Florida Statute § 817.5681 requires that any person or company conducting business in Florida that maintains computerized data in a system containing personal information must notify the individuals whose personal information may be at risk as a result of a breach of that system. The statute, almost identical to breach notification statutes passed in many other states, is designed to reduce and mitigate identity theft. (Note that § 817.5681 has since been repealed and replaced, effective July 1, 2014, by the Florida Information Protection Act, § 501.171, which shortened the individual notice deadline to 30 days and added a requirement to notify the Florida Department of Legal Affairs for breaches affecting 500 or more individuals; the description below covers the original statute.)
Potential liability for disclosures about employees, customers or other stakeholders is not new, but the reach of this statute is extremely broad. It applies not only to companies physically located in Florida but also to any company doing business in Florida, wherever it is located.
The statute protects personal information held in electronic form. "Personal information" is the combination of (1) an individual's name (first name or initial and last name, or middle name and last name) and (2) at least one of the following data elements, when that element is not encrypted: a Social Security number; a driver's license or state identification card number; or an account number, credit card number or debit card number together with any required security code, access code or password that would permit access to the individual's financial account. A name alone, or an account number without its access credential, does not meet the definition.
The statute requires businesses to notify Florida residents if there is a "breach of the security of the system," defined as the "unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information." Good-faith acquisition of personal information by an employee or agent for the business's own purposes is not a breach, provided the information is not used for an unrelated purpose or subjected to further unauthorized use.
In the event of a breach covered by the statute, the entity must notify, without unreasonable delay and no more than 45 days after determining that a breach occurred, every Florida resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notice may be delayed only at the request of a law enforcement agency that determines it would impede a criminal investigation. The law does not allow aggrieved individuals to bring their own lawsuit; instead, the Florida Attorney General, through the Department of Legal Affairs, enforces the statute. Enforcement proceedings may assess fines of up to US$1,000 per day for the first 30 days a breach goes unreported, then US$50,000 for each subsequent 30-day period (or portion thereof) up to 180 days, to a maximum of US$500,000 per breach.
Although the need to protect personal data is nothing new, the spread of data privacy laws and their growing complexity require companies and employers to be proactive in preparing for security breaches rather than reacting to them. Companies doing business in Florida should consider the following:
- Develop a data breach notification plan. A fully developed response plan, including who determines that a breach has occurred (since that determination starts the 45-day clock), who drafts and sends the notices, and how affected Florida residents will be identified, should be in place before a breach occurs.
- Establish data security procedures. Maintain an inventory of where the personal information of customers and employees is stored, restrict and log access to it, and track its movement so that the scope of a breach can be determined quickly.
- Know the law in every state that applies. Depending on where the company does business and where its customers and employees live, several states' notification statutes may apply to the same incident, with differing definitions, deadlines and enforcement provisions.
- Encrypt data. The statute's definition of "personal information" covers only unencrypted data elements, so a properly encrypted copy of that data acquired by an unauthorized person generally does not trigger the notification requirement. Encryption provides this protection only if the decryption keys are not also compromised, so keys must be managed and stored separately from the data they protect.
- Establish procedures for portable devices and media. Personal information copied onto laptop computers, backup tapes, removable discs and similar media is easily lost or stolen, and such losses are among the most common causes of notification obligations; limit what is copied to portable media and encrypt what must be.