After being unanimously passed by the Florida legislature on April 30, 2014, on June 20, 2014, Florida's Governor Rick Scott signed the Florida Information Protection Act of 2014 (Act or FIPA). This Act repeals and wholly replaces Florida's existing data breach law (at Flat. Stat. Section 817.5681) with new Section 501.171. FIPA takes effect on July 1, 2014.

A few preliminary comments.... This statute is a relatively sweeping change for Florida and raises the bar for other states. It applies to every business that handles "personal information" of Florida residents and requires these businesses to take proactive "reasonable measures" to secure data. But, like many other data breach and data security statutes, FIPA fails to define what it means to take "reasonable measures." In general, this means that companies need to follow industry best practices. As a starting point, businesses should conduct a risk analysis to better gauge their risks. FIPA also implements a records disposal requirement.

Given the increased liability brought about by this statute, Florida-based businesses that share data with other entities should review their contracts to ensure that data breach notification requirements are included together with appropriate cyberliability (i.e., data breach) insurance requirements, damages caps, and indemnification language. Non-Florida based businesses that handle "personal information" of Florida residents should be aware that they too may be subject to the requirements can be pulled into court under the Florida Long-Arm Statute.[1]

What Steps Should Companies Take?
Companies should consider taking a few proactive steps to gauge their risks and liabilities in light of the proactive requirement to take security measures, shortened deadline to provide data breach notification, and notification requirements for down-stream entities (e.g., business associates, vendors, contractors, etc.).

  • Under take a risk analysis to better assess potential risks and vulnerabilities to the confidentiality, integrity and availability of all personal information handled by the company
    • For a good starting point for a risk analysis, consider looking to the HIPAA materials and the NIST guidance documents
  • Review existing privacy and security policies and procedures and update as needed
    • Policies should reflect what the organization actually does and not what it would do in an ideal world. Policies that are in place but are not followed may demonstrate willful negligence and be the proverbial "smoking gun" in litigation
  • Develop an incident response plan, which should include a data breach notification plan
    • This plan should be called an "incident response plan" because not every incident is a breach. By calling something a "breach" your team may be attributing a legal meaning to an event that is merely a potential security incident. Keep in mind that the term "breach" is defined in the statue.
    • Any security incident is a stressful event. Having a plan in place, that at the very least contains important phone numbers for contacts who can assist you through the process will ease the stress a bit. Your attorney should be the first call because you never know what you are going to find.
  • Encrypt personal information to the extent possible and definitely encrypt all mobile devices
    • The loss and theft of laptops is one of the leading causes of data breaches. Laptops should have hard drive encryption (as opposed to a separate drive that each employee should use to store personal information). If your company is using a Windows based product, check to see if BitLocker is available on the version you're using because it comes preinstalled in some Windows products and only needs to be enabled.
    • Employee owned mobile devices that have access to "personal information" should be enrolled in a mobile device management system and the company should have written authorization from the employee to wipe the device, copy the device, seize it in the event of litigation, etc.
    • Encryption is particularly important because it pulls the information out of the definition of "personal information" and therefore also pulls it out of the breach notification requirement.
  • Identify all vendor and business relationship that impact "personal information" and review the existing contracts to ensure that your business will receive timely notification in the event of an incident as well as cooperation during the investigation
A Few Highlights from the New Law
  • Arguably, every organization is covered under the law because the definition of "covered entity" is quite broad:
“Covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements . . ., the term includes a governmental entity.
Those in the healthcare space will be familiar with the term "covered entity" but note that this provision covers every organization that acquires, maintains, stores, or uses personal information.
  • The definition of personal information is quite broad and includes social security numbers, healthcare information, health insurance policy number, credit card numbers, and "a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account."
  • There is a shorter timeline to notify affected Florida individuals - Under Florida's previous law, organizations were required to notify within 45 days. Now, it is "no later than 30 days after the determination of a breach or reason to believe a breach occurred" unless there is a law enforcement delay or "if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.
  • As noted above, covered entities must take proactive measures to protect the personal information. "Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information."
  • There is no private right of action. But, a "violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the [Department of Legal Affairs (i.e., the Florida Attorney General)] under s. 501.207 against a covered entity or third-party agent." Civil penalties are not to exceed $500,000 and will go into the General Revenue Fund.
  • FIPA includes a data records disposal provision. "Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means."

The text of the new law is available here - https://laws.flrules.org/2014/189.

---------------------
[1] Interestingly, the Florida legislature addressed the possibility of this in the "Bill Analysis and Fiscal Impact Statement" as follows:
Although the bill does not specifically provide that the covered entity must be conducting business in this state, the Florida Long-Arm statute may provide courts with the authority to assert personal jurisdiction over a nonresident covered entity. The statute enumerates a number of actions that a person or his or her representative may take that would submit that person to the jurisdiction of Florida courts. Those actions include, among other things, operating, conducting, engaging in, or carrying on a business venture in this state or having an office or agency in this state; committing a tortious act within this state; or breaching a contract in this state by failing to perform acts required by the contract to be performed in this state. A person may also become subject to the jurisdiction of a Florida court if the person is engaged in substantial and not isolated activity within Florida.
Florida Senate, Bill Analysis and Fiscal Impact Statement: CS/SB 1524, April 1, 2014, https://www.flsenate.gov/Session/Bill/2014/1524/Analyses/2014s1524.pre.rc.PDF.

---------------------

Posted by: Tatiana Melnik on June 27, 2014