On June 20, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014, which updates Florida’s data breach notification law. The changes will take effect on July 1 of this year.
Changes to the law include the addition of health insurance policy numbers, medical information, and online account information (such as security questions and answers, email addresses, and passwords) to the definition of personal information that, if breached, triggers a notification to the affected individual in Florida. The Act requires notice to be provided to individuals as soon as reasonably possible, but no more than 30 days after the breach is discovered or the business reasonably believes a breach has occurred. Current law requires notification without unreasonable delay and no later than 45 days after discovery of the breach.
In addition, the Act adds a written notice requirement to the state Attorney General, no later than 30 days after discovery of the breach, if the breach affects 500 or more residents, “unless good cause is shown for an additional 15 day delay.” If requested by the Attorney General, the entity must provide a copy of its policies in place regarding breaches, the steps taken to rectify the breach, and a police report, incident report, or computer forensics report. The Act also requires businesses to use “reasonable measures” to protect and secure personal information in electronic form; however, it does not provide details on what these measures may be.
Under the Act, notice to individuals is not required if, after an appropriate investigation and consultation with law enforcement, the affected entity reasonably believes there is no risk of identity theft or other financial harm to individuals. The entity must make this determination in writing, retain it for at least five years, and provide it to the Attorney General within 30 days of making the determination. While the Act explicitly does not establish a private cause of action, the Attorney General may pursue enforcement actions under Florida’s Unfair and Deceptive Trade Practices Act for any statutory violations and civil penalties not to exceed $500,000 per breach for failure to timely notify the Attorney General in accordance with the Statute.
Written by Bruce Sarkisian, Associate, Privacy & Data Security | Alston & Bird LLP