Florida Enacts Stringent Breach Notice Law
Last Friday, Florida’s governor signed into law the Florida Information Protection Act of 2014 (“FIPA”), a bill repealing Florida’s existing data security breach notice law and replacing it with what will be one of the nation’s most stringent breach notice laws. This post summarizes the key aspects of the new law, which becomes effective July 1, 2014.
The Definition of “Personal Information” Now Includes Online Account Credentials
FIPA broadly defines the type of information that, if breached, could require a company to provide notice to consumers and (as discussed below) regulators (“personal information”). Going beyond the narrow scope of information protected by most state data breach laws, FIPA’s definition of personal information includes “a user name or e-mail, in combination with a password or security question and answer that would permit access to an online account.” (California’s breach notice law also defines covered information to include online account credentials.)
Notice to Individuals Must Now Be Provided Within 30 Days of the Incident
The new law states that any required notices to individuals generally must be provided “no later than 30 days after the determination of a breach or reason to believe a breach occurred.” This represents a shortening of Florida’s existing 45-day notice requirement.
Businesses Now Must Notify the Office of the Attorney General About Certain Breaches
For breaches affecting the personal information of 500 or more Florida residents, businesses will now be required to notify the Department of Legal Affairs in the Office of the Attorney General. The notice generally must be provided within 30 days after the business determines or has “reason to believe” that a breach occurred. Requiring businesses to notify regulators about breaches is increasingly common, with over a dozen states requiring such notice. But Florida’s new regulator notice requirement differs from other states’ in a few respects.
First, businesses will be required to notify the attorney general about “[a]ny services related to the breach being offered or scheduled to be offered, with charge, by the covered entity to individuals, and instructions as to how to use such services.” Thus, where businesses provide services such as credit monitoring and identity theft insurance, these will need to be disclosed to the attorney general.
Second, FIPA’s provisions concerning notice to the attorney general state that the covered entity must provide certain information to the department “upon request”: (1) “a police report, incident report, or computer forensics report”; (2) “a copy of the policies in place regarding breaches”; and (3) “steps that have been taken to rectify the breach.”
These provisions are unprecedented, but they may not be as burdensome as some commentators have suggested. On the first requirement, businesses providing credit monitoring or identity theft insurance already must describe these services in their notices to individuals. Requiring that this information be relayed to the attorney general should not materially add to the burdens associated with notifying.
As for the second, FIPA explains these materials need only be provided where the attorney general requests them. In other words, the statute merely authorizes the attorney general to ask for the items for which regulators often ask during investigations. Particularly with respect to the references to “incident” and “computer forensics” reports, it is important to note that nothing in the statute purports to abrogate the attorney-client privilege or work product doctrine, which could, in certain circumstances, protect these reports from compelled disclosure.
Risk of Harm Determinations Now Require Consultation With Law Enforcement and Reporting to the Attorney General
The new law retains Florida’s exception to the notice requirement for incidents that do not create a risk of harm (i.e., “identity theft or . . . other financial harm”) to individuals whose information has been breached. However, the new law requires that an entity first investigate the incident and then “consult with relevant federal, state, or local law enforcement agencies” before making a determination about the risks of the breach. Moreover, the entity must report any decision not to notify based on this risk determination to the attorney general within 30 days after the determination.