
Louisiana Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do

A comprehensive guide to Louisiana data privacy and cybersecurity laws, including breach notification requirements, industry-specific regulations, and compliance steps for businesses.

Louisiana has established a regulatory framework for data protection that reflects the state's concentrated exposure to cyber risk through its petrochemical, maritime, and healthcare sectors. The state's Database Security Breach Notification Law is one of the more prescriptive in the southeastern United States, with specific notification timelines, Attorney General reporting requirements, and daily penalties for noncompliance. Combined with federal regulations that heavily impact Louisiana's dominant industries — HIPAA for healthcare, NERC CIP and TSA directives for energy, and MTSA for maritime — businesses in the state face a layered compliance environment.

This guide breaks down Louisiana's key cybersecurity laws and compliance requirements for business leaders and IT teams. Given the state's significant history of cyber incidents — including two emergency declarations in 2019 alone — understanding and meeting these requirements is both a legal obligation and a business necessity.

Louisiana's Primary Data Privacy & Cybersecurity Laws

Database Security Breach Notification Law (La. R.S. 51:3071–3077)

Louisiana's primary data protection statute is the Database Security Breach Notification Law, enacted in 2005 and codified in Louisiana Revised Statutes Title 51, Sections 3071 through 3077. The law applies to any person or business that conducts business in Louisiana and owns or licenses computerized data containing personal information of Louisiana residents. Key provisions include:

  • Requirement to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information

  • Mandatory notification to affected individuals within 60 days of discovery of a breach

  • Notification to the Attorney General and consumer reporting agencies if the breach affects more than 1,000 Louisiana residents

  • Personal information defined as name combined with Social Security number, driver's license number, account numbers with access credentials, passport numbers, or biometric data

  • Civil penalties of up to $5,000 per violation per day for noncompliance

Notably, Louisiana's definition of personal information is broader than that of many states, including passport numbers and biometric data in addition to the standard categories. This broader definition means more types of breaches trigger notification requirements.

Louisiana Personal Online Account Privacy Protection Act

This statute prohibits employers and educational institutions from requiring employees or students to disclose social media login credentials. While narrower in scope than the breach notification law, it establishes an important privacy protection in the employment context and reflects Louisiana's recognition of digital privacy rights.

Louisiana Insurance Data Security Law

Louisiana adopted the NAIC Insurance Data Security Model Law, requiring licensed insurers, agents, and other insurance entities to establish comprehensive information security programs. The law mandates risk assessments, incident response planning, third-party vendor oversight, and notification to the Louisiana Department of Insurance within 72 hours of a cybersecurity event. This aligns Louisiana's insurance regulation with the national model that most states have adopted or are adopting.

Data Breach Notification Requirements in Louisiana

Notification to Individuals

Businesses must notify affected Louisiana residents within 60 days of discovering that a breach has occurred. Notification must be in writing, delivered by mail or electronic means if the individual has consented. The notice must include a description of the breach, the types of personal information compromised, steps the business has taken in response, and contact information for the notifying entity. Substitute notice via website posting and major statewide media is permitted if direct notification costs exceed $250,000, the affected class exceeds 500,000 individuals, or the business lacks sufficient contact information.

Notification to the Attorney General

If a breach affects more than 1,000 Louisiana residents, the business must notify the Louisiana Attorney General within the same 60-day window. The notification must include the number of affected individuals, a description of the breach, and the actions taken in response. The AG's office uses this information for enforcement and to identify trends across the state.

Notification to Consumer Reporting Agencies

Breaches affecting more than 1,000 individuals require simultaneous notification to all nationwide consumer reporting agencies. This requirement ensures that credit monitoring services are aware of potential identity theft risks affecting Louisiana residents.

Industry-Specific Compliance in Louisiana

Energy and Petrochemical

Louisiana's petrochemical corridor and energy infrastructure are subject to extensive federal cybersecurity regulations. NERC CIP standards apply to operators of bulk electric systems, requiring specific controls for critical cyber assets including asset identification, access management, personnel training, and incident reporting. Pipeline operators must comply with TSA Security Directives, which were substantially strengthened after the Colonial Pipeline attack and require cybersecurity coordinators, incident response plans, and implementation of specific cybersecurity measures. Louisiana's LNG export terminals face additional Coast Guard and FERC cybersecurity requirements. Energy companies should explore industrial IT security services that address both IT and OT environments.

Maritime and Port Operations

Ports and maritime facilities in Louisiana are subject to the Maritime Transportation Security Act (MTSA) and related Coast Guard cybersecurity guidance. In 2021, the Coast Guard began incorporating cybersecurity into MTSA facility security assessments, and port facilities must now address cyber threats in their Facility Security Plans. The Port of South Louisiana and Port of New Orleans handle critical cargo that makes them high-value targets for both criminal and nation-state actors.

Healthcare

Louisiana healthcare organizations must comply with HIPAA Security Rule requirements and the HITECH Act, which expanded breach notification obligations and increased penalties. Louisiana's state breach notification law applies in addition to HIPAA, meaning healthcare organizations may face dual notification requirements. The state's healthcare sector should implement healthcare-specific IT security measures that address clinical workflows, connected medical devices, and third-party vendor risk.

