By John R. Squitero, Esq.
and Matan A. Scheier, Esq.
In response to increasing incidence and sophistication of cybercrimes, the State of Florida has expanded the guidelines of its existing data breach notification law. As a result, Florida businesses are well advised to upgrade their security protocols to decrease the likelihood of data theft, and consult with their legal counsel about rapid-response mechanisms when valuable personal information is “hacked.”
Passed during this year’s Legislative session, the Florida Information Protection Act (FIPA) of 2014 represents the first expansion of the state’s data breach notification laws in nine years. Its goal is to require the private sector and government entities to promptly inform aggrieved parties when cyber thieves appear to have stolen their unencrypted personal information from computer records.
The greatest change to the latest FIPA standards is an increase inof the types of personal information that require notification after computer breaches are detected. The 2014 law defines personal information as a person’s first name, middle initial, or any middle name and last name in combination with unencrypted records containing:
- A driver’s license, passport, military identification or Florida Identification Card number;
- A Social Security number;
- A financial account number, credit card number or debit card number, and a required security code or password that would permit access to the relevant account;
- Any information regarding the individual’s mental or physical condition, medical history or medical treatment; or
- A health insurance policy or subscriber identification number and any unique identifier used by a health insurer.
Additionally, the statute requires notification whenever a user name or email address may has been breached in combination with a password or security question and answer that would permit access to an online account.
The updated FIPA statute provides that any person conducting business in the state must notify the person whose unencrypted personal information is reasonably believed to have been stolen within 30 days of the determination of the breach.
In addition, the Florida Department of Legal Affairs must be notified of any breach affecting more than 500 individuals in Florida within 30 days of determination of the breach. A 15-day extension to notify the department may be granted, if good cause for delay is provided in writing within 30 days after determination of a breach.
An entity that discovers a breach affecting more than 1,000 individuals at a single time also must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices. Failure to notify individuals affected by the breach is treated as an unfair or deceptive trade practice, and subjects the entity to a civil penalty as follows:
- $1,000 for each day the breach goes undisclosed for 30 days;
- $50,000 for each 30-day period for up to 180 days;
- A maximum of $500,000, if notification is not made within 180 days.
These sanctions apply per breach, not per individual affected by the breach.
Substitute notice, in the form of a conspicuous announcement on the entity’s website or in print and/or broadcast media where the affected individuals reside, may be provided in lieu of direct notice if:
- The cost of providing notice would exceed $250,000;
- The affected individuals exceed 500,000 persons; or
- The entity does not have email addresses or mailing addresses for the affected individuals.
There are certain limited exceptions to the notification requirements under the statute. Required notification may be delayed upon a request by a law enforcement agency, if it is determined that the notification will impede a criminal investigation.
Additionally, notification is not required if, after an appropriate investigation and consultation with relevant law enforcement agencies, the person responsible for storing the information reasonably determines that the breach has not and is not likely to result in harm to the individuals whose data was unlawfully accessed.
The person responsible for data storage must make this determination in writing, and the documentation must be maintained for five years. Failure to make the written determination or to preserve it for five years subjects the responsible professional to a $50,000 administrative fine. A copy of the written determination must be provided to the Florida Department Legal Affairs within 30 days of the determination. The statute does not set specific guidelines to be followed in making a reasonable determination of no harm.
Today’s sophisticated hackers are capable of breaching even the most up-to-date and robust data security defenses. Therefore, businesses are well advised to consult their attorneys about developing rapid response systems that comply with the FIPA guidelines in advance of any serious breaches.
Executives should develop a companywide data breach response plan and teach employees on all levels of the organization about the protocols to follow. Various departments will have specific roles to play in the data breach protocol.
For example, the company’s public relations executives should have a plan in place to notify the required parties and enact a proactive crisis communications program. Additionally, human resources personnel may be required to coordinate a hotline to respond to affected customers and employees.
In addition to installing and updating data security software, the company should retain the services of an outside expert towho periodically reviews the data breach precautions. Other defensive steps should include:
- Limiting employees’ access only to data that each specific employee needs to complete his/her job requirements;
- Instituting standard procedures for reporting data breaches or violations of security protocol;
- Educating employees on steps to take to ensure data security as part of their job duties; and
- Updating employees about new threats to data security on a regular basis.
By seeking the advice of their attorneys about compliance with FIPA guidelines before data breaches occur, business executives can alert their clients and employees to potential threats of data theft, and can take steps to preserve their companies’ public reputations. Beyond considerations of the fines associated with violation of the statutes, these face-saving outcomes alone should encourage executives to prepare before hackers strike their businesses.
John R. Squitero, Esq. is a founding partner and Matan A. Scheier is an associate with the law firm of Katz, Barron, Squitero, Faust, Friedberg, English & Allen, P.A.