Louisiana makes no secret of its desire to be a leader in cybersecurity. Last year, Governor John Bel Edwards signed the Louisiana Cybersecurity Information Sharing Act into law, as well as added a definition of “internet-connected devices” and laws against computer trespass and communication interference to Louisiana’s computer crimes.
Following the conclusion of the 2020 Regular Session, Governor Edwards again signaled his determination to protect cyber infrastructure within the Pelican state by signing the following bills, now acts:
Act No. 117: Requires Managed Service Providers and Managed Security Service Providers doing business with the State of Louisiana or any political subdivision thereof to register with the Louisiana Secretary of State’s Office.
Act 117 further requires these service providers to report cyber incidents (malware, compromised networks, unauthorized accesses, ransomware) and the payment of ransom to the Louisiana Secretary of State within twenty-four hours of the discovery of the event. Payments of ransomware must also be reported to the Louisiana Fusion Center within ten days of payment. Both reports must include the name of the affected public body and public bodies are prohibited from executing contracts with providers who fail to register with the Secretary of State as required by the Act.
Submitted as Senate Bill No. 273 by Senator Sharon Hewitt.
Act No. 217: Requires each Clerk of Court and registrar of voters to report any cyber incidents impacting their offices to the Secretary of State within twenty-four hours. Reporting can be done via email, telephone, or facsimile.
Submitted as Senate Bill No. 140 by Senator Mike Reese.
Act No. 301: Creates the Joint Legislative Committee on Technology and Cybersecurity to assist the legislature on evaluating and overseeing information technology matters for the State of Louisiana. IT matters to be overseen shall include servers, network systems, telecommunication systems, software and software applications, platform systems, storage systems and services, and mobile, video, and radio systems and services.
Similar to the existing Louisiana Cybersecurity Commission, the Joint Legislative Committee shall assess all cybersecurity risks facing public entities in Louisiana, including the potential likelihood, frequency, and severity of cyber-attacks and data breaches. The committee shall work with law enforcement and the office of technology services and develop recommendations and strategies to mitigate the damage to the public relative to those cybersecurity risks.
However, unlike the Louisiana Cybersecurity Commission, the Joint Legislative Committee shall have the power and authority to hold hearings, subpoena witnesses, administer oaths, require the production of books and records, punish for contempt, and initiate the prosecution of any individual who refuses to testify or is charged with false swearing or perjury before the committee.
Submitted as House Bill No. 636 by Representative Barry Ivey.
Act No. 155: Requires all public servants to receive cybersecurity training to prevent cyber-attacks. Public agencies shall further require any contractor who has access to state or local government information technology assets to complete cybersecurity training during the term of the contract and any renewal periods.
The training can be given in an online course format, focused on forming information security habits and procedures that protect information resources and teach best practices for detecting, assessing, reporting, and addressing information security threats.
Submitted as House Bill No. 633 by Representative Barbara Reich Freiberg.
Additional bills that intend to promote cybersecurity within the State of Louisiana are as follows:
Act No. 144 By Representative Jerome Zeringue: Allows emergency response funds to be spent on cybersecurity training for employees, hardware, software, and the retention of private sector information technology professionals to combat cyber incidents that affect the state of Louisiana and its political subdivisions.
Act No. 273 by Representative Barry Ivey: Exempts certain state procurement rules for the purchase of software and hardware approved by the Joint Legislative Committee on Technology and Cybersecurity.
Act No. 28 By Representative Stephen Dwight: The Secretary of State shall require one hour of annual cybersecurity training for all employees and persons with network credentials and access to Secretary of State computer systems.
Act No. 57 by Senator Mark Abraham: Establish the Louisiana Cybersecurity Talent Initiative Fund as a special fund in the state treasury for the purpose of funding degree and certificate programs in cybersecurity fields offered by public post-secondary education institutions in order to meet the state's workforce needs.