Florida has repealed its existing data breach law and has enacted a new law, the “Florida Information Protection Act of 2014,” which became effective on July 1st, 2014. The new law imposes more stringent, and in some cases, unique requirements on companies facing a security breach – including a shorter, 30-day notification requirement and detailed reporting requirements.
Under the law, a covered entity – defined as a company that “acquires, maintains, stores, or uses personal information” – must take “reasonable measures” to protect and secure data in electronic form containing personal information. The definition of “personal information” has been broadened from the prior law and now includes, among other things, account, credit, or debit card numbers in combination with any required security code, access code, or password needed to permit access to an individual’s financial account, as well as user names or email addresses in combination with a password or security question that would permit access to an online account. The new law also applies to a breach of any information regarding an individual’s mental or physical condition, treatment, diagnosis, medical history, health insurance policy number, or any other personal identifier used by a health insurer.
A covered entity must provide three different kinds of notice of a breach – defined to include “unauthorized access” of data in electronic form containing personal information.
NOTICE TO THE FLORIDA ATTORNEY GENERAL
A covered entity must provide notice to the Florida Attorney General of any breach of security affecting 500 or more individuals in Florida. The notice must be provided to the Attorney General as “expeditiously as practicable,” but no later than 30 days after the determination of the breach or reason to believe a breach has occurred. (There is now a possibility of a 15-day extension for “good cause.”) Notably, upon the Attorney General’s request, a covered entity must provide a police report, incident report, or computer forensics report; a copy of its breach policies in effect at the time of the breach; and a description of the steps the covered entity has taken to rectify the breach.
NOTICE TO INDIVIDUALS
A covered entity also must provide notice to each individual in Florida whose personal information was, or the covered entity reasonably believes was, accessed as a result of the breach. This notice must be made as “expeditiously as practicable” and “without unreasonable delay,” taking into account the time necessary to allow the covered entity to determine the scope of the breach, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached. Generally, however, this notice must be provided no later than 30 days after the determination of a breach or reason to believe a breach has occurred. In addition, while the old law allowed notice requirements to be avoided if the breach was not likely to result in identity theft or other financial harm, the new law requires an investigation and written consultation with relevant federal, state or local law enforcement agencies prior to avoiding the notice requirement.
Notice to individuals must be in writing via mail or via email, except the law permits “substitute notice” if the cost of providing direct notice would exceed $250,000 – for example, because the number of affected individuals exceeds 500,000 or because the covered entity does not have an email address or mailing address for the affected individuals.
Substitute notice requires notice on the covered entity’s website plus notice to major media outlets.
NOTICE TO CONSUMER REPORTING AGENCIES
Finally, if a covered entity discovers circumstances requiring notice of more than 1,000 individuals at a single time, the covered entity also must notify, without “unreasonable delay,” all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act.
NEW RECORDKEEPING RULES
The new Florida law also provides new recordkeeping rules. Under the law, a covered entity (or its third-party agent) must take “all reasonable measures” to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Disposal must involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
Violation of the law is deemed an unfair or deceptive trade practice. In addition, a covered entity that fails to timely notify the Florida Attorney General or affected individuals may face a civil penalty of as much as $500,000 per breach (if notice is not made within 180 days of the breach). The law specifically provides that it does not establish a private cause of action.
THE BOTTOM LINE
There are 47 states with security breach notification laws, many of which have different standards. Any company that may possess personal information of Florida residents would be well advised to (1) have a written information security policy in place; and (2) have an incident response plan and team ready to go in the event of a breach.