On June 20, Florida's governor signed into law a replacement for its former breach notification statute, called the Florida Information Protection Act of 2014. The law goes into effect very quickly (July 1, 2014) and will be one of the most robust breach notification laws in the country. It does not necessarily break new ground, but it consolidates into one statute many of the recent trends in breach notification laws passed in other states.
Highlights of the Information Protection Act include:
- Changing the definition of breach to "unauthorized access" of electronic data. This will expand the number of incidents that qualify as breaches, because the former law defined breach more narrowly as unauthorized acquisition of electronic data that materially compromised the security, confidentiality or integrity of the personal information.
- Expanding the definition of personal information to include name in combination with an individual’s health information or health insurance policy number. Florida also followed California’s lead by expanding personal information to cover a login or email address in combination with the password or security question with answer. However, unlike California, Florida did not provide a simpler notice provision for online account/password breaches.
- Requiring breached entities to provide notice to the Department of Legal Affairs within 30 days if more than 500 Florida residents are affected.
- Adding specific requirements for the content of the notice letter to consumers, and shortening to 30 days the time in which notice letters must be sent to consumers. This is down from 45 days, but breached entities may request approval from the Department of Legal Affairs for a delay of up to 15 additional days to send notice to consumers. As with the former law, this notice may be delayed at the request of law enforcement to avoid interfering with a criminal investigation.
- Adding new general data security obligations to require businesses to take reasonable measures to protect electronic personal information and to securely dispose of customer records (whether in paper or electronic form) containing personal information.
- Requiring third parties that maintain systems containing personal information to notify the data owners of a breach as expeditiously as possible, but no later than 10 days after discovery.
- Making violations of the Information Protection Act an unfair or deceptive trade practice, which allows the attorney general to seek civil penalties of up to $500,000. However, the Act specifically indicates that there is no private right of action.
In the wake of recent high profile data breaches, it is not surprising that states are considering and, in the case of Florida, passing updates to their breach notification laws and adding data security obligations. We will continue to monitor activity in the area.