Florida’s New Data Breach Law Heightens Reporting Duties

Florida Governor Rick Scott recently approved the Florida Information Protection Act of 2014 (SB 1524), Fla. Stat. § 501.171 (FIPA), repealing Florida’s previous data breach notification statute, Fla. Stat. § 817.5681, effective July 1, 2014. The amendments are both significant and important to covered entities as defined under FIPA. FIPA’s purpose is to protect Florida citizens’ data by requiring businesses and governmental entities not only to protect data, but also to report data breaches to the Florida Department of Legal Affairs (Department) and to consumers earlier than previously required. According to an April 2014 press release by Attorney General Pam Bondi, “Florida consumers are one step closer to better protection from data breaches that can threaten the security of their identities and wreak havoc on their finances.” While FIPA undoubtedly affords Florida citizens additional protection for their information, FIPA also places additional requirements upon covered entities.

The previous law required data breaches to be reported to the Department within 45 days; under FIPA, any covered entity or third-party agent must now report such breaches within 30 days. A 15-day extension may be granted if “good cause” is shown within 30 days of discovery of the breach. A violation of FIPA is now considered an unfair or deceptive trade practice under Fla. Stat. § 501.207. Should a covered entity fail to provide notice to the Department or to an affected individual, a fine of $1,000 for each day following the 30-day reporting period may be imposed, in addition to a $50,000 fine for each subsequent 30-day period, or portion thereof, up to 180 days, with all fines capped at $500,000.

Aside from fines, FIPA expands the definition of a breach from “unlawful and unauthorized acquisition” to “unauthorized access.” This new and broader definition now places previous occurrences that likely were not breaches into the realm of reportable incidents. FIPA has also expanded the definition of “personal information” to include online account credentials. Additionally, FIPA requires notification to the Department for any breach affecting more than 500 individuals within Florida and requires covered entities to provide, upon request, their data breach policies and the steps taken to rectify the breach. Furthermore, notices to the Department must describe “any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services.”

In light of FIPA’s expanded requirements, covered entities are now under even more pressure to secure their clients’ and customers’ protected information. Aside from common-sense data breach protections, all covered entities should have a data breach plan in place, not only to serve as a roadmap should a breach occur, but also because FIPA may now require one to be produced upon request. Covered entities should also examine their insurance policies to determine whether data breaches are covered and consider obtaining a separate cyber piracy policy. The importance of having a data breach policy and insurance in place prior to a breach is paramount.