If your business stores personal information of Florida Residents, you must be aware of a new Florida statute that has created specific reporting requirements in the case of a data breach.  Failure to comply can result in significant fines up to a half a million dollars. This newly passed Florida Information Protection Act of 2014 requires that any data breach affecting 500 or more individuals must now be reported to the Florida Department of Legal Affairs. The individuals whose data was exposed must be notified as well. 

The Florida Information Protection Act of 2014 (“FIPA”) became effective July 1, 2014 (F.S. 501.171).  Florida expands the definition of “personal information” to include:

• email addresses and account numbers with passwords
• first and last names with health or medical information
• social security and driver license numbers
• online account credentials. 

The FIPA also contains the following requirements under Florida law:

• An expanded definition of “breach” to include any “unauthorized access”;
• A shortened deadline of 30 days after discovery of the breach to notify the Florida Attorney General;
• Third party agents or vendors have 10 days to notify a Covered Entity of a breach;
• Breaches affecting more than 500 individuals require notice to the Florida Department of Legal Affairs within thirty (30) days of the discovery of a breach;
• Covered Entities who report a breach must provide the Florida Attorney General copies of forensic reports and policies concerning breaches upon request;
• Covered Entities are required to take reasonable measures to protect and secure data in electronic form such as encrypting data or removing personally identifiable information from data;
• Covered Entities must, within 30 days, notify all individuals in writing located in Florida whose personal information was accessed as a result of a breach, unless after appropriate investigation and consultation with law enforcement, the Covered Entity determines and documents in writing that the breach will not likely result in identity theft or financial harm to those affected;
• Covered Entities must notify all credit reporting agencies if the breach involves more than 1,000 persons;
• Covered Entities that fail to make the required disclosures face fines of $1,000 per day for the first 30 days and $50,000 for each subsequent 30 day period, to a maximum of $500,000.

All Florida Covered Entities that accept and maintain the personal information of Florida residents should immediately create an action plan to protect and secure electronic data.  Current policies and procedures should be reviewed and updated as necessary, and new procedures should be developed to identify and deal with data breaches.  Covered Entities who share personal information with third party vendors should review and update agreements with such vendors to ensure they too are compliant, as a covered entity could face liability from the actions of its vendors.  Finally, Covered Entities should review or update liability policies to cover the rising cost of data breaches and consider the purchase of a separate cyber-liability policy.