As we wrote when the law passed, Louisiana updated its data breach notification statute earlier this year. The new law becomes effective today (August 1), and comes close on the heels of the July 20th effective date of Arizona’s update to its breach law. As modified, the Louisiana law adds biometric information as well as state ID and passport numbers to the definition of personal information. It also joins a trend that imposes a specific notification timeline by requiring that notice be made (namely within 60 days of the discovery of the breach). The law also requires that companies keep written records of unreported breaches for five years. Companies must provide that record to the state Attorney General if requested.
Putting it Into Practice: Companies with breach notice plans should keep in mind the 60 day requirement, the record keeping requirement, and the modification to the definition of personal information under the now-amended law.