Businesses that maintain individuals’ confidential, personal information may need to be more alert in protecting this data under the Florida Information Protection Act of 2014, signed into law by Governor Rick Scott.
The new law, which some have called one of the broadest and most encompassing data security breach laws in the nation, imposes on covered entities a statutory requirement to safeguard Floridians’ personal information, to report a breach to the state attorney general, and to comply with other affirmative obligations. The new law becomes effective July 1, 2014; the previous statute (Section 817.5681, Florida Statutes) is repealed.
Key provisions of the new law state:
- A “covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.
- “Personal information” means an individual’s first name or initial and last name, in combination with (i) a social security number, (ii) drivers’ license or identification card number, or (iii) account number, credit or debit card number in combination with any required security code or password to access the account OR an individual’s user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
- Covered entities must safeguard the personal information they maintain. Other states with this requirement include California, Connecticut, Maryland, Massachusetts, and Oregon.
- An individual affected by a breach must be notified as expeditiously as possible, but no later than 30 days from discovery of the breach when the individual’s personal information was, or the covered entity reasonably believes it was, accessed as a result of a breach.
- If the breach affects at least 500 Floridians, the state’s Attorney General must be notified no later than 30 days after determination that a breach has occurred or reason to believe one had occurred. In addition, the attorney general may require covered entities to provide copies of their policies regarding breaches, steps taken to rectify the breach, and a police report, incident report, or computer forensics report.
On the passage of the law by the state Senate, current Attorney General Pam Bondi promised greater enforcement of the data breach law.
Businesses in Florida (and possibly those outside the Sunshine State) that maintain personal information about Florida residents should take steps to be sure they have reasonable policies and procedures in writing to safeguard such information.