Louisiana passed a data breach notification law which went into effect on January 1, 2006. The law is called the "Database Security Breach Notification Law" (Senate Bill 205 Act 499), and requires any people or companies that lose sensitive, personal data to notify those that are affected. If the information was protected using encryption software, the breach notification is not necessary.
I must warn at this point that I'm not a lawyer, and this is not legal advice. At the same time, I should note the contents are lifted directly from the senate bill that was ratified.
Personal information is defined under the law as any of the following, but it must be in combination with an individual’s first name or first initial and last name (otherwise, the loss of the following does not require notification, it looks like):
- Social Security number
- Driver’s license number
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
As stated before, if data encryption was used to protect the data, notification is not required.
I don't think that I also need to lay out what constitutes a "data breach." I mean, if you truly didn't know, you'd assume you didn't have one, and you wouldn't be reading this right now.
Disclosure of a data breach must be made "in the most expedient time possible" barring delays requested by law enforcement. Notification can be made via:
- Written notification
- Electronic notification
- Substitute notification (including email, posting of notification on the web site of the agency or person with breached data, or notification to major statewide media)
Substitute notifications are only possible if:
- The cost of providing notification exceeds $250,000; or
- Over 500,000 people must be notified; or
- The notifying agency does not have sufficient contact information
There is a clause in there that kind of blows all of the above out of the water. Subsection G notes that,
Notification under this title is not required if after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.
In other words, the fox is in charge of the henhouse....
A civil action (which, apparently, is just lawyer-speak for "lawsuit") can be started to recover any damages a person experienced due to a delay in timely disclosure of a data breach.
I'm not a lawyer, but the way it's worded, it almost sounds as if there is no legal remedy for the actual breach itself. That is, a person falls victim to identity theft because of a data breach but, because the company notified the person in a timely manner, it has fulfilled its duties and is in good legal standing.
Hmph. Between this and subsection G, it almost sounds as if there's very little incentive for a company to invest in encryption. That just doesn't sound right, meaning you should consult with your legal representative.
Related Articles and Sites: http://www.legis.state.la.us/billdata/streamdocument.asp?did=317617