Senate Bill 1524, known as the “Florida Information Protection Act of 2014,” was signed into law by Florida Governor Rick Scott on Friday, June 20, 2014.
The impact of this legislation is significant to the retail and service industry sectors in particular, and to all companies doing business in Florida in general.
The law takes effect July 1 and it requires, among other things:
- that covered entities take reasonable measures to protect and secure data containing personal information in electronic form
- notice of security breaches be provided to affected customers as well as to the state Department of Legal Affairs
Note that “data … in electronic form” means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
The bill was sponsored by Senator John Thrasher, and it repeals Section 817.5681, Florida Statutes (“Breach of Security Concerning Confidential Personal Information in Third-Party Possession”).
Pursuant to the newly enacted law, “covered entity” includes a sole proprietorship, partnership, corporation, trust, estate, cooperative, association or other commercial entity that acquires, maintains, stores or uses personal information.
For the purpose of the notice requirements described below, “covered entity” also includes governmental agencies.
According to the new law:
- A covered entity shall provide notice to the Florida Department of Legal Affairs of any breach of security affecting 500 or more individuals.
- Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. Notice shall also be provided to the affected individuals.
The legislation defines “breach of security” or “breach” as the unauthorized access of data in electronic form containing personal information.
The legislation defines “personal information” as either of the following:
An individual’s first name or first initial and last name in combination with one or more of the following for that individual:
- A social security number;
- A driver license or identification card number;
- A passport or military identification number or number issued on a government document used to verify identity;
- A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
- An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
The legislation gives the Department of Legal Affairs enforcement authority under the Florida Deceptive and Unfair Trade Practices Act, Chapter 501 Florida Statutes, to prosecute violations in civil court.
Companies are required to provide information related to the data breach to the Department of Legal Affairs upon the department’s request.
The bill provides exceptions for those entities that comply with breach notifications as required by the appropriate federal regulator.
Customer records, physical and electronic, are also required to be disposed of in a manner that protects personal information from being disclosed.
In conjunction with this legislation, SB 1526 (“Public Records/Department of Legal Affairs”) was approved to create exemptions to Florida’s public records law to cover information received by the Department of Legal Affairs on the data breach investigations.
* * * *
If you have any questions, or wish to know more about the new law, please contact Lila Jaber or any member of Gunster’s government affairs practice.
|Yes! Please sign me up to receive email alerts from other Gunster practice areas.|
|Image courtesy of FreeDigitalPhotos.net|
This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.
Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 11 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Fort Lauderdale, Jacksonville, Miami, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, The Florida Keys, Vero Beach and its headquarters in West Palm Beach. With more than 160 attorneys and 200 committed support staff, Gunster is ranked among the National Law Journal’s list of the 350 largest law firms. More information about its practice areas, offices and insider’s view newsletters is available at www.gunster.com.