New FL data breach law requires better controls and incident response
INSIGHT ARTICLE
In late June, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 into law, designed to protect citizens against the growing threat of identity theft. The legislation, effective July 1, places a higher level of responsibility on businesses and government entities to store and share personal information safely. Organizations must adopt and implement the new measures immediately to protect customer information against data breaches and to avoid significant financial and reputational penalties.
The Act, Florida Statute section 501.171, replaces the previous law, section 817.5681. The new standard requires organizations to be more proactive to protect personal information and more responsive to report data breaches in a timely manner. The key considerations of the new law include:
- Expanding the definition of personal information
- Changing the definition of a breach
- Shortening the deadline to notify individuals
- Notifying the Attorney General of breaches affecting more than 500 people in Florida
- Providing copies of forensic reports and breach policies to the Attorney General upon request
- Implementing reasonable measures to protect data and dispose of personal information
While the previous statute covered many forms of personal information, the new law expands the scope to cover more health care, financial and online information. Section 817.5681 defined personal information as an individual’s first name or first initial and last name in combination with a social security number, a driver’s license or other identity document number, or account or access numbers associated with bank, debit or credit accounts. The new legislation adds health insurance policy or subscriber identification numbers and associated unique identifiers, and also covers online credentials: a user name or email address in combination with a password or a security question and answer that would permit access to an online account.
The new law simplifies the definition of a breach and expands how the term applies. In the previous statute, a breach was defined as the “unlawful and unauthorized acquisition” of electronic personal information. Under the new law, an incident qualifies as a breach on “unauthorized access” alone; the organization no longer needs evidence that the data was actually acquired.
When an organization experiences a security breach, the timeline for notifying affected individuals has been shortened. Under the old law, the deadline to notify individuals whose personal information was potentially accessed was 45 days. Under the new law, notice must be given as expeditiously as practicable, and no later than 30 days after the organization determines that a breach occurred or has reason to believe one occurred.
The new law also requires that any breach affecting more than 500 individuals in the state be reported to the Florida Attorney General’s office. The breached organization must provide this notice within 30 days of the incident; an extension of up to 15 additional days may be granted if good cause is shown in writing. The notice must include several pieces of information, including:
- The nature of the breach
- The number of people affected
- Any services related to the breach being offered to affected individuals
- A copy of the notice provided to individuals
An organization must also provide breach-related information to the Attorney General upon request, including:
- Police reports, incident reports or computer forensics reports
- A copy of breach policies
- Steps taken to remedy the breach
The Act states that Florida organizations must take reasonable measures to protect and secure electronic data containing personal information. It also sets requirements for disposing of customer records once they are no longer needed, including “shredding, erasing, or otherwise modifying the personal information” so that it is unreadable or undecipherable and cannot be recovered in a later breach.
The new law is comprehensive and introduces several additional requirements, including that government entities submit an annual report to the Florida Senate and House of Representatives detailing any breaches and the related security improvements. It also sets rules for giving timely notice to consumer credit reporting agencies and for handling breaches of systems maintained by third-party agents on an organization’s behalf.
The penalties for non-compliance with the Florida Information Protection Act of 2014 by an organization or its third-party agent can reach $500,000 per breach for delays in notifying the Attorney General or affected individuals. The fines accrue daily for each breach, and beyond the financial repercussions, the reputational damage from a mishandled breach is also highly detrimental to the organization.
Florida organizations should review the new legislation and align their security and risk management strategies with it, both for compliance and for the protection of personal information. Read the full text of the Florida Information Protection Act of 2014 to learn more about the legislation.