Louisiana Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Louisiana's Database Security Breach Notification Law requires any person or agency that owns, licenses, or maintains computerized personal information to notify affected Louisiana residents when that data is compromised. Originally enacted in 2005, the law was significantly strengthened in 2018 through Senate Bill 361, which added a hard 60-day notification deadline, expanded the definition of personal information to include biometric data and passport numbers, and created mandatory attorney general reporting obligations.

If your organization handles data belonging to Louisiana residents, understanding these requirements is not optional. The state treats every day of delayed AG notification as a separate violation with penalties up to $5,000.

For broader context on Louisiana's overall privacy framework, see the parent guide to [Louisiana Data Privacy Laws](/us-laws/data-privacy-laws/louisiana-data-privacy-laws).

What Triggers the Notification Requirement

Louisiana law defines a "breach of the security of the system" as the compromise of the security, confidentiality, or integrity of computerized data that results in the unauthorized acquisition of personal information. The key word is "acquisition." Simply accessing a system without authorization does not necessarily trigger the law. The personal information must actually be acquired, or reasonably believed to have been acquired, by an unauthorized person.

There is one statutory exception: good faith acquisition of personal information by an employee or agent of the data holder does not count as a breach, as long as the information is not used for unauthorized purposes or subject to further unauthorized disclosure.

The law applies to three categories of entities under La. R.S. 51:3074:

• Any person that conducts business in Louisiana and owns or licenses computerized data containing personal information
• Any government agency that owns or licenses such data
• Any person or agency that maintains computerized data containing personal information that it does not own (these entities must notify the data owner or licensee)

What Counts as Protected Personal Information

Under La. R.S. 51:3073, "personal information" means an individual's first name or first initial and last name combined with any one or more of the following data elements:

• Social Security number
• Driver's license number or state identification card number
• Financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the account
• Passport number
• Biometric data, defined as data generated by automatic measurements of an individual's biological characteristics (such as fingerprints, voice print, eye retina or iris, or other unique biological characteristics) used to uniquely authenticate an individual's identity when accessing a system or account

The data element must not be encrypted or redacted to qualify. If the compromised data was encrypted at the time of the breach, the notification requirement does not apply. This is Louisiana's encryption safe harbor.

Publicly available information from federal, state, or local government records is excluded from the definition of personal information.

The 60-Day Notification Timeline

Notification must be made "in the most expedient time possible and without unreasonable delay" but no later than 60 days from the date the breach is discovered. This hard deadline was added by the 2018 SB 361 amendments and replaced the prior open-ended "most expedient time possible" standard.

The 60-day clock starts on the date of discovery, not the date the breach actually occurred. Discovery means the point when the entity becomes aware that a breach has happened.

Permitted Delays

Two circumstances allow the notification period to extend beyond 60 days:

Law enforcement delay. If a law enforcement agency determines that notification would impede a criminal investigation, the notification may be delayed until law enforcement determines it will no longer compromise the investigation.

Scope and remediation delay. If the entity determines that additional time is needed to determine the scope of the breach, prevent further disclosures, or restore the reasonable integrity of the data system, it may delay notification. However, the entity must provide the Attorney General written reasons for the delay within the original 60-day period. The AG then grants a reasonable extension.

In both cases, the entity must still provide written justification to the AG within 60 days. There is no blanket exception that allows indefinite delay.

Attorney General Notification Requirements

Louisiana imposes separate, mandatory notification to the Attorney General's office. Under Louisiana Administrative Code Title 16, Part III, Section 701, entities must:

• Send written notice to the AG's Consumer Protection Section within 10 days of distributing breach notices to Louisiana residents
• Include the names of all Louisiana citizens affected by the breach in the notification
• Submit the notification to the Consumer Protection Section at the Louisiana Department of Justice

Notice can be filed through the LA Database Security Breach Online Reporting Form or mailed to:

Louisiana Department of Justice Office of the Attorney General Consumer Protection Section 1885 N. Third Street Baton Rouge, LA 70802

Failure to provide timely AG notification carries fines up to $5,000 per violation, with each day of late notice counting as a separate violation.

