Data breach rules will officially become stronger in Louisiana on Aug. 1.
Amending the Act 382 Database Security Breach Notification Law on May 20, Gov. John Edwards is following in other states' digital footsteps by enforcing data security and is giving residents two months to consider the expanding definition of personal information.
Up until the amendment, personal information included Social Security and license numbers as well as password and access codes to financial accounts records. Now, personal information comprises state identification and passport numbers as well as all biometric data including voice, finger and eye prints connected to any personal account.
To make the data breach law even stricter, the governor has amended the notification requirements.
“Any agency or person that maintains computerized data that includes personal information that the agency or person does not own shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data, following discovery by the agency or person of a breach of security of the system,” according to the act text, adding notification must be provided in written or electronic form .
There is only one exemption for notification, according to the new amendment.
“If a law enforcement agency determines that the notification required under this section would impede a criminal investigation, such notification may be delayed until such law enforcement agency determines that the notification will no longer compromise such investigation,” according to the act text.
According The National Law Review, the amendment “lowers the bar for allowing substitute notification (notification by e-mail, posting to the business’s Internet site and statewide media).”
“Whereas before substitute notice was only permitted if providing notification would exceed $250,000 or notifying more than 500,000 affected residents, the amended law allows for notification where providing notification would exceed $100,000 or notifying more than 100,000 affected residents,” The National Law Review reports.