Florida Governor Rick Scott is expected soon to sign into law a recent bill toughening Florida’s data breach notification law.  The law applies to commercial entities that collect, store or use personal information of Florida residents, wherever located.  (Certain provisions also apply to state governmental entities.)  The Florida Information Protection Act of 2014 makes four notable changes.

  • First, the act expands the definition of personal information to include a username or email address, when combined with a password or security question and answer that would permit access to an individual’s online accounts.  Personal information also now includes a first name or first initial and last name in combination with medical information or health insurance policy numbers or identifiers.  
  • The act also shortens the time period for individual notification from 45 days to 30 days following discovery of the breach.  Covered entities have a 15-day grace period to provide individual notification – written or emailed – if they notify the Department of Legal Affairs within 30 days and state good cause for the delay.  
  • It adds a requirement that covered entities notify the Florida Department of Legal Affairs within 30 days whenever a breach affects 500 or more Floridians.  
  • Further, the act imposes an affirmative obligation on covered entities to “take reasonable measures to protect and secure” personal information. 

The act also provides specific guidance as to the contents of the notice.  When informing the Department of Legal Affairs, covered entities must include: (1) a description of the breach, (2) the number of affected Floridians, (3) any free services being offered to affected individuals (e.g., credit monitoring), (4) a copy of the notice being provided to individuals, and (5) contact information for the covered entity from whom to obtain further details.  The Department of Legal Affairs may additionally request a police or computer forensics report, any company policies on data breaches, and information on steps taken to rectify the breach.  Notice to individuals must include: (1) the date of the breach, (2) the type of personal information affected, and (3) contact information for individuals to learn more about the breach and what type of information the covered entity maintained on that individual.

The new law maintains the exception that individual notification may be delayed if it would interfere with a criminal investigation, but imposes a new requirement that such law enforcement requests for delay be in writing and specify the time period of necessary delay.  Law enforcement may extend (or terminate) the time period for delay, but must always specify the length of time necessary. Because the act purports to require written requests from federal, state, and local law enforcement, it raises interesting questions of state authority over federal law enforcement, which may be unwilling to provide written requests for a variety of reasons.

Similarly, the new law continues the exception that covered entities may forgo individual notification if the breach is unlikely to result in identity theft or financial harm to individuals.  However, whereas the old law permitted companies to make this determination following an appropriate investigation or consultation with law enforcement, the new act requires covered entities to do both.  Such determinations that the risk of harm is low and individual notification is unwarranted must still be in writing and maintained for five years, but now must be submitted to the Department of Legal Affairs within 30 days of determination.

Covered entities that provide notice in compliance with the procedures established by their primary or functional federal regulators continue to be deemed in compliance with the act’s notice requirements.  However, the act eliminates the provision that permitted companies to follow their own notification procedures, so long they were consistent with the timing requirements of Florida law.

Potential fines and the requirement to notify credit reporting agencies when 1,000 individuals are affected remain the same under the act.