Broad Florida Information Security Law Impacts Numerous Companies
A new Florida information security law promises to impact nearly every company, nationwide, which has customers and, likely, employees in Florida. The Florida Information Protection Act of 2014 (“FIPA”) replaces and generally expands a prior Florida information security law. Although FIPA was recently signed into law, companies have little time to comply with its changes — FIPA becomes effective July 1, 2014. Below we detail FIPA’s requirements.
Update of Existing Law. FIPA is an update of a previous Florida law, which was repealed when FIPA was enacted. A summary of the changes is as follows, while a more detailed explanation is below.
Prior law: No notice of breach required to Florida Attorney General (“AG”).
FIPA: Entity must notify the Florida AG of a breach within 30 days if over 500 individuals affected.

Prior law: Personal information only included an individual’s first name or first initial along with his or her last name combined with either a social security number, driver’s license number or Florida ID number, or a credit card or debit card account number along with a password or access code.
FIPA: Personal information now also includes usernames and email addresses combined with passwords, health insurance information, and medical history.

Prior law: Entity has 45 days to give notice.
FIPA: Entity has 30 days to notify, unless given a 15-day extension if good cause for a delay is shown.

Prior law: Breach is defined as “unauthorized acquisition.”
FIPA: Breach is defined as “unauthorized access.”

Prior law: Notifications must be sent by snail mail.
FIPA: Notifications can be sent by snail mail or email.

Prior law: No requirement to turn over police, incident, or computer forensics report.
FIPA: Entity required to turn over a police, incident, or computer forensics report if requested by AG.

