By: Tracy M. Evans, Esq., Associate, Saxon, Gilmore, Carraway & Gibbons, P.A.
The Florida Information Protection Act of 2014, Florida Statutes Section 501.171 (FIPA) went into effect just last year and substantially expanded Florida’s previous law regarding data breach notifications. FIPA replaced the previous data breach notification statute, Florida Statutes Section 817.5681, and clarified and expanded the previous law by imposing stricter notification requirements and increased penalties for violations. Commercial and government entities that acquire, maintain, store or use Florida residents’ personal information are subject to FIPA, and should pay close attention to the new requirements and verify appropriate measures are in place to ensure compliance in the event of a data breach. The following is a brief summary highlighting the major changes introduced by FIPA.
FIPA defines a breach as “unauthorized access of data in electronic form containing personal information.” Under the prior statute, personal information included an individual’s first and last name, or first initial and last name, in combination with a social security number, Florida license or identification card number, or account number with any code or password that would allow access to the account. FIPA expanded the definition of personal information to also include a person’s name in combination with a number on a government document used to verify identity, health insurance account information, a wide variety of personal medical information, and login information that would permit access to any online account held by the person. The new definition also creates a safe harbor for certain information made publicly available by a government entity, or encrypted or otherwise altered to render the information unusable.
As in the previous statute, FIPA applies to both commercial and government entities that acquire, maintain, store, or use personal information in Florida. However, FIPA eliminated the prior statute’s language limiting its application only to entities conducting business in Florida. Thus, any entity that stores or maintains Florida residents’ personal information should be aware of potential liability.
New Notification Requirements
FIPA also reduced the time to notify each individual affected by a data breach once it is determined a breach occurred. FIPA now requires notification within 30 days, as opposed to the previous statute’s 45-day requirement. In addition, in the event that a breach affects more than 500 individuals, written notice must be provided to the Department of Legal Affairs within 30 days after the determination of the breach. If more than 1,000 individuals are affected by the breach, notice must also be provided to the consumer credit reporting agencies.
An entity may also be liable for breaches of a third-party agent that maintains, stores, or processes personal information on behalf of the entity. Third-party agents must provide notice to the entity they are serving within 10 days after determination of a breach, and the entity then must provide the required notice to the affected individuals and the Department of Legal Affairs within the timeframes described above.
FIPA provides for some exceptions to the notice requirement. For instance, no notice is required if the entity determines, after conducting the necessary investigation, that the breach will not lead to identity theft or financial harm to the affected individuals.
FIPA also requires entities to take “all reasonable measures” to properly dispose of records containing personal information. Proper disposal can be accomplished through any means rendering records unreadable or undecipherable.
FIPA does not provide a private right of action for individuals harmed by data breaches. Rather, FIPA authorizes the Department of Legal Affairs to bring enforcement actions against entities that fail to comply with FIPA’s notice requirements, which is considered a violation of the Florida Deceptive and Unfair Trade Practices Act. Violations can result in a civil penalty of up to $500,000. Government entities and their instrumentalities are not subject to the civil penalty, but are still required to comply with the FIPA requirements.
Any business or government entity that stores Florida residents’ personal information should be aware of the new FIPA requirements and develop a response plan to ensure proper and timely notification in the event of a data breach. In addition, entities with existing data breach procedures should revisit their procedures to ensure they comply with FIPA’s more stringent notice requirements.
© 2015 Saxon Gilmore. Saxon Gilmore publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if they were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Saxon Gilmore.