All businesses maintain personal information on the individuals they employ and those with whom they do business. This may include the individual’s name, address, age, gender, identification numbers, assets, liabilities, payment records, personal references, and health records. If this sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar difficulties for the individuals affected.
Florida is one of many states requiring that businesses appropriately safeguard the personal information of customers, employees and other individuals, and be prepared to respond to a breach should one occur. The Florida Information Protection Act of 2014 (effective July 1, 2014), which has been called one of the broadest and most encompassing data security breach laws in the nation, imposes on covered entities (definition below) a statutory requirement to safeguard Floridians’ personal information, to report a breach to the state attorney general, and to comply with other affirmative obligations.
Upon passage of the data breach law, Florida Attorney General Pamela Bondi promised greater enforcement.
Key provisions of the law include:
- A “covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.
- “Personal information” means an individual’s first name or initial and last name, in combination with (i) a social security number, (ii) a driver’s license or identification card number, or (iii) an account number, credit or debit card number in combination with any required security code or password to access the account or an individual’s user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account without the account number.
- Covered entities must safeguard the personal information they maintain. (Other states with this requirement include California, Connecticut, Maryland, Massachusetts, and Oregon.)
- An individual affected by a breach must be notified as expeditiously as possible, but no later than 30 days from discovery of the breach when the individual’s personal information was, or the covered entity reasonably believes it was, accessed as a result of a breach.
- If the breach affects at least 500 Floridians, the state’s Attorney General must be notified no later than 30 days after determination that a breach has occurred or reason to believe one has occurred. In addition, the Attorney General may require covered entities to provide copies of their policies regarding breaches, steps taken to rectify the breach, and a police report, incident report, or computer forensics report.
Businesses in Florida that maintain personal information about Florida residents should ensure they have reasonable and adequate safeguards to prevent data breaches, including clearly written, disseminated, and published policies and procedures, regular employee training and reminders, and purging of mobile electronic devices before they are sold, donated or otherwise discarded. Published policies should make it clear to employees that the employer’s business information, regardless of where it is located, is confidential and should not be used or disclosed other than for purposes of performing work for the employer.
Moreover, as data becomes more easily accessible and portable, the risks for breaches increase. Businesses need to assess and address these risks continuously from an enterprise-wide perspective. A key source of these risks, many experts have noted, is the widespread use of smartphones. In addition to network and perimeter e-security, a good place for many companies to start is by dealing with a mobile workforce and employees’ demand to use their own devices. State-of-the-art policies should address Bring-Your-Own-Device (BYOD) guidelines, use of social media, employee monitoring and protection of private data, as well as standard protection of trade secrets and confidential information.