Act Imposes New Information Security and Management Requirements on All Florida Companies
On June 20, 2014, in the wake of numerous highly publicized data breaches, Governor Rick Scott signed into law the Florida Information Protection Act of 2014 (FIPA), which replaces Florida’s existing data breach notification law, Fla. Stat. Ann. § 817.5681. FIPA has far-reaching implications for companies that hold Floridians’ personal information, and it will require companies to focus immediately on data privacy and security issues within their organizations. Failure to comply with FIPA’s requirements could result in a company facing an enforcement action brought by the Department of Legal Affairs (the “Department”).
Florida has maintained legislation requiring notification in the event of a breach for a number of years; however, there has been renewed interest after several high-profile breaches and attempts by plaintiffs’ attorneys to use breaches as a new opportunity for litigation. FIPA shortens the current 45-day breach notification deadline and requires companies to notify affected individuals within 30 days. FIPA also requires companies to notify the Department of breaches affecting 500 or more individuals. Once a breach has been reported, FIPA requires a company to provide, upon request from the Department, relevant incident reports, computer forensics reports, policies and procedures, and post-breach remediation steps. Note that this assumes companies maintain such policies and procedures for handling personal information.
In addition to the new breach notification protocol, FIPA requires virtually all companies to take reasonable measures to protect and secure electronic data containing “personal information.” Under FIPA, “personal information” is defined to include a first name or first initial and last name in combination with any of the following data elements:
- a Social Security number;
- a driver’s license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
- a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to a financial account;
- any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
- an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
“Personal information” is also defined to include a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. Notably, “personal information” does not include information that has been encrypted, secured, or modified in a way that removes elements that personally identify an individual or that otherwise renders the information unusable.
Furthermore, FIPA requires companies to take reasonable measures to dispose of customer records, in any form, that contain personal information when the records are “no longer to be retained.” While no specific time period is mandated for the retention or destruction of records, FIPA requires information to be disposed of by “shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable.”
FIPA grants the Department the authority to enforce the statute in two ways. First, any violation of FIPA constitutes an unfair or deceptive trade practice in any action brought by the Department under Fla. Stat. Ann. § 501.207. Second, the Department may levy significant civil penalties against companies that violate FIPA’s notification requirements.
Although FIPA’s obligations to secure and dispose of personal information are similar to federal requirements, these obligations will align Florida with a small minority of other states that require comprehensive information security and management programs. FIPA’s effective date is July 1, 2014. Accordingly, companies without security and privacy programs must begin planning now to become compliant with FIPA’s new requirements, including the documentation of certain policies and procedures. Companies with existing programs should also take the opportunity to audit their own policies and procedures to ensure compliance with the new legislation.