Recently, more and more headlines concern breaches of commercial computer systems – leading to the exposure of credit card data, personal information, and even private pictures. In the wake of these breaches, congress and state legislatures are considering and enacting new legislation to protect the victims of these breaches – the consumers. Florida businesses that regularly access confidential customer information would be well-advised to stay apprised of developments in other jurisdictions as a forebear of things to come. Moreover, a Florida business with access to out-of-state customer’s information could very well be subject to that state’s privacy laws. For example, a Florida business conducting business over the internet could be found to be conducting business in Minnesota based on a number of factors. If so, that Florida business could be subject to proposed Minnesota data breach legislation that states that “Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any individual whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.” Although it is possible that a Florida business may not be found to conduct business in a state other than Florida, such an analysis is fact and law specific.
Florida, Kentucky, Iowa, California and Minnesota have enacted or considered new data breach legislation in 2014. As the prevalence of online business-to-consumer interaction continues to grow, Florida businesses would be well-served to keep a watchful eye on the development of these laws in other states.