Florida has a new rule in town! As the drum roll of data breaches occurring everywhere has gotten louder and louder, Florida decided to bolster its data protection laws. On June 30, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (FIPA). Its provisions become law effective July 1, 2014. FIPA expands data breach obligations in Florida.
Under the new law, the type of data covered has been broadened. Notice is required if there is a breach of an individual’s name in combination with a Social Security number, driver license/other identification card, or financial account numbers. It also requires notice if an individual’s mental or physical condition, medical treatment, medical history or health insurance policy number or subscriber identification number is exposed. Also covered are usernames and e-mail addresses used in combination with a password or security question and answer that would allow access to an on-line account.
Under FIPA, “covered entities” in Florida will need to update their breach policies and procedures. Under FIPA, a “covered entity” includes corporations, associations, and other commercial entities that acquire, maintain, store, or use personal information.
Under the new law, covered entities will have no more than 30 days after discovery of a breach to provide the required notifications to the individuals whose information was subject to the breach. The Department of Legal Affairs must also be notified if the breach affects 500 or more Florida residents.
Also under the new law, violations are treated as unfair or deceptive trade practice. Civil penalties could be imposed in the amount of $1,000 per day for the first 30 days and then $50,000 for each 30-day period. Violations that continue for more than 180 days would have a maximum penalty of $500,000. However, there is no private cause of action under the law.
“Covered entities” in Florida should update breach policies and procedures to ensure compliance with FIPA. It would be prudent for such entities to take an additional preventative step to create policies that prevent a breach in the first place.