Prior law: No requirement to take proactive security measures.
FIPA: Entity must take reasonable and proactive security measures to protect personal information; however, these security measures are not specifically laid out.
Categories of Protected Information. FIPA sets out two types of records which receive heightened protection: “personal information” and “customer records.”
Personal Information. Under FIPA, personal information includes:
- An individual’s first name or first initial combined with the individual’s last name in combination with one or more of the following:
  - Social security number;
  - Driver’s license or identification card number, passport number, military ID number, or other similar government-issued ID;
  - Financial account number or credit or debit card number combined with the required security code;
  - Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  - An individual’s health insurance policy number or subscriber identification number, along with any unique identifier used by a health insurer to identify the individual.
- A user name or email address, in combination with a password or security question and answer.
However, it is important to note that personal information does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
|Quarles Insight: On its face, this is an extremely broad definition of “personal information.” For example, suppose a Florida employee calls in sick, informing his supervisor that he has the flu. This would seem to be “information” about an individual’s “physical condition” and would seem to be “personal information.” As discussed below, this would seem to trigger the security and, possibly, breach requirements noted below if such data was improperly accessed. Employers who do not treat this information as sensitive currently might need to modify their human resources policies and procedures to begin protecting even this rather “basic” information. However, note that while FIPA’s broad language would arguably apply in the employer-employee context, other, technical details suggest that it may not. Further guidance from the Florida AG or other governmental entity would be helpful.
Customer Records. FIPA also protects customer records, which is any personal information (noted above) provided “by an individual in this state” (i.e., Florida) to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.
|Example of “Customer Records.” Goodco, which is based in Florida, sells widgets through a website. Goodco’s website requires that a customer register with the site by providing the customer’s email address, along with a preferred password. Goodco collects information from Joe, a Florida resident, who is in Florida when he uses the website. All the information Goodco collects from Joe would seem to be “customer records” which are subject to FIPA.
Other scenarios are less clear. For example, would the result be different if Joe lived in another state (e.g., Illinois) instead of Florida? If Joe was a Florida resident but visited the website while Joe was traveling in California? If Goodco was based in a state other than Florida? Unfortunately, while FIPA is clear on the first scenario, noted above, it is somewhat vague on these other scenarios. Related legislative history suggests that Florida’s “long-arm” statute could provide courts with authority to assert jurisdiction over a “nonresident” covered entity.
Notify Florida Government Upon Breach. FIPA sets forth the requirements in the event of a security breach of your company or of a third-party agent of your company that stores personal information on your company’s behalf. Under FIPA, a “breach” only applies to “data in electronic form containing personal information.” Therefore, it does not appear that the FIPA breach requirements will apply if unauthorized access is made to your company’s physical files rather than to electronic information.
Notice to the Florida Department of Legal Affairs is required within 30 days if there is a security breach of personal information related to 500 or more individuals residing in Florida. An additional 15 days may be granted upon the showing of good cause for delay provided in writing to the Department of Legal Affairs within 30 days after the determination of breach. This written notice of breach must include the following:
- A synopsis of the events surrounding the breach;
- The number of individuals in Florida affected;
- Any services being offered or to be offered without charge and instructions on how to use such services;
- A copy of the notice to the consumers affected;
- The name, address, phone number, and email address of the employee or agent from whom additional information can be obtained.
|Quarles Insight: FIPA assumes — perhaps unrealistically — that companies will have not just “personal information” and “customer records” but also knowledge of where an individual lives (e.g., when FIPA refers to providing notice of a breach “affecting 500 or more individuals in this state”). Some companies will simply not have this information. For example, a company operating a website may collect a user name and password but never ask where the individual lives.
Even if a company has information about where an individual lives, it may be in a different database. For example, the Human Resources Department of a company may have an employee’s “medical information” while the company’s Payroll Department may have the individual’s current address. FIPA may require coordination between the two departments in a way that employers had not previously anticipated. (As we note above, though, it is unclear whether FIPA even applies in the employer-employee context.)
Furthermore, upon the request of the Department of Legal Affairs, the entity must provide the following information:
- A police, incident, or computer forensics report of the incident;
- A copy of the policies in place regarding security breaches;
- The steps taken to rectify the breach.
Notify Individuals Upon Breach. Notice must also be given to the individuals affected no later than 30 days after the discovery of the breach. Such notice may be given either in writing to the address on file or via email and must include:
- The date or estimated date of the breach;
- A description of the personal information accessed;
- Information about how an individual can contact your company to inquire about the breach.
If the notice requirement will have a cost exceeding $250,000, will be issued to over 500,000 individuals, or a company does not have the required address or email address for the individuals affected, substitute notice can be given by placing a conspicuous notice on the company’s website and by giving notice in print and broadcast media in the locations where the individuals were affected.
If the breach affects over 1,000 individuals in Florida then FIPA requires the company to give notice to all consumer reporting agencies that maintain files on individuals on a nationwide basis.
Vendor’s Breach Can Be Your Problem. In the case that your company’s third-party vendor has a breach that involves your company’s customer records, such third party must give notice to you within 10 days of the breach. After such notice is given, you must follow the same procedures as set forth above regarding notice.
|Liability for Third Parties. If the third-party vendor fails to give such notice then such failure will be seen as a violation of FIPA by your company, so it is vital to stress the importance of such notice to all third parties that store data for your company. Many companies will likely try to include some terms in the underlying agreement with their third-party providers to ensure that those providers will be liable for their breaches (or for failing to notify the company of the breach).
Exceptions to Breach Notice. Note that the notice requirements set forth above are not required in the case that, after proper investigation with federal, state, or local law enforcement, your company determines that the breach will likely not result in identity theft or other financial harm to individuals whose personal information was accessed. If such a determination is made, written documentation of the determination must be kept by you for at least five years after the breach. Furthermore, such determination must be provided in writing to the Department of Legal Affairs within 30 days of being decided.
Penalties. It is very important to follow these notice requirements set forth in this Act. The penalty for not abiding by these rules is $1,000 each day for the first 30 days following any violation of the notice requirements, and $50,000 for each subsequent 30-day period or portion thereof up to 180 days. The maximum penalty for violation of this Act is $500,000, so it is crucial that your company has the necessary policies in place to not only recognize a breach, but to give the proper notice to individuals located in Florida within the required timeframe.
For more information on data privacy issues of all kinds, please contact Maggie Utterback at (608) 283-2443 / firstname.lastname@example.org, Heather Buchta at (602) 229-5228 / email@example.com, or your Quarles & Brady attorney.