Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 60 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- constitutes unfair act or practice

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • If any Louisiana residents are affected by a breach, notification must be given to each affected individual within 60 days of discovery of the breach.
  • Organizations must notify the Louisiana Attorney General within 10 days of consumer notification.
  • There are specific considerations when determining if a breach is reportable.
  • If breach notification is not required, the organization must retain a copy of the written determination and supporting documentation for 5 years from the date of discovery of the breach of the security system.
  • If requested in writing, the organization must send a copy of the written determination and supporting documentation to the Attorney General within 30 days.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations conducting business in Louisiana must implement and maintain reasonable security procedures and practices to protect computerized personal information in their possession.
  • Organizations who conduct business in Louisiana must have measures in place for the secure disposal of personal information.
  • Vendors must notify Organizations without delay after discovery of a breach or suspected breach. The Organization is responsible to complete any regulatory reporting and consumer notification.
  • Vendors who conduct business in the state must have security procedures and practices in place for the protection of personal information.
  • Vendors who conduct business in the state must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable.
  • Civil action may be instituted to recover actual damages resulting from the failure to provide breach notification in a timely manner.
  • Fines of up to $5,000 may be imposed for violations of the requirements for regulatory reporting to Attorney General.
  • Organizations may be fined or penalized for Vendor violations.
  • Louisiana passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective August 1, 2020, licensees must comply with the breach notification requirements; August 1, 2021 must comply with requirements for a written information security program; and August 1, 2022 must comply with the vendor management requirements.
Statutes and Laws
  • LA Admin. Code § 701 Part III Consumer Protection, Database Security Beach Notification – Reporting Requirements

    LA RS § 51:3071 – 51:3075 Database Security Breach Notification Law

    LA RS § 51:3073 Definitions

    LA RS § 51:3074 Protection of Personal Information; Disclosure Upon Breach in the Security of Personal Information; Notification Requirements

    LA RS § 51:3075 Recovery of damages

    LA RS §§ 22:2501 – 2511 Insurance Data Security Law

BAck to map