New Florida Information Protection Act Expands Data Breach Notification Requirements

July 3, 2014

The Florida Information Protection Act of 2014 (FIPA), which became effective July 1, 2014, expanded the requirements on covered entities that acquire, maintain, store or use personal information of Floridians. As part of a growing trend in state legislatures, Florida’s new data breach and security law expands notification requirements on covered entities that experience a breach of security. These new requirements should be reviewed by any entity with a presence in Florida.

After a unanimous passage of Senate Bill 1524, FIPA was signed into law by Florida Governor Rick Scott on June 20, 2014. The new law repealed Florida’s prior data breach notification statute, Fla. Stat. § 817.5681, and replaced it with § 501.171. The new statute made several significant modifications to Florida law that can reach businesses, government and other entities far beyond the state’s borders.

Below is a brief summary of the Florida Information Protection Act, including significant changes from the state’s prior data breach notification statute.

What Type of Personal Information is Protected Under the New Law?

Under FIPA, as under its predecessor statute, personal information means an individual’s first name or first initial and last name in combination with any of the following: a social security number; a driver’s license number or similar number on a government-issued identification document; or a financial account number or credit or debit card number together with any required security code, access code or password that would permit access to the account. New under FIPA, personal information also includes any information about an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, and an individual’s health insurance policy number or subscriber identification number together with any unique identifier used by a health insurer to identify the individual.

FIPA also expands the definition of personal information to include online login credentials: a user name or e-mail address in combination with a password, or a security question and answer, that would permit access to an online account. This credential category stands on its own and need not be paired with a name. Notably, this expansion, which may be the first of its kind in any state data breach notification law, covers login information for social media sites or applications regardless of whether such sites hold more traditional forms of personal information.

Personal information excludes information that a governmental entity has made publicly available, and information that is encrypted, secured or otherwise modified by a method that removes the elements identifying an individual or that renders the information unusable. In practice, an entity relying on the encryption exclusion should be able to show that the decryption keys were not also exposed in the incident; encrypted data that an attacker can decrypt offers no protection to the individual.

Who is a Covered Entity Under FIPA?

Any commercial or governmental entity that acquires, maintains, stores or uses personal information of individuals in the state is subject to this law. The new statute no longer has language limiting its application to those who “conduct business” in Florida.

Accordingly, although this is a Florida statute, companies in other jurisdictions, including international entities, should assume this statute will apply in the event they experience a breach of security affecting any individuals in Florida, regardless of their number.

What are the New Notice Requirements Under FIPA?

FIPA shortened the deadline for notifying affected individuals to 30 days after the covered entity determines that a breach occurred or has reason to believe one occurred, compared to 45 days under the previous Florida statute. FIPA authorizes the Department of Legal Affairs to grant up to 15 additional days if good cause is provided in writing to the department within 30 days of the determination of a breach. Although the language is somewhat imprecise, it is apparent that the statute does not seek to require notice to affected persons residing outside of Florida.

If the breach affects 500 or more persons, FIPA requires that notice also be provided to the Florida Department of Legal Affairs. A covered entity subject to federal regulation still may defer to those applicable notice requirements if it provides the requisite notice to the Florida Department of Legal Affairs. If the breach affects 1,000 or more persons, additional notice must be given to all nationwide consumer credit reporting agencies.

Prompt coordination with a law enforcement agency is essential when navigating FIPA’s notice requirements. No notice to affected individuals is required if, after conducting an investigation and consulting with a law enforcement agency, the covered entity reasonably determines that no affected individual has suffered or is likely to suffer identity theft or any other financial harm. Even in that scenario, the covered entity must still provide its written determination to the Florida Department of Legal Affairs within 30 days of making it, and must retain the determination for five years. Finally, law enforcement may direct that notice be delayed if notification would interfere with a criminal investigation.

What about Breaches Discovered or Caused by Third-Party Agents?

A third-party agent that maintains, stores or processes personal information on behalf of a covered entity and that suffers a data breach has no more than 10 days under FIPA, measured from its determination of the breach, to report the breach to the affected covered entities. Following receipt of that notice, the covered entity becomes responsible under FIPA for providing any necessary notice within the requisite 30-day period. This is a departure from the prior statute’s imprecise approach of encouraging such parties to reach an agreement regarding who should provide notice to the affected individuals and, if no agreement could be reached, leaving ultimate responsibility for notice with the “person who ha[d] the direct business relationship with the resident.”

Does FIPA Address Disposal of Records?

FIPA expressly requires covered entities and their third-party agents to take “all reasonable measures” to ensure proper disposal of customer records containing personal information that are no longer to be retained. This includes “shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” As always, however, records that are otherwise scheduled for disposal must be preserved if they are subject to a litigation hold, whether express or implied.

What Potential Penalties or Liability can be Assessed for Failure to Comply with this Statute?

FIPA explicitly states that it does not create a private cause of action. The statute instead authorizes the Florida Department of Legal Affairs to bring an enforcement action against a covered entity that violates it. Failure to provide notice as required by FIPA is deemed an unfair or deceptive trade practice under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) and, in addition to any remedy available under that act, is subject to the following civil penalties:

  • $1,000 per day for the first 30 days
  • $50,000 for each subsequent 30-day period, or portion thereof, for up to 180 days
  • a cap of $500,000 in total penalties for a violation that continues for more than 180 days

It is important to note that the foregoing penalties can be assessed for any violation of FIPA’s notice requirements, including incomplete or insufficient notice as well as late notice. Furthermore, the penalties are assessed per breach, not per affected individual, so the number of individuals affected does not change the exposure.

How Does FIPA Affect Breach Notification Under HIPAA?

FIPA complements but otherwise does not affect the requirements for breach notification under HIPAA. In many cases, a single notice will satisfy both HIPAA and FIPA, assuming that it is made within FIPA’s time limits, which are shorter than those of HIPAA.

Given the varying landscape of data breach notification law, it is important to proactively assess what laws may apply in the event of a breach and to have plans in place, before a breach occurs, to effectively comply with all such requirements. The McGuireWoods data privacy and security team will continue to monitor similar legislation in other jurisdictions and inform our clients of how it will impact their data security practices in the marketplace.