There have been a number of high-profile data breaches in the last few years. Target suffered a data breach that affected more than 40 million customers. Neiman-Marcus recently suffered a data breach which it believes may affect more than 100 million customers. Concerns regarding these types of data breaches prompted the Florida Legislature to pass the Florida Information Protection Act of 2014 (the "Act") to prevent and minimize data breaches that are caused by computer hacking, malware, physical loss of portable devices or inadvertent exposure of confidential data on websites or in e-mail.
The Act, which repealed existing law regarding security breaches, became law on July 1, 2014. The Act requires covered entities, governmental entities and third-party agents to take reasonable steps to protect and secure electronic data containing personal information. Personal information means an individual's name, social security number, driver's license, financial account number(s), medical history/condition, health insurance policy number(s) and user names or e-mail addresses used in combination with a password or security question that would permit access to an online account.
For purposes of the Act, covered entities generally include commercial entities, such as sole proprietorships, corporations, partnerships, trusts or associations that acquire, store and use personal information.
Among other things, the Act requires covered entities to provide notice, within thirty (30) days after the determination of the breach or reason to believe a breach has occurred, to the Department of Legal Affairs ("DLA") of any security breach affecting 500 or more individuals in Florida and to individuals whose personal information was, or may have been, accessed as a result of a data breach. Governmental entities are subject to the same notification requirements as covered entities. Third-party agents who maintain and store personal information on behalf of a covered entity or governmental entity are required to notify the covered entity or governmental entity within ten (10) days following the determination of the breach or reason to believe a breach has occurred.
All information reported to the DLA related to security breaches or received pursuant to an investigation is confidential and exempt from Florida's Public-Records Law and the State Constitution.
The DLA is given authority to enforce the Act under the Florida Deceptive and Unfair Trade Practices Act and to civilly prosecute violations. Violators, with the exception of governmental entities, are subject to civil penalties of up to $500,000 per breach, not per individual affected by the breach.