The Florida Legislature recently passed the Florida Information Protection Act of 2014 (FIPA). This post describes the FIPA and analyzes the advantages and disadvantages to businesses governed by the new law. The FIPA must still be signed by the Governor, but the law received unanimous support in the legislature, so his signature is expected. Once signed, the law would go into effect in less than two months.
What is the FIPA? The FIPA will replace Florida’s existing data breach notification law. It has a reactive component (what companies must do after a breach) and a proactive component (what companies must do to protect personally identifiable information they control regardless of whether they ever suffer a breach). The FIPA governs “covered entities.” A covered entity is a commercial entity that acquires, maintains, stores or uses personally identifiable information. A “breach” triggering the FIPA is the unauthorized access of data in electronic form containing personally identifiable information (PII). The FIPA applies only to PII in electronic form, though an argument can be made that the secure disposal requirement under the FIPA applies to PII in any form given its use of the term “shredding.”
What is PII? PII is defined as a first name or first initial and last name in combination with any of the following:
- social security number;
- driver’s license or ID card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
- a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
- information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
- an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
PII also includes a username or email address in combination with a password or security question and answer that would permit access to an online account. The FIPA does not apply to PII that is encrypted, secured, or modified such that the PII is rendered unusable.
Do covered entities have to notify the Florida Attorney General’s Office of a breach? Yes. Covered entities must notify Florida’s Department of Legal Affairs (i.e., the Florida Office of the Attorney General) of any breach that affects more than 500 people. Notice must be provided as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a breach occurred. An additional 15 days is permitted if good cause for delay is provided in writing to the Attorney General within 30 days after determination of the breach or reason to believe a breach occurred.
The notice to the Attorney General must include:
- a synopsis of the events surrounding the breach;
- the number of affected Floridians;
- any services related to the breach being offered without charge to the affected individuals (e.g., credit monitoring) and instructions as to how to use such services;
- a copy of the notice sent to affected individuals or an explanation as to why such notice was not provided (e.g., there was no risk of financial harm); and
- the name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.
Additionally, if the Attorney General asks for any of the following, the covered entity must provide it:
- a police report
- an incident report
- a computer forensics report
- a copy of the policies in place regarding breaches
- steps that have been taken to rectify the breach
When must affected individuals be notified? Notice to affected individuals must be made as expeditiously as practicable and without unreasonable delay. The law allows covered entities to take into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached. But even with those considerations, notice to affected individuals cannot take longer than 30 days after determining or having a reason to believe that a breach has occurred.
Two exceptions can permissibly delay or eliminate the obligation to notify affected individuals. One exception is an authorized delay, which occurs when law enforcement determines that notice to individuals would interfere with a criminal investigation. The determination must be in writing and must provide a specified period for the delay, based on what law enforcement determines to be reasonably necessary. The delay may be shortened or extended at the discretion of law enforcement.
The second exception is a waiver, which occurs where, after an investigation and consultation with law enforcement, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the affected individuals. If a waiver applies, the covered entity must document it, maintain the documentation for five years, and provide the documentation to the Attorney General within 30 days after the determination.
How must notice to affected individuals take place and what must it include? Direct notice to affected individuals can take one of two forms: it can be in writing (sent to the mailing address of the individual in the records of the covered entity) or it can be by email to the email address of the individual in the records of the covered entity. In either form, the notice must include: (a) the date, estimated date, or estimated date range of the breach; (b) a description of the PII that was accessed; and, (c) information that the individual can use to contact the covered entity to inquire about the breach and the PII that the covered entity maintained about the individual.
Can a covered entity provide substitute notice to affected individuals? If the cost of direct notice would exceed $250,000, more than 500,000 individuals are affected, or the covered entity does not have a mailing or email address for the affected individuals, then substitute notice can be provided. The substitute notice must include a conspicuous notice on the covered entity’s website and notice in print and to broadcast media where the affected individuals reside.
What if the covered entity is governed by HIPAA or some other federal regulations? Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity’s primary or functional federal regulator is deemed to be in compliance with the notice requirement to individuals under the FIPA. However, a copy of that notice must be timely provided to the Attorney General. For example, if a company is governed by HIPAA, then its notice pursuant to the HIPAA Breach Notification Rule will be sufficient to meet the requirements under the FIPA, but a copy of that notice still must be sent to the Attorney General.
Do covered entities have to notify credit reporting agencies? If more than 1,000 individuals are affected, then notice to all consumer reporting agencies must be provided without unreasonable delay.
What if the breach occurs with a third-party agent (e.g., a vendor)? A third-party agent is an entity that has been contracted to maintain, store, or process PII on behalf of a covered entity or governmental entity. If a third-party agent suffers a breach, it must notify the covered entity within 10 days following the determination of the breach or reason to believe the breach occurred. Upon receiving notice of the breach, the covered entity must then comply with the requirements to notify affected individuals and the Attorney General. In that case, the third-party agent must provide all information necessary for the covered entity to comply with its notice requirements. The third-party agent may notify affected individuals and the Attorney General on behalf of the covered entity, but the agent’s failure to provide proper notice is deemed a violation against the covered entity.
Are there obligations other than notification after a breach? In addition to the reactive component of the FIPA (actions covered entities must take after a data breach), the FIPA also has a proactive component that imposes obligations on covered entities regardless of whether they ever suffer a breach. Specifically, covered entities must take reasonable measures to protect and secure PII. Covered entities must also take reasonable measures to dispose, or arrange for the disposal, of customer records containing PII within their custody or control when the records are no longer to be retained. Such disposal must involve shredding, erasing, or otherwise modifying the PII in the records to make it unreadable or undecipherable through any means.
Who enforces the FIPA and how? A violation of the FIPA is an unfair or deceptive trade practice subject to an action by the Attorney General under Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) against the covered entity or third-party agent. A covered entity that does not properly notify affected individuals or the Attorney General may be fined up to $500,000 per breach, depending on the number of days in which the covered entity is in violation of the FIPA. The law creates no private cause of action, nor does the presumed FDUTPA violation available to the Attorney General appear to apply to a private action under FDUTPA.
The law will become effective on July 1, 2014 if it is signed by the Governor.