Database Security Breach Notification Law

What is the Database Security Breach Notification Law?

SB205 Act 499, known as the Database Security Breach Notification Law, was signed by the governor of Louisiana on July 12, 2005, and became effective on January 1, 2006. This legislation requires notification to any Louisiana resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a security breach. In addition, the notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.

What is a security breach?

A security breach is a compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to personal information. Good faith acquisition of personal information by an individual is not a breach of the security of the system, provided that the personal information is not used for, or subject to, unauthorized disclosure.

What is personal information?

Personal information is an individual's first name or first initial and last name in combination with any one or more of the following data elements (when the name or data element is not encrypted or redacted):

  • social security number (SSN)
  • driver's license number
  • account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

What are the requirements for disclosure upon a security breach of personal information?

Following the discovery of a security breach of the system containing personal information, any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Any agency or person that maintains computerized data that includes personal information that the agency or person does not own shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a security breach of the system containing such data, following discovery by the agency or person of a breach of security of the system.

How may notification be provided?

Notification may be provided by one of the following methods:

  • written notification
  • electronic notification
  • substitute notification if applicable (including email, posting of notification on the Internet site of the agency or person, or notification to major statewide media).

What are the legal ramifications of the Database Security Breach Notification Law?

A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information.

What is identity theft?

Identity theft occurs when someone obtains sensitive personal information such as a name, social security number (SSN), driver's license number, credit card number, or other identifying information to take on that person's identity in order to commit fraud or other crimes.

Is identity theft only a problem for people who submit information online?

No. You can be a victim of identity theft even if you never use a computer. People may be able to obtain personal information by stealing your wallet, overhearing a phone conversation, or picking up a receipt at a restaurant that has your account number on it. In addition, the Internet has made it easier for individuals to obtain personal and financial data. Most companies and other institutions store information about individuals in databases; anyone who can access such a database can obtain information about many people at once rather than focusing on one person at a time.

Are there ways to avoid being a victim?

Unfortunately, there is no way to guarantee that you will not be a victim of identity theft. However, there are ways to minimize risk:

  • Do business with reputable companies
  • Take advantage of security features (passwords and other security features add layers of protection if used appropriately)
  • Check privacy policies
  • Be careful what information you publicize
  • Use and maintain anti-virus software and a firewall
  • Be aware of your account activity

How do you know if your identity has been stolen?

Some changes that could indicate that someone has accessed your information include:

  • Unusual or unexplainable charges on bills
  • Phone calls or bills for accounts or services that you do not have
  • Failure to receive regular bills or mail
  • New, strange accounts appearing on your credit report
  • Unexpected denial of your credit card

What can you do if you think, or know, that your identity has been stolen?

To minimize the extent of the damage, take action as soon as possible:

  • Contact institutions, including banks, where you have accounts
  • Contact the main credit reporting companies (Equifax, Experian, TransUnion)
  • File a report
  • Consider other information that may be at risk (Social Security Administration, Department of Motor Vehicles)