In response to the growing threat of unauthorized access and/or use of personal information, Louisiana, along with at least 12 other states, has enacted security breach notification laws. In essence, these statutes create a duty upon any person conducting business in the state to notify affected individuals if their personal information has been disclosed because of a breach in security allowing access to personal information.
Originally enacted in 2005 in Louisiana, the “Database Security Breach Notification Law” remains largely unknown to most businesses. “Personal Information” in Louisiana means the first name or first initial plus the last name of the individual in combination with a Social Security number, driver’s license number, account, credit or debit card number along with associated passwords. In Louisiana, “Breach of the security of the system” means the compromise of the security, confidentiality or integrity of computerized data which results in, or where there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to Personal Information maintained by any individual or legal entity. The person or entity whose system has been breached is liable to the person whose information has been released if timely notice is not given in accordance with the statutes. Other states provide for specific monetary penalties without the need to show actual damages.
These statutes, as well as laws in other states, are intended to allow the individual whose personal information has been compromised to take actions to protect that data, as well as to encourage businesses to put in place appropriate safeguards to deter such releases of information.
In addition, federal laws may apply depending on the facts and circumstances, most notably the Health Insurance Portability and Accountability Act (HIPAA), designed to protect individually identifiable health information, and the Gramm-Leach-Bliley Act (GLBA), designed to protect financial institutions’ customer information.
Any business that suspects data has been accessed improperly should immediately investigate the nature and extent of the data access, design new safeguards to prevent a repeat of the breach and comply as soon as possible with notification requirements.