As we reported earlier, Florida lawmakers passed extensive revisions to the state’s existing data breach notification law, SB 1524. On June 20, 2014, Florida’s Governor Rick Scott signed the bill into law; it becomes effective on July 1, 2014.
Our earlier post discusses the key provisions of the law in more detail. But here are a few reminders:
- The law adds to the definition of “personal information” an individual’s user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
- Individuals must be notified of a breach as expeditiously as possible, but no later than thirty (30) days from discovery of the breach, when the individual’s personal information was, or the covered entity reasonably believes it was, accessed as a result of a breach.
- If the breach affects 500 or more Floridians, the state’s Attorney General must be notified no later than thirty (30) days after the determination that a breach has occurred or that there is reason to believe one occurred. Current Attorney General Pam Bondi has promised greater enforcement. Note also that under the new law the Attorney General may require covered entities to provide copies of their policies regarding breaches, steps taken to rectify the breach, and a police report, incident report, or computer forensics report.
- The law also imposes a statutory requirement to safeguard personal information. So, as in a number of other states such as California, Connecticut, Maryland, Massachusetts, and Oregon, businesses in Florida (and possibly businesses outside of the Sunshine State) that maintain personal information about Florida residents should take steps to be sure they have reasonable policies and procedures in writing to safeguard such information.