On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (FIPA) into law. FIPA imposes stringent new security and notice requirements on businesses and employers that maintain personal information regarding individuals, employees, and customers. FIPA becomes effective on July 1, 2014.
Existing Florida Law
Currently, Section 817.5681, Florida Statutes, requires entities that conduct business in Florida and maintain computerized data in a system that contains personal information to provide notice of any breach of the personal information to affected Florida residents within 45 days. “Personal information” includes an individual’s first name, first initial and last name, or any middle name and last name, in combination with the individual’s (1) Social Security number; (2) driver’s license number or Florida Identification Card number; or (3) account number, credit card number, debit card number together with any required security code, access code, or password that would permit access to an individual’s financial account.
A “breach” under current law is an “unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person.” However, entities are not required to notify affected individuals if, “after an appropriate investigation” or after consultation with law enforcement, it is determined that the breach will not likely result in harm to the affected individuals.
The New FIPA
FIPA replaces the existing data breach statute and applies to the following “covered entities”: sole proprietorships, partnerships, corporations, trusts, estates, cooperatives associations, other commercial entities, and governmental entities that acquire, maintain, store, or use personal information.
Expanded Protected Personal Information
The definition of “personal information” in FIPA incorporates the personal information listed in the current law and adds the following information concerning the individual: (1) medical history, mental or physical condition, and medical treatment or diagnosis by a health care professional; (2) health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; and (3) user names or email addresses, in combination with a password or security question and answer that would permit access to an online account. However, “personal information” does not include information that has been made publicly available by a federal, state, or local governmental entity or information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
New Definition of Data Breach
A “breach of security” or “breach” under the new law means any unauthorized access of data in electronic form containing personal information. However, good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security so long as the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
Stricter Notification Requirements
Covered entities now have only 30 days after a determination of a breach to provide the required notifications to affected individuals. The notice must include: (1) the date, estimated date, or estimated date range of the breach; (2) a description of the personal information accessed; and (3) contact information for the covered entity for inquiries about the breach and the personal information the covered entity maintained about the individual. Notice to affected individuals may be made by written notice sent to the individual’s mailing address or by email.
FIPA retains the exception to the notice requirement for breaches that do not create a risk of identity theft or other financial harm. However, covered entities must now consult with relevant federal, state, of local law enforcement agencies before making a determination about the risks of the harm.
Covered entities must also notify the Department of Legal Affairs regarding any breach affecting 500 or more Florida residents. Notice to the Department of must include: (1) a synopsis of the events surrounding the breach; (2) number of Florida residents affected or potentially affected; (3) any services related to the breach being offered, without charge, by the covered entity to affected individuals along with instructions how to use the services; (4) a copy of the notice provided to affected individuals; and (5) the name, address, telephone number, and email address of the employee or agent of the covered entity that can provide further information. Covered entities must also provide the Department, upon request, (1) a police report, incident report, or computer forensics report; (2) a copy of the policies in place regarding breaches; and (3) steps taken to rectify the breach.
Similar to the current law, third party agents that maintain or process data on behalf of another entity and experience a breach currently must provide notice to the data owner within 10 days.
Civil Penalties Retained
Like the current law, civil penalties for violations of FIPA include: $1,000 per day for the first 30 days of noncompliance, and $50,000 for each subsequent 30-day period. Violations that continue for more than 180 days would have a maximum penalty of $500,000. FIPA does not provide for a private cause of action.
Impact on Businesses and Employers
Companies conducting business in Florida or employing employees in Florida must now contend with one of the nation’s most stringent data breach notification laws. Immediately impacted will be businesses covered by the Health Insurance Portability and Accountability Act (HIPAA) as FIPA requires these businesses to provide affected individuals whose medical information has been breached with notice within 30 days rather than the 60 days as required under HIPAA. Further, employers must now protect the medical information, medical insurance information, and user names and passwords of employees from unauthorized access and must provide the required notice to affected employees for any breach. Therefore, covered entities should review and revise their breach notification policies to comply with the new requirements.