Florida Amendments to Data Breach Notification Law
The Florida Information Protection Act of 2014 (“FIPA”) takes effect tomorrow. The FIPA essentially repeals Florida’s existing data breach notification law and replaces it with one of the nation’s most extensive laws relating to data security and notification.
The definition of “personal information” now includes “a user name or e-mail in combination with a password or security question and answer that would permit access to an online account.”
Notice must be provided within 30 days of the incident.
When a breach affects more than 500 Florida residents, notice must be provided to the Attorney General’s office (see more below).
Relying on Florida’s “risk of harm” exception to avoid providing notice requires the entity to investigate the incident, consult with federal, state or local law enforcement, and report that determination to the AG within 30 days.
The Attorney General notice requirement differs in a material way from the other states that have a regulatory reporting requirement. The notice must contain information about “[a]ny services related to the breach to be offered or scheduled to be offered…” Although the AG is specifically required to be notified of credit monitoring or identity theft services to be offered, most notices to consumers contain all the information required by FIPA. Attention must be paid to the second requirement: Upon request, the entity must provide: (1) “a police report, incident report, or computer forensics report”; (2) “a copy of the policies in place regarding breaches”; and (3) “steps that have been taken to rectify the breach.” When launching into an investigation of a data breach, remember that attorney-client privilege is important when engaging with investigatory service providers who will create documentation such as “incident” reports or “computer forensics” reports.
Kentucky’s New Data Breach Notification Law
Kentucky became the 47th state to enact a data breach notification law. Consult the latest version of the Mintz Matrix for the details of the Kentucky law (and all the other July 1 effective amendments).
Canada’s Anti-Spam Law
Canada’s draconian anti-spam law (known as CASL) goes into force tomorrow. U.S. companies should have compliance programs in place and should have been carefully examining email lists to either obtain express consent or at least determine whether they could be subject to CASL. Fines of up to CAD$10 million can be imposed under CASL, and the Canadian Radio-Television and Telecommunications Commission has already announced its intention to enforce. Take it seriously.