My last post described what the recently passed Florida Information Protection Act (FIPA) will do. This post analyzes how FIPA differs from Florida’s existing breach notification law and explains why those differences will hurt or help companies that maintain information about Florida residents. Florida’s Governor must still sign the FIPA into law, but his signature is expected given the unanimous support of FIPA in the state legislature. Once signed, the law will go into effect on July 1, 2014. So what do businesses need to know about FIPA?
Attorney General Notification
The first significant difference between FIPA and Florida’s existing breach notification law is that, with some limited exceptions, breached entities will be required to notify Florida’s Attorney General within 30 days of any breach that affects more than 500 Florida residents. Until now, Florida has been part of the majority of states that does not require notice of a breach to the state Attorney General.
The law also requires breached entities to notify the Attorney General’s office even when the entities decide notification to affected consumers is not necessary because the breach will not likely result in harm to affected individuals. It remains to be seen whether this change in the law will result in a flood of “non-notifications” to the Attorney General’s office.
The FIPA provides teeth for the Attorney General’s Office to enforce it. A violation of FIPA may be automatically considered a violation of Florida’s Deceptive and Unfair Trade Practices Act. Though the FIPA does not create a private cause of action, we could see the Attorney General actively enforce the law against breached entities that fail to meet the law’s requirements.
Broader Definition of PII
Another significant change in Florida law as a result of the FIPA is the expansion of the definition of personally identifiable information (PII). PII will now include the username or email address in combination with a password or security questions and answer that would permit access to an online account. This change is based on a realization that consumers are increasingly storing information online and, unfortunately, often using the same usernames and passwords. The net result, however, will be an increased number of data breaches under the law.
Shortening the Breach Response Period
FIPA also shortens the time a breached entity has to notify affected individuals of a breach. Currently, breached entities must notify affected individuals “without unreasonable delay” but they have up to 45 days. The new law requires breached entities to notify affected individuals “as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred,” unless a waiver or authorized delay is issued.
This change raises a couple of concerns for breached entities. First, while in most instances 30 days may be enough time to notify affected individuals of a breach, in some cases that will not be enough time. There are many steps that must take place as part of the notification process, including determining the source and scope of the instruction, identifying what information is affected, identifying who is affected and where they live, and ensuring that the threat is no longer in existence. Adopting a bright line deadline may end up punishing breached entities that are working as quickly as possible to respond to a breach.
Second, it is not clear under the FIPA what starts the clock running on the 30 days. When is “determination of the breach” triggered? Is it when the breached entity reasonably believes an intrusion has occurred? Is it when the entity knows that PII has been affected? Is it when the entity knows whose PII has been affected? I would argue that clock shouldn’t start running until the entity knows that the PII of a Florida resident has been affected, but we are left to guess how regulators will interpret this requirement.
Notification by Email
A welcome change that the FIPA will usher in is breach notification by email. This will help significantly reduce the cost of breach notification in matters that involve a large number of Florida consumers. It is also recognition that the best contact information a company may have for its customers is their email address.
Be prepared to turn over your incident and forensic reports
Perhaps the most significant change is that the FIPA purports to require breached entities to provide incident reports, data forensic reports, and the company’s policies in place regarding breaches, if the Florida Attorney General’s Office requests them. These documents sometimes contain unintentionally damaging statements or proprietary information about a company’s security infrastructure that the company would not want to be made public. And, once disclosed to the Attorney General’s office, the documents may become subject to a public records request? As a result of this change, we could see breached entities either not requesting reports at all (out of concern that they will have to disclose them to third parties), or requesting two versions – a sanitized version that contains little information and can be produced to the Attorney General, and a more fulsome version for internal use. Either result could not have been what the legislature intended when it passed this law. It will also be interesting to see how the FIPA will affect the work product and self-critical analysis privileges that apply to data forensic reports prepared at the direction of counsel.
Proactive Security Requirements
The FIPA adds a new type of protection of PII: it requires that an entity maintaining PII adopt “reasonable measures” to protect and secure the PII. With this change, Florida joins the minority of jurisdictions that statutorily require entities maintaining PII to adopt safeguards regardless of whether the entity ever suffers a breach. To be sure, adopting safeguards to protect PII is a good idea regardless of whether it is statutorily required, and the failure to adopt those safeguards could expose a company to an enforcement action by the FTC or state attorney general under the FTC Act or “little FTC Acts,” respectively, even in states where those safeguards are not required. But the FIPA provides no guidance as to what is meant by “reasonable measures.” Does this mean encryption? Password protection? Are written policies and training required? Does it differ depending on the size of the breached entity? Again, we are left to guess.
Some Final Observations
A few closing observations about the FIPA:
- The definition of a breach is still limited to electronic personal information; so a breach involving purely paper records may not trigger the statute.
- A violation of the statute is automatically considered a violation of Florida’s Deceptive and Unfair Trade Practices Act, but that violation appears to be enforceable only by the Florida Attorney General and not a private cause of action.
- A breach now means unauthorized “access” of PII, where before it was defined as unauthorized “acquisition” of PII. This change broadens the number of scenarios that could be considered a breach.
In short, the FIPA is generally a consumer-friendly law that will increase the number of breaches that require notification, shorten the time by which notification must take place, require that the Attorney General be included in the breach notification process, and demand that companies adopt security safeguards to protect PII regardless of whether they ever suffer a breach.