that personally identifies the authorised user:
    • account balances;
    • overdraft history;
    • payment history;
    • internet browsing history;
    • home address;
    • work address; or
    • a record of purchase(s).

Louisiana's spyware prohibitions further prohibit the intentional use of computer software by an unauthorised user to do any of the following:

  • take control of the authorised user's computer by:
    • sending commercial emails or a computer virus from the authorised user's computer without authorisation;
    • accessing or using the authorised user's modem or internet service for the purpose of causing damage to the authorised user's computer or causing the user to incur unauthorised financial charges;
    • using the authorised user's computer as part of an activity performed by a group of computers to cause damage to another computer, including a denial of service attack; or
    • opening a series of stand-alone messages in the authorised user's computer without the authorisation of an authorised user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the internet application.
  • modify settings related to the computer's access to or use of the internet, including:
    • an authorised user's settings for the purpose of stealing personal information of an authorised user; or
    • the security settings for the purpose of causing damage to one or more computers.
  • preventing an authorised user's reasonable efforts to block installation of or disable software by:
    • presenting an option to the user to decline installation of a software that nonetheless installs anyway;
    • falsely representing that the software has been disabled;
    • requiring in a deceptive manner the user to access the internet to remove the software with knowledge or reckless disregard of the fact that the software prevents the user from accessing the internet;
    • changing the name, location, or other designation information of the software for the purpose of preventing an authorised user from locating it for removal;
    • using randomised or deceptive file names to avoid detection;
    • installing the software in a computer directory or memory to avoid detection and removal; or
    • requiring, without authority, that an authorised user download software or obtain a special code from a third party to uninstall the software (La. Rev. Stat. §51:2009).

Persons or entities who are not authorised users are further prohibited from inducing an authorised user to install software by misrepresenting that the software is necessary for security, privacy, or to utilise a particular type of content, or from causing the copying and execution of computer software with the intent to violate Louisiana's anti-spyware laws (La. Rev. Stat. §51:2010).

For the purposes of this statute, 'personal information' refers to any of the following (La. Rev. Stat. §51:2007(11)):

  • first name or first initial in combination with last name;
  • credit or debit card numbers or other financial account numbers;
  • a password or personal identification number required to access an identified financial account other than a password, personal identification number, or other identification number transmitted by an authorised user to the issuer of the account or its agent;
  • Social Security Number; or
  • any of the following information in a form that personally identifies an authorised user:
    • account balances;
    • overdraft history;
    • payment history;
    • internet browsing history;
    • home address;
    • work address; or
    • a record of purchase(s).

Note that the prohibitions under La. Rev. Stat. §51:2009 or §51:2010 do not apply to any monitoring of or interaction with a user's internet or other network connection or service, or a protected computer, by a cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorised updates of software or system firmware, network management or maintenance, authorised remote system management, or detection or prevention of the use of a network, service, or computer software for fraudulent or other illegal activities, including scanning for and removing prohibited software (La. Rev. Stat. §51:2011).

The district attorney of the parish where the violation occurred and the AG are authorised to investigate and institute criminal proceedings for violations. Penalties can include imprisonment for up to ten years and/or fines of up to $25,000 (La. Rev. Stat. §51:2013).

Other statutes of interest

Certain other statutes of interest connected to cybersecurity relate to:

Social media accounts

La. Rev. Stat. §51:1951 et seq. ('Personal Online Account Privacy Protection Act') prohibits employers and educational institutions from requiring or requesting employees, applicants for employment, or students to disclose social media usernames, passwords, or other information that would allow the employer or educational institution to access the personal account, unless specific exceptions are present. Certain exceptions exist for circumstances such as legitimate investigations of employee misappropriation of an employer's proprietary information, where the employee has transferred the employer's data to a personal account without authorisation, or where the online account is affiliated with or related to the employer's business.

Anti-Phishing Act of 2006

La. Rev. Stat. §51:2031 et seq. ('Anti-Phishing Act') prohibits soliciting, requesting, or inducing a person through a web page, electronic message, or other use of the Internet to provide identifying information by representing oneself to be a business without the authority or approval of the represented business. 'Identifying information' includes the Social Security Number, driver's license number, bank account number, credit card or debit card number, personal identification number, automated or electronic signature, unique biometric data, account password, or any other piece of information that can be used to access an individual's financial accounts or to obtain goods or services. In addition to action by the district attorney and AG, a private right of action is provided for the person who was misled by the phishing and incurred damages, and for the business that was misrepresented in the phishing act.

Restrictions on DNA testing kits

With the rise in popularity of home DNA testing kits, in 2018, Louisiana enacted certain disclosure requirements for sellers of testing kits (La. Rev. Stat. §51:3151 et seq.). Companies selling DNA testing kits for any purpose must provide concise and easy-to-read disclosures of the following matters, to the extent they apply to the company:

  • whether the user's DNA may be used for scientific research or analysis unrelated to the service purchased and whether express consent is required for that research or analysis;
  • information on the nature of the scientific research and analysis unrelated to the service that was purchased that may be conducted with the user's DNA;
  • whether the user can withhold consent to use of DNA for unrelated scientific research and analysis;
  • whether the user's DNA may be shared with a third party unrelated to the service purchase;
  • whether the user's DNA can be sold to a third party for any purpose;
  • whether the user can have his DNA destroyed upon request; and
  • a statement as to whether the user relinquishes ownership of his DNA by submitting his DNA for testing.

Notification can be provided through the website or app where the product is ordered, or through a paper insert in the product box. Violations constitute an unfair trade practice in Louisiana.

Jessica Engler Partner
Kean Miller LLP, Louisiana