On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (FIPA) into law. FIPA imposes stringent new security and notice requirements on businesses and employers that maintain personal information regarding individuals, employees and customers. FIPA became effective on July 1, 2014.
Prior Florida Law
Prior to July 1, 2014, Section 817.5681, Florida Statutes, required entities that conduct business in Florida and maintain computerized data in a system that contains personal information to provide notice of any breach of the personal information to affected Florida residents within 45 days. "Personal information" included an individual's first name, first initial and last name, or any middle name and last name, in combination with the individual’s (1) Social Security number; (2) driver's license number or Florida Identification Card number; or (3) account number, credit card number, debit card number together with any required security code, access code, or password that would permit access to an individual’s financial account.
A "breach" under the prior law was an "unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person". However, entities were not required to notify affected individuals if, "after an appropriate investigation" or after consultation with law enforcement, it was determined that the breach would not likely result in harm to the affected individuals.
The New FIPA
FIPA repeals and replaces the existing data breach statute and applies to the following "covered entities": sole proprietorships, partnerships, corporations, trusts, estates, cooperatives, associations, and other commercial entities that acquire, maintain, store, or use personal information.
Expanded Protected Personal Information
The definition of "personal information" in FIPA incorporates the personal information listed in the prior law and adds the following information concerning the individual: (1) passport number, military identification number or similar number issued on a government document used to verify identity; (2) medical history, mental or physical condition, and medical treatment or diagnosis by a health care professional; and (3) health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. Additionally, personal information now includes a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. However, "personal information" does not include information that has been made publicly available by a federal, state, or local governmental entity, or information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
New Definition of Data Breach
A “breach of security” or “breach” under the new law means any unauthorized access of data in electronic form containing personal information whether or not such access materially compromises the security, confidentiality, or integrity of personal information. However, good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security so long as the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
Stricter Notification Requirements
Notice to affected individuals. Covered entities now have up to 30 days after a determination of a breach to provide the required notifications to affected individuals in Florida. The 30-day notice deadline may be delayed if a federal, state or local law enforcement agency determines that the notice to individuals would interfere with a criminal investigation and requests the delay in writing. The law enforcement agency may revoke or extend the delay upon a subsequent written request.
The notice must include: (1) the date, estimated date or estimated date range of the breach, (2) a description of the personal information accessed, and (3) contact information for the covered entity for inquiries about the breach and the personal information the covered entity maintained about the individual. Notice to affected individuals may be made by written notice sent to the individual's mailing address or by e-mail notice. However, if providing direct notice is not feasible because the cost of providing such notice exceeds $250,000, the number of affected individuals exceeds 500,000 persons, or the covered entity does not have a mailing address or e-mail address for affected individuals, the covered entity can provide substitute notice. Substitute notice includes a conspicuous notice on the covered entity's website (where the covered entity maintains a website) and notice in print and broadcast media, including major media in urban and rural areas where the affected individuals reside.
FIPA retains the exception to the notice requirement for breaches that do not create a risk of identity theft or other financial harm. However, covered entities must now consult with relevant federal, state, or local law enforcement agencies before making a determination about the risk of harm. Covered entities must also document such determination, provide the documentation to the Department of Legal Affairs within 30 days after the determination, and maintain the written determination for at least 5 years.
Notice to the Department of Legal Affairs. Covered entities must also notify the Department of Legal Affairs within 30 days of any actual or suspected breach affecting 500 or more Florida residents. Covered entities may receive 15 additional days to provide notice if good cause for the delay is provided to the Department in writing within 30 days after the determination of the breach or suspected breach.
Notice to the Department must include (1) a synopsis of the events surrounding the breach, (2) the number of Florida residents affected or potentially affected, (3) any services related to the breach being offered, without charge, by the covered entity to affected individuals along with instructions on how to use the services, (4) a copy of the notice provided to affected individuals, and (5) the name, address, telephone number and e-mail address of the employee or agent of the covered entity who can provide further information. Covered entities must also provide the Department, upon request, (1) a police report, incident report, or computer forensics report; (2) a copy of the policies in place regarding breaches; and (3) the steps taken to rectify the breach.
Notice to Credit Reporting Agencies. If notice is required to more than 1,000 individuals at a single time, the covered entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Notice required of third-party agents. As under the prior law, third-party agents that maintain or process data on behalf of another entity and experience a breach must provide notice to the data owner within ten days.
Duty to Protect Personal Information
Unlike the prior law, FIPA requires each covered entity, governmental entity or third-party agent to take reasonable measures to protect and secure data in electronic form containing personal information. The law does not specify what “reasonable measures” must be taken but courts in other states with data breach notification laws have applied a standard of “commercially reasonable security”. Factors to be considered include whether the measures are commensurate with the risks involved and the magnitude of potential harm and the cost and difficulty of implementation of the measures.
Requirements for Governmental Entities
Government agencies are considered covered entities under FIPA only for purposes of the notice requirements regarding affected individuals, the Department of Legal Affairs, credit reporting agencies and third-party agents.
New Enforcement Tool
FIPA provides that a violation of the law will be treated as an unfair or deceptive trade practice and that the Department of Legal Affairs is authorized to bring an action against a covered entity or third-party agent for injunctive relief and actual damages pursuant to the Florida Deceptive and Unfair Trade Practices Act (FDUTPA). FIPA does not provide for a private cause of action, meaning that affected individuals cannot file suit under FIPA on their own behalf.
Civil Penalties Retained
Like the prior law, civil penalties for violations of FIPA include: $1,000 per day for the first 30 days of noncompliance, and $50,000 for each subsequent 30-day period. Violations that continue for more than 180 days would have a maximum penalty of $500,000.
Impact on Businesses and Employers
Companies conducting business in Florida or employing employees in Florida must now contend with one of the nation’s most stringent data breach notification laws. Immediately impacted will be businesses covered by HIPAA as FIPA requires these businesses to provide affected individuals whose medical information has been breached with notice within 30 days rather than the 60 days as required under HIPAA. Further, employers must now protect the medical information, medical insurance information, and user names and passwords of employees from unauthorized access and must provide the required notice to affected employees for any breach. Therefore, employers should review and revise their breach notification policies to comply with the new requirements.