Florida has a new law to combat the recent surge of data security breaches involving sensitive personal information. On July 1, 2014, Florida’s current data breach notification statute will be replaced by the Florida Information Protection Act of 2014 (Act). Though similar to Florida’s current statute, the Act makes some significant changes that businesses must incorporate into their data security practices and procedures.
Under the Act, sole proprietors, partnerships, corporations, trusts, estates, cooperatives, associations and other commercial entities that acquire, maintain, store or use personal information (Covered Entities) are required to take reasonable measures to protect and secure such personal information. The Act broadens the definition of Personal Information to include:
- An individual’s first name or first initial and last name in combination with that individual’s social security number, driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity. (Broader)
- Financial account, credit and debit card numbers, in combination with any security code, access code or password.
- Information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. (New)
- An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. (New)
- A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. (New)
Like the current statute, Personal Information does not include information that is encrypted, secured or modified by any other method or technology that removes personally identifying elements or that otherwise renders the information unusable.
In the event of a breach, Covered Entities must follow one or more of the Act’s various notice requirements. The Act generally defines a breach as unauthorized access of electronic data containing personal information. Covered Entities must notify each individual in Florida whose Personal Information was, or is reasonably believed to have been, breached no later than 30 days after the Covered Entity determines that a breach occurred or has reason to believe a breach occurred. Under the current statute, Covered Entities had 45 days to provide notice.
This notice, which may be sent by mail or e-mail, must include:
- The date, estimated date or estimated date range of the breach
- A description of the Personal Information that was or may have been accessed during the breach
- Contact information that individuals can use to inquire about the breach
If a Covered Entity is required to notify more than 1,000 individuals at a single time, the Covered Entity must also provide notice to all national consumer reporting agencies. If a breach affects 500 or more individuals in Florida, the Department of Legal Affairs must be notified no later than 30 days after the Covered Entity determines that a breach occurred or had reason to believe a breach occurred. This is a new notice requirement.
If a Covered Entity uses a third-party vendor to maintain, store or process Personal Information, then that third-party agent must notify the Covered Entity no later than 10 days after the third-party agent determines that a breach occurred or had reason to believe a breach occurred. Though a third-party agent may provide the required notices, the Covered Entity is ultimately responsible for compliance with the Act.
The Act also requires Covered Entities and their third-party agents to take all reasonable measures to dispose, or arrange for the disposal, of customer records containing Personal Information within its custody or control when they are no longer retained. Disposal shall involve shredding, erasing, or otherwise modifying the records to make Personal Information unreadable or undecipherable through any means.
Unlike the general descriptions provided in this article, the Act is highly technical and very specific. Though the Act does not create a private cause of action, civil penalties of up to $500,000 should be enough motivation for Covered Entities to learn more about Florida’s new law and ways to limit the new risks with insurance.
If you would like to learn more about insuring against data security breaches, contact us.
If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches.
If you would like to subscribe to our newsletters please click here.