Changes to Louisiana Database Security Breach Notification Law

July 23, 2018 by Sumit Jain  | Comments

Colleagues,

As you may be aware, the State of Louisiana has a Database Security Breach Notification Law (original text can be found here - http://www.legis.la.gov/legis/Law.aspx?d=322027).

 In the last legislative session, a bill amending the law was passed and will take effect August 1st, 2018. The core substance of the law remains intact, but there have been some key updates. The language for the amending bill can be found here - https://www.legis.la.gov/legis/ViewDocument.aspx?d=1101149.

 Key points to note with the changes:

  1. The definition of Personal Identifiable Information (PII) now includes state identification card number, Passport number and Biometric data
    • Note:  Biometric data can include any data generated by automatic measurements of an individual’s biological characteristics, such as fingerprint, voice print, retina/iris scan, or other unique biological characteristic that is used to uniquely authenticate an individual’s identity.
  2. An entity maintaining PII “shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
  3. An entity maintaining PII “shall take all reasonable steps to destroy or arrange for the destruction of the records” when they are no longer to be retained by “shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.”
  4. There are additional changes related to when and how a breach notification is to be carried out.

These changes will have impact on all departments that maintain PII, especially those departments that have deployed tools and technologies that involve Biometric Data.

If your department utilizes or plans to utilize Biometric data for any services, please reach out to LSU ITSP by emailing security@lsu.edu.

LSU ITSP will be reaching out to individual departments as well to discuss Security Incident response processes and the impact of these changes for LSU.

 

Sumit Jain, CISSP

Director, IT Security and Policy

Information Technology Services