Methods of Notification to Individuals

Louisiana allows three methods of notifying affected individuals under La. R.S. 51:3074(G):

Written notification. A physical letter sent to the affected individual.

Electronic notification. Email notification, provided it complies with the federal E-SIGN Act (15 U.S.C. 7001).

Substitute notification. Available when the cost of direct notification would exceed $100,000, the affected class exceeds 100,000 people, or the entity lacks sufficient contact information. Substitute notification requires all three of the following:

• Email notification to individuals for whom the entity has email addresses
• Conspicuous posting on the entity's website
• Notification to major statewide media outlets

Entities that already maintain a notification procedure as part of their information security policy may use that procedure instead, provided it is consistent with the statute's timing requirements.

Harm-Based Exemption

Notification is not required if, after a reasonable investigation, the entity determines there is no reasonable likelihood of harm to Louisiana residents from the breach.

This exemption comes with documentation requirements. The entity must retain a written copy of its determination and supporting documentation for five years from the date of discovery. If the Attorney General requests this documentation in writing, the entity must provide it within 30 days.

Security Requirements

Beyond notification, Louisiana law imposes affirmative data security obligations. Under La. R.S. 51:3074(A), any entity that conducts business in Louisiana or owns or licenses computerized personal information must implement and maintain "reasonable security procedures and practices appropriate to the nature of the information" to protect personal information from unauthorized access, destruction, use, modification, or disclosure.

The law also requires entities to take "all reasonable steps" to destroy records containing personal information that are no longer needed. Acceptable destruction methods include shredding, erasing, or otherwise making the information unreadable and undecipherable.

Enforcement and Penalties

Violations of the Database Security Breach Notification Law constitute unfair acts or practices under Louisiana's Unfair Trade Practices and Consumer Protection Law (La. R.S. 51:1405). This means the Attorney General can bring enforcement actions using the full range of consumer protection remedies.

For AG notification failures specifically, fines can reach $5,000 per violation per day.

Under La. R.S. 51:3075, individuals may also bring a civil action to recover actual damages resulting from the failure to provide timely breach notification. However, Louisiana does not provide a broad private right of action for the breach itself. The private cause of action is limited to damages caused by the failure to notify, not by the breach.

Notable Legislative History

Louisiana's breach notification law has been amended several times since its 2005 enactment:

Act 499 (2005). Established the original Database Security Breach Notification Law, effective January 1, 2006. Required notification in the "most expedient time possible" with no hard deadline.

Act 382 / SB 361 (2018). The most significant overhaul. Added the 60-day notification deadline, expanded personal information to include biometric data and passport numbers, created the harm-based exemption with five-year documentation retention, required written justification to the AG for delayed notifications, and added the reasonable security procedures requirement.

Proposed Louisiana Data Privacy Act (SB 386, 2026)

Louisiana is considering a comprehensive data privacy law through Senate Bill 386 in the 2026 Regular Session, sponsored by Senator Connick. If enacted, the Louisiana Data Privacy Act would create broader consumer privacy rights beyond breach notification.

Key provisions of the proposed law include:

• Applies to businesses that conduct business in Louisiana, process or sell personal data, and are not small businesses
• Prohibits the sale of sensitive personal data without prior consumer consent
• Authorizes the Attorney General to enforce violations with a 30-day cure period
• Civil penalties of up to $7,500 per violation for uncured violations
• Exempts state agencies, financial institutions, nonprofits, higher education institutions, and entities already governed by HIPAA or GLBA

As of March 2026, the bill is pending in the Louisiana Legislature. Its passage would make Louisiana the latest state to adopt a comprehensive consumer privacy framework, complementing the existing breach notification requirements.

More Louisiana Laws

• Louisiana Hit and Run Laws
• Louisiana Data Privacy Laws
• Louisiana Data Privacy Laws
• Louisiana Recording Laws
• Louisiana Recording Laws
• Louisiana Recording Laws
• Louisiana Statute of Limitations
• Louisiana Child Support Laws

This article provides general legal information about Louisiana data breach notification laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Louisiana for advice about your specific situation.