Florida’s Strict New Data Breach Notification Law Takes Effect
The new law sets up one of the most robust data protection regimes in the United States and is relevant to any business that collects personal information nationwide.
On June 20, Florida Governor Rick Scott signed into law a new data breach notification statute, Florida Statutes section 501.171, called the Florida Information Protection Act of 2014 (FIPA). FIPA took effect on July 1 and replaced Florida’s existing data breach notification statute, Florida Statutes section 817.5681. FIPA significantly expands the definitions of what constitutes personal information and a data breach, introduces a shortened deadline for providing notice to affected Florida residents, and creates unique document disclosure requirements.
Key Provisions of FIPA
The definition of a “breach” has been expanded from an “unlawful and unauthorized acquisition” of personal information to the “unauthorized access” of personal information. As such, Florida has become one of a few states where mere access to personal information without authorization, as opposed to actual theft, can trigger the breach notification requirement; however, notice to affected individuals will not be required if, after appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the affected company determines that the breach is unlikely to cause identity theft or other financial harm.
The deadline to provide notice to individuals affected by a data breach has been shortened to 30 days. This 30-day deadline is now the shortest such deadline among all similar existing state breach notification statutes. A 15-day extension of the 30-day deadline may be obtained from the Florida Department of Legal Affairs (the Department) upon a showing of good cause. Also, as with the old statute, the notice may be delayed at the request of law enforcement so it will not interfere with a criminal investigation. If an affected company determines that identity theft or other financial harm is unlikely, notice of such determination must be made to the Department within 30 days.
The definition of “personal information” has been expanded to include not only a name in combination with a Social Security number, driver’s license number, financial account number, credit or debit card number, or similar identification number, but also the following new elements: (1) a username or email address in combination with a password or security question with an answer that would permit access to online accounts and (2) a name in combination with a passport number, health insurance policy number, or other health information or conditions. (Encrypted information is expressly excluded from this definition.)
In the case of a breach that affects more than 500 Florida residents, notice of the breach must be provided to the Department within 30 days. A 15-day extension of the 30-day deadline may be obtained upon a showing of good cause. Also, in connection with such a breach, there is a unique requirement to provide documentation related to the breach to the Department on request, including copies of any police reports, incident reports, forensic reports, internal policies regarding data breaches, and information about the specific steps that have been taken to rectify the breach. (Another Florida statute, SB 1526, was simultaneously enacted on June 20 and will, subject to certain exceptions, afford confidential treatment under Florida’s public records law to such documents provided to the Department.) This is another reason to have appropriate data protection plans in place before a potential breach occurs.
There is a general requirement to take “reasonable measures” to protect and secure personal information and to dispose of records (whether in paper or in electronic form) containing personal information once the records are “no longer to be retained.”
Third-party agents that maintain systems containing personal information are required to notify the relevant data owners of a data breach within 10 days. If notice of a breach is sent to more than 1,000 Florida residents, consumer credit reporting agencies must also be notified of the breach.
Like the old Florida statute, FIPA treats violations as unfair or deceptive trade practices under Florida law and sets forth civil penalties up to $500,000. However, there is no private right of action under FIPA.
Companies that collect personal information about Florida residents may need to update their data breach policies and procedures to ensure compliance with FIPA. If unauthorized access to personal information of Florida residents occurs, companies must quickly determine (in consultation with authorities) whether identity theft or other financial harm is likely to occur, as various legal obligations may need to be addressed within 30 days.