The Florida Information Protection Act of 2014, aimed at strengthening Florida’s data breach notification law, goes into effect tomorrow, July 1, 2014. The act contains major changes to Florida’s existing data breach notification statute and makes it one of the toughest in the nation.
Shortened notice period
For example, notice to consumers must be given within 30 days of the discovery of the breach or belief that a breach occurred, unless delayed at the request of law enforcement for investigative purposes or for other good cause shown. Previously, the law allowed 45 days for such notice. Fines may be imposed on private entities for failure to comply with the notice provisions ($1,000 per day for the first 30 days following a violation of the notification requirements; $50,000 for each subsequent 30-day period thereafter; and, if the violation continues for more than 180 days, an amount not to exceed $500,000). The notice requirement applies to personal information contained in any computerized data system and is triggered when unencrypted personal information may have been acquired by an unauthorized person.
Duty to protect data
Perhaps most notably, the new law imposes an affirmative duty on businesses, Florida government departments, and third-party agents to take reasonable measures to protect and secure personal information stored or maintained by these entities. This places Florida in a growing minority of states that impose such an affirmative duty. All businesses and government entities that collect personal information of individuals should ensure that they have adopted and implemented appropriate data security programs and incident response plans.
Expanded definition of personal information
Mirroring other states such as California, the new law also broadens the definition of “personal information” to include medical and health insurance information in connection with a Florida resident’s first and last name. This expansion also included a resident’s user name or e-mail address in connection with a password that would allow access to online accounts.
Notice to Department of Legal Affairs
Businesses and other entities that encounter a data breach affecting more than 500 Florida residents will now also be required to notify the Florida Department of Legal Affairs within 30 days of discovery of the breach, regardless of whether or not the breach adversely impacted Florida residents. This notification must include a synopsis of the breach and a copy of the notice sent to Florida residents whose personal information may have been accessed, among other requirements. Covered entities will also now be able to notify Florida residents via email that there was a data breach involving their personal information.
This law clearly places Florida firmly among the group of states with the most stringent data breach notification requirements. This group of states is growing as state legislatures grapple with recently publicized high impact data breaches.