Florida Toughens Breach Notice Law
Incidents Must Be Reported More Quickly
A Florida law that takes effect July 1 toughens the state's data breach notification statute by, in part, broadening the term "personal information" to include individuals' usernames and e-mail addresses under certain circumstances.
The new law, seen as one of the nation's most rigorous data breach notification statutes, also shortens the time a breached company or government agency must notify the state attorney general to 30 days, down from 45 days, if the intrusion affects 500 or more Florida residents.
Stephen Satterfield of the law firm Covington & Burling describes the new act as "one of the nation's most stringent breach notice laws," adding the Florida statute goes "beyond the narrow scope of information protected by most state data breach laws."
Philip Alexander, an operational risk manager for a major U.S. financial institution, says that treating e-mail addresses as personal information is a significant change. "In the data security field, there's more heightened attention being placed on e-mail addresses," he says. "People use the same e-mail address for a social media site [and] for making sensitive online purchases."
The legislation, recently signed by Gov. Rick Scott, treats an e-mail address as personal information only if the breach also exposes the associated password, or the security question and answer, that would allow access to an online account.
The Florida Information Protection Act of 2014 makes the following changes to existing law:
- An organization must provide written notice to the state attorney general no later than 30 days after determination that a breach affecting 500 or more Floridians has occurred, down from 45 days in an earlier law.
- The breached organization must provide to the state attorney general, upon request, a copy of its breach-related policies, steps taken to rectify the breach and a police report, incident report or computer forensics report.
- After a breach affecting 500 or more, enterprises must notify individuals affected as expeditiously as possible, but no later than 30 days from discovery of the breach.
- In requiring notification of breaches of "personal information," that term is broadened to include an individual's username or e-mail address in combination with a password or security question and answer that would allow access to an online account. Also now included is an individual's full name in combination with: a passport number; medical history, treatment or diagnosis information; or health insurance identifier. Social Security number, driver license number, account number, and credit or debit card number remain in the definition of personal information.
- Organizations that must report breaches now include a sole proprietor, partnership, corporation, estate, cooperative association, governmental entity or any other commercial entity that acquires, maintains, stores or uses personal information.
The inclusion of government agencies as covered entities under the bill is also an important step forward, Alexander says. "I'm personally not a fan of 'do as I say, not as I do,'" he says. "If within a given state you're going to expect businesses to protect sensitive data, shouldn't you hold your own state agencies to the same level? This law does."
Organizations that fail to notify the Florida attorney general can be fined $1,000 per day for the first 30 days of non-compliance, and then $50,000 for each subsequent 30-day period for up to six months, with a cap of $500,000, according to the law firm McDonald Hopkins.
Healthcare organizations that comply with HIPAA's breach notification requirements are generally exempt from the Florida law, notes Dominic Paluzzi, an attorney at McDonald Hopkins.
"The way the new Florida law reads is that if you are a HIPAA covered entity or business associate and you give notice of a breach under HIPAA, you're deemed to be in compliance with the Florida breach notification law," he says. "[But], even if there's notice under HIPAA, you still have to give notice to the [state] attorney general if it constitutes personally identifiable information under the Florida [law]."
But, Paluzzi notes, "There could be circumstances where you don't have to notify under HIPAA but you have to notify under the Florida law. You can't play the game where 'I'm a covered entity, I only look to HIPAA and I've determined, under HIPAA, that I don't have a notification obligation.' Your analysis does not stop there. You have to go on then and look at Florida [law]."
And healthcare organizations that fail to notify individuals after a breach may be faced with double the amount of penalties, says privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine LLP. "While providing notice to individuals pursuant to HIPAA may satisfy both HIPAA and Florida law with respect to such notice, failing to provide notice to individuals may mean penalties under both HIPAA and Florida law, since the entity would not satisfy either's requirements," he says.
Other States to Follow?
The tougher requirements in Florida's new law may be a sign of things to come from other states, says Joseph Lazzarotti, who heads the privacy, social media and information management practice at the Jackson Lewis law firm in Morristown, N.J.
"California has updated its statute a number of times. Kentucky recently passed its statute. What continues to happen is there's some big breach, like we've seen, and you get more activity and attention," he says. "All of these incidents and updates to statutes seem to be pushing each other to create more attention to data breach notification and securing information in the first place."
(Executive Editor Eric Chabrow contributed to this story.)