The Florida Information Protection Act of 2014 has been passed by both the House and the Senate and now merely awaits the governor’s signature. While Florida already has laws which require disclosure to consumers in the event of a data security breach, this new Act would strengthen the current law regarding the security of personal information by creating further notification requirements and more expedited timeframes for such notification when a data breach takes place.
The new law would require a “covered entity” to give notice to those whose personal information has been compromised or disclosed. If the breach affects 500 or more Floridians, notice must also be given to the Florida Department of Legal Affairs. A “covered entity” includes a sole proprietorship, partnership, corporation or other commercial entities that acquire, maintain, store or use “personal information”. Personal information is broadly defined to be an individual’s first name or first initial and last name in combination with one of the following: a social security number, driver’s license or identification card number, passport number, military identification number or other number issued by a government entity; a financial account number or credit or debit card number, in combination with any required security code, access code or password needed to permit access to the financial account; an individual’s medical history, mental or physical condition or medical treatment or diagnosis or an individual’s health insurance policy number. In general, such notice would be required to be provided within 30 days of the breach or a belief that a breach has occurred. While current law allows 45 days for notice of a data breach to be provided to customers, the new act requires covered entities to provide a direct, personal notice (by either mail or e-mail) for each individual in Florida whose personal information was, or is reasonably believed to have been, accessed as a result of a breach.
The penalties for non-compliance are severe (i.e. $1,000 per day for each day that the breach goes undisclosed for up to 30 days and, thereafter, $5,000 for each 30-day period that the breach goes undisclosed).
In light of the above, and beyond the security precautions against data breaches that should already be in place, it is advisable that every enterprise review the requirements of this new Act and take steps to ensure compliance in the event of a future breach of what should be secure personal information.