In a harbinger of data breach laws to come, the Florida State Legislature just passed a new Florida Information Protection Act, which establishes tough new notification requirements for businesses and governmental entities. With the rapid increase in data breaches and growing awareness of the dangers, this Act may become a model for other states.
Florida’s Act provides new notice requirements and possible civil penalties arising out of a data breach incident when the notice requirements are not followed. It requires covered businesses and governmental entities to take “reasonable measures to protect and secure data in electronic form containing personal information.”
In the Florida Act, “personal information” is defined to include (1) a person’s name in combination with (a) a social security number, driver’s license number, passport number, and/or other similar number on a government ID, (b) a financial account, debit card or credit card number in combination with a related password or access code, (c) medical history information, or (d) a health insurance policy number or identification number; or (2) a user name or email address in combination with a password or security question and answer that would permit access to an online account. Under the Act, a “breach” is considered the “unauthorized access of data in electronic form containing personal information.”
With regard to the new notice requirements, the Act requires businesses and government entities to give notice to consumers “no later than 30 days after the determination of a breach or reason to believe that a breach occurred” unless the breach qualifies for an exception. Exceptions include circumstances where information was released during an ongoing criminal investigation, or where the covered entity determines, after consultation with law enforcement, “that the breach has not and will not likely result in identity theft or other financial harm.” This latter exception must be documented in writing, and the documentation must be maintained for 5 years.
The Act sets out exactly what must be included in the notice to individuals. And if a breach could affect more than 500 people, the Attorney General’s office must also be notified within 30 days, along with other notice requirements.
Failure to adhere to the Act could be deemed “an unfair and deceptive trade practice” and could also subject the covered entity to a civil penalty of up to $500,000, with the penalties imposed based on the number of days the party is in violation of the Act. However, the Act specifically states that it does not create a private right of action.
Forty-seven states have now enacted data breach notification statutes, but Florida is one of just seven states that require notification within a specific period of time – 30 days from determination of the breach. States that do not require a specific time period tend to use broader language merely requiring notice within a reasonable time. Florida is also one of only a handful of states that have expanded the definition of “personal information” to specifically include a user name/email address and password used to access an online account.