Changes to Louisiana Database Security Breach Notification Law
July 23, 2018 by Sumit Jain
As you may be aware, the State of Louisiana has a Database Security Breach Notification Law (original text
can be found here - http://www.legis.la.gov/legis/Law.aspx?d=322027).
In the last legislative session, a bill amending the law was passed and will take effect August 1st, 2018. The core substance of the law remains intact, but there have been some key updates. The language for the amending bill can be found here - https://www.legis.la.gov/legis/ViewDocument.aspx?d=1101149.
Key points to note with the changes:
- The definition of Personal Identifiable Information (PII) now includes state identification card number, Passport number and Biometric data
An entity maintaining PII “shall implement and maintain reasonable security procedures
and practices appropriate to the nature of the information to protect the personal
information from unauthorized access, destruction, use, modification, or disclosure.”
An entity maintaining PII “shall take all reasonable steps to destroy or arrange for
the destruction of the records” when they are no longer to be retained by “shredding,
erasing, or otherwise modifying the personal information in the records to make it
unreadable or undecipherable through any means.”
There are additional changes related to when and how a breach notification is to be carried out.
- Note: Biometric data can include any data generated by automatic measurements of an individual’s biological characteristics,
such as fingerprint, voice print, retina/iris scan, or other unique biological characteristic that is used to uniquely authenticate an individual’s identity.
These changes will have impact on all departments that maintain PII, especially those
departments that have deployed tools and technologies that involve Biometric Data.
If your department utilizes or plans to utilize Biometric data for any services, please
reach out to LSU ITSP by emailing email@example.com.
LSU ITSP will be reaching out to individual departments as well to discuss Security
Incident response processes and the impact of these changes for LSU.
Sumit Jain, CISSP
Director, IT Security and Policy
Information Technology Services