Education

The 2019 ransomware attacks on Louisiana school districts prompted increased attention to educational cybersecurity. Louisiana school districts must comply with FERPA for student records protection and are increasingly expected to implement baseline cybersecurity measures. The Louisiana Department of Education has issued guidance on cybersecurity best practices for school districts, though compliance is largely voluntary beyond federal FERPA requirements.

Louisiana Compliance Checklist for Businesses

The following checklist covers baseline compliance requirements applicable to most Louisiana businesses:

  • Implement reasonable security procedures — Louisiana law requires security measures appropriate to the nature of the personal information you handle

  • Maintain a written information security policy that defines data classification, access controls, and acceptable use standards

  • Conduct regular risk assessments to identify vulnerabilities in systems that store or process personal information

  • Encrypt sensitive data at rest and in transit, including Social Security numbers, financial account data, biometric data, and passport numbers

  • Establish a breach notification process that can meet the 60-day notification timeline, including templates for individual notices and AG notifications

  • Train employees annually on data handling, phishing recognition, and incident reporting

  • Audit third-party vendor security through due diligence assessments and contractual data protection requirements

  • Maintain incident response documentation sufficient to demonstrate compliance with notification timelines and response procedures

How Businesses Stay Compliant

Compliance in Louisiana requires ongoing vigilance, particularly given the state's layered regulatory environment. Businesses that maintain strong compliance programs share common characteristics:

  • Designated cybersecurity leadership — a CISO, privacy officer, or IT director with accountability for the security program

  • Regular security testing — vulnerability scans, penetration tests, and tabletop exercises conducted on a defined schedule

  • Incident response readiness — a documented and tested plan that covers detection, containment, notification, and recovery within the 60-day statutory window

  • Vendor management — ongoing oversight of third-party providers, particularly those with access to personal information or critical systems

  • Thorough documentation — records of security measures, training, risk assessments, and incident responses that demonstrate due diligence

Many Louisiana businesses partner with managed IT services providers and managed security services firms to maintain continuous compliance monitoring. This approach is especially valuable for businesses in the petrochemical and maritime sectors that need OT security expertise alongside traditional IT compliance capabilities.

Frequently Asked Questions

Does Louisiana have a comprehensive consumer data privacy law?

No. As of 2025, Louisiana does not have a comprehensive consumer data privacy law comparable to the California Consumer Privacy Act or the Texas Data Privacy and Security Act. Louisiana's primary data protection law is the Database Security Breach Notification Law, which focuses on breach notification and reasonable security procedures rather than broad consumer rights like data access, deletion, or opt-out. However, Louisiana legislators have introduced privacy bills in recent sessions, and a comprehensive law may emerge in the coming years.

What makes Louisiana's breach notification law different from other states?

Louisiana's law is notable for several features: a 60-day notification deadline, which is more prescriptive than the vague standards some states use, like 'most expedient time possible'; a broader definition of personal information that includes passport numbers and biometric data; mandatory Attorney General notification for breaches affecting more than 1,000 residents; and daily civil penalties of up to $5,000 per violation.

Are Louisiana port operations subject to cybersecurity regulations?

Yes. Louisiana port facilities are subject to the Maritime Transportation Security Act (MTSA), which now includes cybersecurity requirements. The Coast Guard has incorporated cybersecurity into MTSA facility security assessments, and port facilities must address cyber threats in their Facility Security Plans. Given the critical role of the Port of South Louisiana and Port of New Orleans in national commerce, cybersecurity compliance is an area of increasing federal attention.

How do federal energy regulations interact with Louisiana state law?

Louisiana energy companies face overlapping federal and state requirements. NERC CIP standards govern cybersecurity for bulk electric system operators, TSA Security Directives apply to pipeline operators, and FERC has cybersecurity oversight for LNG facilities. Separately, Louisiana's Database Security Breach Notification Law applies to any personal information these companies handle. A breach involving employee records, customer data, or contractor information triggers state notification requirements regardless of whether the breach also involves regulated operational technology.

What happened after Louisiana declared cybersecurity emergencies in 2019?

The 2019 emergency declarations activated the Louisiana National Guard's cyber unit and the state's Cybersecurity Commission. The state deployed incident response resources to affected school districts and state agencies, and the experience prompted Louisiana to invest in upgrading state government IT infrastructure and cybersecurity capabilities. The events also led to increased cybersecurity awareness training across state agencies and school districts.

Are Louisiana businesses required to have cyber insurance?

Louisiana does not require businesses to carry cyber insurance. However, many industry contracts, healthcare affiliations, and government partnerships increasingly require evidence of cyber insurance as a condition of doing business. The state's history of major cyber incidents has made cyber insurance a practical necessity for most Louisiana businesses, even where it is not legally mandated.

Alex Morgan

Updated Apr 5, 2026 · 8 min read