Florida’s new data breach notification law, effective July 1, 2014, follows a recent trend of expanding the definition of personal information and requiring entities to notify state attorney general offices or other regulators. The Florida Information Protection Act, signed into law June 20, repeals the existing data breach notification law and imposes new requirements on covered entities. First, the definition of personal information has been expanded. Personal information includes those data points that are present in most data breach notification laws – an individual’s name in combination with Social Security number, driver’s license number, or financial account number with a its corresponding security code or password – but also includes medical history and health insurance policy number. In addition, the definition now includes a user name or email address in combination with a password or some other information that allows access to an online account.
The Florida law requires notification to be made to the affected individuals, the state Department of Legal Affairs with the attorney general’s office, and credit reporting agencies, under certain circumstances. Notification to individuals and to the attorney general must occur within 30 days after determination of the breach or reason to believe a breach occurred. Florida already allows an entity to conduct a risk-of-harm analysis to determine if notification is required, and the new law retains that right. An entity is not required to notify individuals if it “reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.” That determination must be documented in writing and maintained for five years, and must be provided to the attorney general within 30 days. If an entity determines that notification to individuals is required, such notification should include the date of the breach, a description of the information compromised, and contact information for the entity.
Notification to the attorney general must include a description of the breach, the number of Floridians affected, information regarding any services being offered, a copy of the notice, and contact information for an individual who can provide additional information. Upon request, an entity must also provide a copy of any police report or incident report, as well as a computer forensic report and internal policies relating to breaches. These sensitive documents – forensic reports and internal policies – do not have to be disclosed in any other state.
The new law also requires entities to take reasonable measures to protect and secure data in electronic form containing personal information.