On May 20, 2018, Governor Edwards signed an amendment to the Louisiana Database Security Breach Notification Law that potentially impacts all companies doing business in Louisiana.
Starting August 1, 2018, businesses in Louisiana that maintain, own, or license “personal information” must implement “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” The amendment remains silent as to what constitutes reasonable procedures and practices. However, the amendment implies that a detailed data breach response plan may act as an effective tool in evaluating individualized business strengths and weaknesses to ensure the appropriate procedures and practices are implemented in order to prevent a data breach.
Additionally, the amendment requires that a business, “take all reasonable steps” to destroy records containing personal information once they are “no longer to be retained.” While not explicit, this provision implies that a data retention policy should be formulated and followed.
Other key amendment takeaways include:
As a result of these changes, all businesses should reevaluate their data breach response plans, encryption practices, and retention policies before the law takes effect on August 1, 2018. Please contact Walt Green or Greg Reda if you have any additional questions regarding this amendment or cybersecurity.