FINES & PENALTIES
Constitutes unfair act/practice
Within 60 days.
Organizations must notify the Louisiana Attorney General within 10 days of consumer notification. There are specific considerations when determining if a breach is reportable. If breach notification is not required, the organization must retain a copy of the written determination and supporting documentation for 5 years from the date of discovery of the breach of the security system. If requested in writing, the organization must send a copy of the written determination and supporting documentation to the Attorney General within 30 days.
If any Louisiana residents are affected by a breach, the notification must be given to each affected individual within 60 days of discovery of the breach. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
FINES & PENALTIES
Organizations may be fined or penalized for Vendor violations. Civil action may be instituted to recover actual damages resulting from the failure to provide breach notification in a timely manner. Fines of up to $5,000 may be imposed for violations of the requirements for regulatory reporting to Attorney General.
INDUSTRY SPECIFIC LAWS
Louisiana passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective August 1, 2020, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.
Organizations conducting business in Louisiana must implement and maintain reasonable security procedures and practices to protect computerized personal information in their possession. Organizations who conduct business in Louisiana must have measures in place for the secure disposal of personal information.
Vendors must notify Organizations without delay after the discovery of a breach or suspected breach. The Organization is responsible to complete any regulatory reporting and consumer notification. Vendors who conduct business in the state must have security procedures and practices in place for the protection of personal information. Vendors who conduct business in the state must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable.