Florida Information Protection Act of 2014 Explained: Data Breach Notification and Protection Requirements for Certain Entities

 

SB 1524, the Florida Information Protection Act of 2014 (“Act”),¹ took effect July 1, 2014. The Act imposes requirements on covered entities that experience data breaches. When a covered entity suffers such a data breach, it must notify government entities and the affected individuals of the breach. There are also notification procedures for breaches of third-party agents of covered entities. Failure to comply with the provisions of the Act can result in civil penalties. This memorandum discusses these requirements, and notes some important exceptions.

Previously, section 817.5681, F.S. outlined the procedures for notification following a security breach. SB 1524 repealed and replaced section 817.5681. The new law is generally more stringent with regards notice requirements. Significant differences are noted in the summary below.

The Act requires covered entities, governmental entities, and third party agents to “take reasonable measures to protect and secure data in electronic form containing personal information.”²

“Covered entity” is defined as a “sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.”³

“Personal information” is defined as either:

a)  An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:

1.  A social security number;
2.  A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;      
3.  A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
4.  Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
5.  An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

b)  A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.⁴

This definition is broader than the previous definition, which did not include references to personal health information or email addresses.

However, the definition creates a safe harbor. “Personal information” does not include information that has been made publicly available by a governmental entity, or information that is encrypted, secured, or modified to remove the elements that personally identify an individual or otherwise renders the information unusable.⁵

The Act further provides notification requirements in the event of a breach of personal information. “Breach” is defined as:

“unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.”⁶

Covered entities must provide written notice to the Department of Legal Affairs (“DLA”) if there is a breach of security affecting 500 or more individuals in Florida.⁷ Notice should be as expeditious as possible, but no more than 30 days after the determination that there was a breach or reason to believe a breach occurred.⁸ Previously, covered entities were not required to provide such notice to DLA.

The written notice should contain: a synopsis of the events surrounding the breach at the time notice is provided; the number of individuals in Florida who were affected; related services the entity will offer free of charge; a copy of the notice provided to the individuals effected; and contact information of a covered entity employee who may provide additional information.⁹

Covered entities must also notify each individual in Florida whom it reasonably believes was affected by the breach. Notice should be as expeditious as possible, but no more than 30 days after the determination that there was a breach or reason to believe a breach occurred.¹⁰ Previously, covered entities had a maximum of 45 days to provide notice to affected individuals. Covered entities may receive an additional 15 days to provide notice to affected individuals if good cause for the delay is provided in writing to DLA within the original 30 day timeframe.¹¹ The Act also provides requirements for the content of the notice, including the date of the breach, a description of what information was compromised, and how the covered entity may be contacted regarding the breach.¹² Notice may be by mail or by email.¹³

The Act provides for alternative methods of notification in some circumstances. If the cost of providing notice would exceed $250,000; the number of affected individuals exceeds 500,000; or the covered entity does not have mail or email addresses for the affected individuals, then alternative notification may be used.¹⁴ This alternative notification may be made by publishing notice on the entity’s website or in major media outlets.¹⁵

There is an important exception to the individual notice requirement under the law. If the covered entity determines that the breach has not and will not lead to identity theft or other financial harm to the affected individuals, it does not need to notify those individuals.¹⁶ The covered entity must notify DLA of its determination within 30 days of the determination.

Additionally, if the covered entity provides notice to affected individuals according to the regulations promulgated by its primary or functional federal regulator, then such notice is deemed compliant with the Act, provided DLA is also notified.¹⁷

Covered entities must also provide notice to certain credit reporting agencies if more than 1,000 individuals are affected by the breach.¹⁸

State and federal law enforcement agencies may delay notification if they determine that notification would interfere with a criminal investigation.¹⁹

Covered entities can be liable for breaches that occur with their third-party agents.²⁰ A “third-party agent” is defined as “an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity.”²¹ Third-party agents must notify the covered entity within 10 days after the determination that there was a breach or reason to believe a breach occurred at the third party agent.²² Once the covered entity receives such notice from a third-party agent, it must provide notice in accordance with the above provisions.²³ Alternatively, the third-party agent may provide notice on behalf of the covered entity in accordance with the above provisions.²⁴ However, the covered entity will be held liable for any failure of the third-party agent to provide proper notice.²⁵ Previously, only the party with a direct business relationship to the affected individual would be responsible to take action based on a breach of personal information.

Covered entities and third-party agents must take all reasonable measures to dispose of customer records containing personal information.²⁶ Disposal means that the information has been rendered unreadable.²⁷

The Act provides for penalties for failure to comply with these requirements. Violations are treated as unfair or deceptive trade practices in any action brought by DLA under § 501.207, F.S. (the Florida Unfair and Deceptive Trade Practices Act) against a covered entity or third party agent.²⁸ Covered entities are liable for additional penalties not to exceed $500,000.²⁹

Governmental entities that acquire, maintain, store, or use personal information are subject to the notice requirements, including breaches of their third-party agents, but they are not liable for civil penalties.³⁰

The Act provides that it does not establish a private cause of action for any individual harmed by a violation of the provisions of the law.³¹

 

---

1. 501.171, F.S.

2. 501.171(2), F.S.

3. 501.171(1)(b), F.S.

4. 501.171(1)(g)(1), F.S.

5. 501.171(1)(g)(2), F.S.

6. 501.171(1)(b), F.S.

7. 501.171(3)(a), F.S.

8. 501.171(3)(a), F.S.

9. 501.171(3)(b), F.S.

10. 501.171(4)(a), F.S.

11. 501.171(3)(a), F.S.

12. 501.171(4)(d), F.S.

13. 501.171(4)(d), F.S.

14. 501.171(4)(f), F.S.

15. 501.171(4)(f), F.S.

16. 501.171(4)(c), F.S.

17. 501.171(4)(g), F.S.

18. 501.171(5), F.S.

19. 501.171(4)(b), F.S.

20. 501.171(6)(b), F.S.

21. 505.171(1)(h), F.S.

22. 505.171(6)(a), F.S.

23. 505.171(6)(a), F.S.

24. 501.171(6)(b), F.S.

25. 505.171(6)(b), F.S.

26. 505.171(8), F.S.

27. 505.171(8), F.S.

28. 505.171(9)(a), F.S.

29. 505.171(9)(b), F.S.

30. 501.171(1)(b), F.S.

31. 505.171(10), F.S.

 

 

 

To unsubscribe from this newsletter, please send an email to Brooke Ellis at bellis@cftlaw.com.