As part of a growing trend in state legislatures across the country, the Florida Information Protection Act of 2014 (FIPA), § 501.171, expanded the requirements on covered entities that acquire, maintain, store or use personal information of Floridians. Effective July 1, 2014, FIPA’s new requirements should be reviewed by any entity with a presence in Florida. This post provides a few of FIPA’s highlights, including the significant changes from the state’s prior data breach notification statute. A more in-depth analysis of this new statute is available in the recent McGuireWoods Legal Alert.

What Type of Personal Information is Protected Under the New Law?

Under FIPA, the definition of personal information is expanded to include an individual’s medical or health insurance information. FIPA also expands the definition to include any personal login information that would permit access to a person’s online accounts. Notably, this expansion, which may be the first of its kind in any state data breach notification law, would include login information to social media sites or applications, regardless of whether such sites include more traditional forms of personal information.

Like most similar statutes, FIPA also covers an individual’s name (or last name with their first initial) in combination with social security number, driver’s license number or other similar number of a government-issued ID, or a financial account or card number. FIPA does not cover breaches of information already in the public domain or information that is encrypted in some fashion.

Who is a Covered Entity Under FIPA?

Any commercial or governmental entity that acquires, maintains, stores or uses personal information of individuals in the state is subject to this law. Accordingly, companies based elsewhere should assume this statute will apply in the event they experience a breach of security affecting any individuals in Florida, regardless of their number.

What are the New Notice Requirements Under FIPA?

FIPA reduced the time period for reporting breaches to 30 days from the time the breach is discovered, compared to 45 days under the previous Florida statute.

  • Upon a showing of good cause, the Florida Department of Legal Affairs (FDLA) may grant up to a 15-day extension to the notice period.
  • If the breach affects 500 or more persons, FIPA requires that notice also be provided to FDLA.
  • If the breach affects 1,000 or more persons, additional notice must be given to all nationwide consumer credit reporting agencies.
  • A covered entity subject to federal regulation still may defer to those applicable notice requirements if it provides the requisite notice to FDLA.
  • No notice is required to affected individuals if, after conducting an investigation and consultation with a law enforcement agency, the covered entity reasonably determines that no affected individual has or is likely to suffer identity theft or any other financial harm. However, the covered entity must provide its written determination to FDLA.
  • Law enforcement may require a delay in providing notice if such notification would interfere with a criminal investigation.

What about Breaches Discovered or Caused by Third-Party Agents?

A third-party agent that maintains a security system for covered entities and that suffers a data breach has no more than 10 days to report the breach to the affected covered entity. After such notice is provided, the covered entity becomes responsible under FIPA for providing any necessary notice to affected individuals within the requisite 30-day notice period.

What Potential Penalties or Liability can be Assessed for Failure to Comply with FIPA?

  • FDLA may bring an enforcement action against a covered entity that commits a statutory violation, which is considered a violation of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA).
  • The following civil penalties may be imposed:
    • $1,000 per day for the first 30 days
    • $50,000 thereafter for each 30-day period or portion thereof for up to 180 days
    • $500,000 as the maximum amount of total penalties for violations continuing more than 180 days
  • Penalties can be assessed for any violation of FIPA’s notice requirements. Penalties are assigned on a per-incident basis, without regard to the number of individuals affected by a breach.
  • There is no private cause of action under FIPA.

How Does FIPA Affect Breach Notification Under HIPAA?

FIPA complements but otherwise does not affect the requirements for breach notification under HIPAA. In many cases, a single notice will satisfy both HIPAA and FIPA, assuming that it is made within FIPA’s time limits, which are shorter than those of HIPAA.

Does FIPA Address Disposal of Records?

FIPA expressly requires covered entities and their third-party agents to take “all reasonable measures” to ensure proper disposal of records that are no longer to be retained, including “shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” As always, however, records that are otherwise scheduled for disposal must be preserved if they are subject to a litigation hold.