Florida’s Cybersecurity and Data Breach Law

Data breaches have become commonplace in the age of social media. We are all well aware of the proliferation of big data and the desire of big business to accumulate more and more of it. Sadly, legislatures have not been quick to respond with appropriate laws to protect people’s personal information.

Cybersecurity will remain weak and data breaches will continue unabated until lawmakers do more. However, in Florida, there is at least some protection afforded by the Florida Information Protection Act of 2014 (the “FIPA”), which governs the important issues of cybersecurity and data breaches. See Fla. Stat. 501.171. This article gives an overview of important aspects of the FIPA.

The FIPA Sets the Rules for Collecting Sensitive Data

In Florida, the FIPA generally applies to any entity that collects individuals’ personal data, including governmental entities. See Slanker, Under the Radar: Florida’s Cybersecurity and Data Breach Law, 31 No. 4 Fla. Emp. L. Letter 3 (June 2019). The law requires certain disclosures to be made when data containing personal information has been breached or accessed without authorization.

Personal information includes an individual’s first name and last name in combination with any one of the following:

  • Social Security number;
  • Driver’s license number;
  • Passport number;
  • Military identification number; or
  • Any other number issued on a government document used to verify identity.

The FIPA also protects an individual’s medical information, information about an individual’s health insurance coverage that could be used to identify her in conjunction with a policy or subscriber number, and information about an individual that could be used to gain access to her online accounts.

The purpose of the law is to encourage covered entities to properly store records before they are breached, including minimizing the amount of personal information that is stored. After a breach has occurred, a covered entity must take steps to notify the affected individuals and inform them which information has been compromised.

The FIPA’s Notice Requirements

Once a data breach occurs, the entity must provide notice of the breach to the individuals whose information has been compromised or may have been compromised. The notice can be sent by mail or e-mail, but it must be given without unnecessary delay as soon as the entity becomes aware of the data breach or potential data breach. Notice must be provided within 30 days of when the entity first became aware of the data breach. The notice must include the estimated date of the breach, a description of the personal information believed to have been taken, and the entity’s contact information.

If a breach affects 500 or more individuals, the FIPA requires the entity to provide notice to the Florida Attorney General’s (“AG”) Office. The notice must include a summary of the data breach and details of any steps or services being offered by the entity to mitigate its effects. If a system maintained by a third party was breached, the third party is required to notify the covered entity within 10 days of becoming aware of the breach.

If the cost of notice exceeds $250,000, more than 500,000 individuals’ data was breached, or the entity doesn’t have access to the affected individuals’ e-mail or mailing addresses, it may provide notice on its website, in print, or in broadcast media.

The FIPA unfortunately does not provide for an individual legal claim. However, violations are treated as an unfair or deceptive trade practice, and claims can be filed by the AG’s Office. An entity can be subject to civil penalties of $1,000 per day for the first 30 days of the violation and $50,000 for each 30-day period after that up to 180 days, with a maximum penalty of $500,000 for violations that last longer than 180 days. Additional remedies apply under Florida’s Deceptive and Unfair Trade Practices Act.