Effective July 1, 2014, Florida has repealed its existing data breach law in favor of a new, more stringent law. Florida has joined the list of states requiring notice to regulators: specifically, an entity must notify the Department of Legal Affairs of any breach affecting 500 or more Florida residents as soon as possible, but no later than 30 days after determining that a breach has occurred or having reason to believe that a breach has occurred. The new law also specifies the content of that notification (e.g., description of the breach, number of Florida residents affected, services offered to individuals, copy of the notice to be provided to the individual, and contact person to field questions regarding the breach).
Florida also has expanded the definition of personal information. Under the prior law, Florida had defined personal information to include name plus a social security number, a driver’s license (or other government identification number), or certain financial account information. The new Florida law also includes the following in the definition of personal information: (1) name plus an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify an individual; and (2) user name or email address, plus a password or answer to a security question that would enable access to an online account.