Louisiana’s breach notice law has been amended to require companies to protect personal information. The definition of personal information matches that which -if breached- would give rise to a duty to notify. This includes name combined with social security numbers, drivers’ license (and state ID/passport numbers) or financial account numbers. The law applies to companies that “maintain computerized information” and require that entities (1) have reasonable security procedures and practices “appropriate to the nature of the information” that protects against unauthorized access, destruction, use, modification and disclosure and (2) destroy personal information or make it unreadable when it is no longer needed by “shredding, erasing” or making the information otherwise unreadable.  Louisiana joins a growing list of states that have such data protection requirements, including California, Connecticut, Delaware, Florida, Massachusetts, Nevada, and New Jersey to name but a few. The requirement goes into effect August 1, 2018.

Putting it Into Practice: Companies that suffer a data breach should keep in mind these data breach protection requirements. Often an inquiry will be made after an incident to determine if the company took sufficient steps to protect information in compliance with these data protection laws. In other words, if the company had taken more steps to protect the information, would the breach have occurred?