Security and Policies: About the Database Security Breach Notification Law
What is the Database Security Breach Notification Law?

SB205 Act 499, known as the Database Security Breach Notification Law, was signed by the governor of Louisiana on July 12, 2005 and became effective on January 1, 2006. This legislation requires notification to any Louisiana resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a security breach. In addition, the notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.

What is a security breach?

A security breach is a compromise of the security, confidentiality, or integrity of computerized data that results in, or is reasonably likely to result in, the unauthorized acquisition of and access to personal information. Good faith acquisition of personal information by an individual is not a breach of the security of the system, provided that the personal information is not used for, or subject to, unauthorized disclosure.

What is personal information?

Personal information is the first name or first initial and last name of an individual resident of the State of Louisiana in combination with any one or more of the following data elements (when the name or data element is not encrypted or redacted):

  • social security number (SSN);
  • driver’s license number or state identification card number;
  • account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  • passport number;
  • biometric data. "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual's identity when the individual accesses a system or account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

What are the requirements for protection of personal information for individuals who conduct business in Louisiana or license/own such computerized data, or any agency that owns or licenses computerized data that includes personal information?

Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

What are the requirements for destruction of personal information for individuals who conduct business in Louisiana or license/own such computerized data, or any agency that owns or licenses computerized data that includes personal information?

Take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

What are the requirements for disclosure upon breach in the security of personal information for individuals who conduct business in Louisiana or license/own such computerized data?

Following the discovery of a security breach of the system containing personal information, any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

What are the requirements for disclosure upon breach in the security of personal information for individuals who maintain computerized data (but do not own) that includes such information?

Any agency or person that maintains computerized data that includes personal information that the agency or person does not own shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a security breach of the system containing such data, following discovery by the agency or person of a breach of security of the system.

How may notification be provided?

Notification must be made in the most expedient time possible and without unreasonable delay, but not later than sixty days from the discovery of the breach.

Notification may be provided by one of the following methods:

  • written notification,
  • electronic notification,
  • substitute notification if applicable (including email, posting of notification on the Internet site of the agency or person, or notification to major statewide media).

What are the legal ramifications of the Database Security Breach Notification Law?

A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s personal information.

What is identity theft?

Identity theft occurs when someone obtains sensitive personal information such as a name, social security number (SSN), driver’s license number, credit card number, or other identifying information to take on that person’s identity in order to commit fraud or other crimes.

Is identity theft only a problem for people who submit information online?

No, you can be a victim of identity theft even if you never use a computer. People may be able to obtain personal information by stealing your wallet, overhearing a phone conversation, or picking up a receipt at a restaurant that has your account number on it. In addition, the Internet has made it easier for individuals to obtain personal and financial data. Most companies and other institutions store information about individuals in databases; if someone can access that database, he or she can obtain information about many people at once rather than focusing on one person at a time.

Are there ways to avoid being a victim?

Unfortunately, there is no way to guarantee that you will not be a victim of identity theft. However, there are ways to minimize risk:

  • Do business with reputable companies
  • Take advantage of security features (passwords and other security features add layers of protection if used appropriately)
  • Check privacy policies
  • Be careful what information you publicize
  • Use and maintain anti-virus software and a firewall
  • Be aware of your account activity

How do you know if your identity has been stolen?

Some changes that could indicate that someone has accessed your information include:

  • Unusual or unexplainable charges on bills
  • Phone calls or bills for accounts or services that you do not have
  • Failure to receive regular bills or mail
  • New, strange accounts appearing on your credit report
  • Unexpected denial of your credit card

What can you do if you think, or know, that your identity has been stolen?

To minimize the extent of the damage, act as soon as possible:

  • Contact institutions, including banks, where you have accounts
  • Contact the main credit reporting companies (Equifax, Experian, TransUnion)
  • File a report
  • Consider other information that may be at risk (Social Security Administration, Department of Motor Vehicles)