Last week, Florida signed into law the Florida Information Protection Act of 2014, effective July 1, 2014. This new law is broader than Florida’s prior law and includes some important, and in some instances unique, provisions. Of particular interest are the following:
- Short Time Frame for Notice: Under this new law, companies must provide notice to individuals and, if applicable, the Department of Legal Affairs, no later than 30 days after the determination of a breach or reason to believe a breach occurred. Florida previously required notice no later than 45 days, which was already more rigorous than the requirement in many states that call for notice as soon as practicable, without unreasonable delay.
  Noncompliance with this 30-day time frame may result in civil penalties, including $1,000 for each day up to the first 30 days and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days (not to exceed $500,000).
- The Department of Legal Affairs May Require a Copy of Policies in Place Regarding Breaches and Additional Information: For any breach of security affecting 500 or more individuals in Florida, notice must be provided to the Department of Legal Affairs. Upon the Department of Legal Affairs’ request, the company must provide the following: (i) a police report, incident report, or computer forensics report; (ii) a copy of the policies in place regarding breaches; and (iii) steps that have been taken to rectify the breach.
- Broader Definitions of “Personal Information” and “Breach”: The definition of “personal information” is broader under Florida’s new law and includes a username or email address, in combination with a password or security question and answer that would permit access to an online account. Although not unique, Florida’s new definition of “breach” is now based on “access” rather than “acquisition” of data containing personal information.