Effective July 1, the Florida Information Protection Act of 2014 ("FIPA" or the "Act") expands the scope of Florida's previous data breach notification law, establishes more definitive guidance on when Florida businesses must report breaches, and increases penalties for noncompliance. All commercial entities that acquire, store, maintain, or use personal information of Florida citizens ("covered entities") need to be aware of these changes and implement measures to address and adhere to Florida's specific requirements.
Expanded Scope for Protected Information
Florida's previous breach notification law applied to breaches or "unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person." FIPA reduces uncertainty by simply defining a breach as unauthorized access to electronic data containing personal information.
Along with this clearer definition, FIPA includes a broader range of what constitutes personal information. Under the Act's previous version, personal information included only an individual's name in combination with a social security number, Florida license or identification card number, or account number with any code or password that would allow access to the account. FIPA expands this definition and now also includes an individual's name in combination with a passport, military identification or similar number on a government document used to verify identity, any medical history information, as well as a health insurance policy or subscriber number and a unique identifier for the individual. Additionally, a username or email address in combination with a password or security question and answer that would permit access to an online account also constitutes personal information.
Specific Notification Requirements
Covered entities must notify Florida citizens whose personal information is accessed as the result of a breach no later than 30 days after the breach occurs or after the entity has reason to believe the breach occurred. FIPA provides an exception to this requirement: a covered entity may forgo individual notifications if, after an investigation and consultation with relevant law enforcement agencies, it determines that the breach will not likely result in identity theft or financial harm.
Covered entities must notify Florida's Department of Legal Affairs regarding any breach that affects 500 or more individuals. Such notice must be made within 30 days and include a synopsis of the breach, the number of individuals affected, a copy of the notice sent to individuals, and contact information for an employee or agent of the covered entity. Upon request, the covered entity must provide a police, incident, or computer forensics report, the policies in place regarding breaches, and steps that have been taken to rectify the breach.
In the event that a breach occurs to a system maintained by a covered entity's third-party agent, the agent must provide notice and details of the breach to the covered entity within ten days. While the agent may provide notice of the breach to individuals and the Department of Legal Affairs, such notification remains the covered entity's responsibility. As required by the previous law, FIPA also calls for covered entities to notify all consumer credit reporting agencies without unreasonable delay regarding a breach of more than 1,000 individuals.
Increased Penalties for Noncompliance
FIPA requires covered entities and their agents to take reasonable measures to protect and secure Florida citizens' personal information in electronic form. When a breach occurs and a covered entity fails to notify affected individuals or the Department of Legal Affairs when required, the entity violates the Florida Deceptive and Unfair Trade Practices Act and faces a penalty of up to $500,000. Specifically, covered entities will be liable for civil penalties in the following amounts: $1,000 per day after the thirty (30) day notification period lapses, $50,000 for each subsequent 30-day period, and an amount not to exceed $500,000 if the violation continues for more than 180 days. FIPA does not create a private right of action.