Modern wireless POS-terminal with battery and GPRS module

Watch out, Florida businesses! The Florida Information Protection Act of 2014 (FIPA) became law this month, and it will change how you handle data breaches. In recent years, data breaches have almost become commonplace.

Most recently, Target’s massive data breach affected over 70 million credit and debit card accounts. The frequency of data breaches and the havoc they create prompted this response from the Florida Legislature and the Florida attorney general for the protection of Florida consumers.

Signed into law by Gov. Rick Scott on June 20, FIPA’s new requirements took effect July 1 under a newly created statutory provision, Florida Statute Section 501.171. Florida’s previous data breach law has been repealed.

FIPA is designed to increase safeguards to Florida consumers from security breaches of personal information by expanding the scope of key terms, heightening notice requirements, and demanding greater accountability from covered entities.

Expansive Scope

The act requires each covered entity, governmental entity or third-party agent to take reasonable measures to protect and secure data in electronic form containing personal information. The term “covered entity” replaces the term “business entity” and includes within its scope various forms of commercial entities that acquire, maintain, store or use personal information. Governmental entities are deemed covered entities for the purpose of the notice provisions of the statute.

The old definition of personal information included only Social Security numbers, driver’s license numbers or Florida identification numbers, and account numbers, credit card numbers or debit card numbers in combination with the required codes permitting access. While these items remain part of the new definition, personal information has been expanded to include passport numbers, military identification numbers or other government-issued identifiers; information regarding medical history, treatment or diagnosis; health insurance policy numbers and related identifiers; and a username or email address in combination with a password or security question-and-answer combination that would allow access to an online account. A breach of security is the unauthorized access of data in electronic form containing personal information.

Stricter Notice

The new law delineates three key areas of notice.

First, notice is required to the Department of Legal Affairs for any breach of security involving 500 or more individuals in Florida. The covered entity must provide notice as expeditiously as practicable, but not later than 30 days after determination of the breach or reason to believe a breach occurred.

Second, notice is required to each individual in Florida whose personal information was accessed, or is reasonably believed to have been accessed, as a result of the breach. The notice cannot be later than 30 days after determination of a breach or reasonable belief thereof, unless a law enforcement agency determines that the notice would interfere with a criminal investigation, or unless there is a reasonable determination, after appropriate consultation with a law enforcement agency, that the breach has not and will not likely result in identity theft or financial harm to the individuals. A covered entity can provide substitute notice if the cost of providing notice would exceed $250,000, provided that the other statutory criteria are met.

Third, notice is required to consumer reporting agencies in the event of a breach involving more than 1,000 individuals at a single time.

Third-party agents who contract to maintain, store or process personal information should also be mindful of the new notice provisions, which require them to notify the covered entity no later than 10 days following determination of a breach of security.

The new law also requires reasonable measures to dispose of, or arrange for the disposal of, customer records containing personal information when the records are no longer to be retained. Customer records include any material, regardless of physical form, on which personal information is preserved or recorded by any means, and which was provided by an individual in this state to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.

Consequences

A violation of the new law is treated as an unfair or deceptive trade practice under Florida Statute Section 501.207 in any action brought by the department; however, sadly for the plaintiffs’ bar, the act does not establish a private cause of action.

A covered entity that violates the act can be liable for a civil penalty of $1,000 for each day of violation for the first 30 days, and $50,000 for each subsequent 30-day period or portion thereof, for up to 180 days. The total penalty cannot exceed $250,000.

The new law mandates quicker incident response times and stricter notice to individuals affected by the breach and the Florida attorney general’s office.

These and other aspects of the statute will force businesses to review and revise their internal controls and procedures for data security. Florida businesses would be prudent to gear up for compliance with the new law by enlisting the assistance of compliance professionals.