The Florida Information Protection Act of 2014 (the “Act”), codified at section 501.171, Florida Statutes, became effective July 1, 2014 and replaced Florida’s previous data breach notification law. Under the Act, businesses operating in Florida must take “reasonable measures to protect and secure data in electronic form containing personal information.”
The Act broadens the definition of “personal information” that businesses must protect, modifies the notification timeframes in the event of a “breach of security,” and requires notice to the Florida Attorney General (AG) in certain instances.
All businesses operating in Florida need to know what “personal information” they collect and store, how they protect that information in compliance with the Act, and how they will respond in the event of a “breach of security.”
Several changes brought about by the new law are highlighted below.
The Act Expands the List of “Personal Information” That Businesses Must Protect
Personal information can be used to accomplish identity theft and other actions that have negative financial consequences for individuals. The Act expands the definition of “personal information” to include:
an individual’s user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account;
an individual’s full name in combination with a passport number; medical history, treatment, or diagnosis information; or a health insurance policy number or unique health insurance identifier.
An individual’s Social Security number, driver license or identification card number, military identification number, financial account number, and credit or debit card number continue to be “personal information.”
The Act specifically excludes from “personal information” data that has been encrypted, secured, or otherwise modified so that it no longer identifies an individual or is otherwise unusable.
All businesses operating in Florida should therefore consider encrypting or otherwise securing personal information stored in electronic form where feasible, and should manage the associated encryption keys so that an incident exposing the stored data does not also expose the keys that would render it readable.
New And Revised Notice Requirements in the Event of a “Breach of Security”
Provide Notice of a Breach to Affected Individuals Within 30 days (Revised from 45 days)
A business must give notice to every Florida individual whose personal information was, or is reasonably believed to have been, accessed as a result of the breach, no later than 30 days after the business determines that a breach occurred or has reason to believe one occurred.
Provide Notice to the Florida AG of Certain Breaches
Any breach of security affecting 500 or more individuals in Florida requires the business to notify the AG. The Act generally requires this notice to be provided within 30 days of the discovery of the security breach, and specifies the contents of the notice. In addition, the business must provide certain information to the Attorney General on request, including but not limited to a copy of the business’s “policies in place regarding breaches.”
Does your business have a policy or plan of how to respond in the event of a “breach of security”?
Violations, Enforcement, and Penalties
The Act provides for civil penalties of up to $500,000 per breach when a business fails to notify individuals or the AG as the Act requires: $1,000 for each day of the violation for the first 30 days, and $50,000 for each subsequent 30-day period (or portion of one) up to 180 days, capped at $500,000. The Act is enforced by the AG and does not create a private cause of action.