Notifying Louisiana Citizens That Their Data May Have Been Compromised: Your Obligations Once the E-Fox Breaches Your Henhouse

Companies are always looking for ways to improve their customers' experiences, offer their customers new products and services, and anticipate their customers' future needs.  Technological improvements have driven companies into more data-centric models—looking at their customer's habits, how they pay, where they are located, etc.—to improve their marketing efforts and customer offerings.  The collection and retention of customer data by companies has made companies a target for hackers that seek to either sell this data or exploit it to commit financial crimes or identity theft.  According to USA Today, 43% of U.S. companies experienced a data breach from 2013–2014.  See Elizabeth Weise, 43% of companies had a data breach in the past year, USA Today, Sept. 24, 2014, available at

As a result of this threat, many states have enacted statutes that require companies to notify individuals if the personal information maintained by the companies has been compromised.  Louisiana has passed the Database Security Breach Notification Law.  La. R.S. § 51:3071 et seq. (hereinafter, the "Breach Notification Law").  The Breach Notification Law requires any person or company who conducts business in Louisiana, or that owns or licenses computerized data that includes personally identifiable information ("PII")[1], to notify any resident of Louisiana whose PII was or is reasonably believed to have been acquired by an unauthorized person if, after a reasonable investigation, the person or company determines that there is a reasonable likelihood of harm to customers.  La. R.S. § 51:3074.  If a person or company experiences a breach of a database that contains PII that it does not own, such person or company is obligated to notify the owner or licensee of the PII that was compromised. Id.

Regarding the timing and method of notification, a person or company that experiences a breach is required to make the notification as soon as possible and without unreasonably delay, although there is an exception if a law enforcement agency determines that the notification would impede a criminal investigation.  Id.  Further, the notification must be made by one of three methods: written notification, electronic notification, or substitute notification.  Id.

Failure to comply with the Breach Notification Law can lead to severe consequences, including, civil liability and governmental penalties.  The Breach Notification Law specifically authorizes an individual whose PII has been compromised to file a civil action to recover actual damages resulting from the failure to disclose in a timely manner a breach that resulted in the disclosure of PII.  La. R.S. § 51:3075.  Moreover, Louisiana administrative regulations require the person or company that experiences such a breach to provide written notice of the breach to the Consumer Protection Section of the Louisiana Attorney General’s Office within ten (10) days of properly notifying Louisiana residents of the breach pursuant to La. R.S. § 51:3074.  See La. Admin. Code tit. 16, § 701.  Compliant notification to the Consumer Protection Section must include the names of all Louisiana citizens affected by the breach.  Failure to comply with these regulations can result in a fine of up to $5,000.00 a day until notification is provided. Id.

Obviously, prevention is the preferred method of handling data security and privacy issues.  Given the escalation in the frequency of data breach incidents, we recommend that you review your security measures regularly and develop a comprehensive plan for responding to a data breach incident.  If you need assistance creating such a plan or evaluating your current policies and procedures for responding to such an incident, please contact us. We also understand that sometimes a data breach incident can catch you off-guard.  If you have recently experienced a data breach incident and need assistance determining how to proceed, we will be happy to assist you with this as well.

[1] The statute uses the term "personal information" and defines what combinations of information create "personal information" within the meaning of the statute. See La. R.S. § 51:3073(4)(a) which provides that “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted: (i) Social security number; (ii) Driver's license number; and (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

             Author: Keith J. Fernandez              Practice Area: Technology Law              Date: July 1, 2015

Disclaimer: The information provided herein (1) is for general information only; (2) does not create an attorney-client relationship between the author or the author’s firm and the reader; (3) does not constitute the provision of legal advice, tax advice, or professional consulting of any kind; and (4) does not substitute for consultation with professional legal, tax or other competent advisors. Before making any decision or taking any action in connection with the matters discussed herein, you should consult with a professional legal, tax and/or other advisor who should be provided with all pertinent facts relevant to your particular situation. The information provided herein is provided “as is,” with no assurance or guarantee of completeness, accuracy, or timeliness of the information.