It seems like just about every week there is a new report on a data breach related to credit cards, debit cards or other sensitive information.  Here in Florida, hospitals and doctor's offices are a popular source of identity information.

In response, Florida Gov. Rick Scott recently signed the Florida Information Protection Act of 2014 (SB 1524) into law, amending Florida's breach notification statute effective July 1, 2014.  The amendments to Florida's data breach law include a unique statutory requirement to provide copies of forensic reports and "policies regarding breaches" to the Florida attorney general upon request; an expanded definition of "personal information" to include online account credentials (i.e. email address and passwords); and a shorter deadline (30 days) for individual notice.

While FIPA will likely have a major impact on businesses and how they respond to consumer data breaches, employers and Human Resource professionals need to be proactive and aware that data breaches regarding employee information may also be covered by this law.

What Employers Need to Know

The definition of personal information has been expanded and is defined to include an individual's first name or initial and last name in combination with one of the following:

(1) Social Security number;

(2) Driver's license or identification card number, passport number, or similar government document;

(3) A financial account number or credit or debit card number, in combination with any required security code or password that is necessary to permit access to the account;

(4) Information about an individual's medical history, treatment or diagnosis;

(5) Health insurance policy number or subscriber identification number and any unique identifier used by the health insurer to identify the individual;

(6) Username or email address in combination with password or security question and answer that would permit access to an online account.

A covered entity under FIPA includes sole proprietorships, partnerships, corporations, trusts, estates, cooperatives, or other commercial entities that acquire, maintain, store, or use personal information.

The term breach now means unauthorized access of electronic data containing personal information.

Covered entities must take "reasonable measures" to protect and secure personal information and to dispose of records containing personal information (paper or electronic) once the records no longer need to be retained. Of course, "reasonable measures" is undefined in the law and likely will be established through court opinions.

What Happens if There is a Breach

If there is a breach, an individual must be notified via email or letter, as soon as possible, but not more than 30 days after the breach was discovered.

If a breach impacts 500 or more Floridians, then notice must be provided to Florida's Attorney General within 30 days.

Penalties for violations do not include a private right of action.  What that means is that an employee or customer cannot sue you directly under FIPA.  Rather, the law provides that the Attorney General may bring an enforcement action against a covered entity and levy penalties up to $500,000.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.