Data Breaches Prompt Change in Florida Law

A new state law has been passed to give Florida residents greater protection by ensuring both private companies and government agencies store electronic data securely.
The recent spate of cyber attacks and HIPAA breaches has highlighted the fact that consumers now face a very real threat and that their personal and confidential data could fall into the hands of criminals. The elevated risk prompted Florida to draft new legislation to better protect its residents, and in July of this year the Florida Information Protection Act of 2014 (FIPA) came into force.

The new FIPA is similar to the Health Insurance Portability and Accountability Act of 1996. The legislation has been introduced to protect the privacy of consumers and to hold offenders accountable for data breaches. The Attorney General’s Office also wants rapid action following a data breach to limit the harm, damage and loss caused. When victims are notified promptly, they are able to take action to protect their identities and prevent further loss or damage.
Under FIPA, organizations must take “reasonable measures” to protect consumer information although different standards exist for different industries. It would be unreasonable and unnecessary for a small hardware store to implement the same level of protection required in the healthcare industry for instance.

Personal information such as first name, initial and last name must not be used in conjunction with a Social Security number, passport or driver’s license number, credit card details or a bank account number. The same rule applies for passwords and security codes and questions, online accounts and other identifiers such as email as well as personal information such as medical history.

Over 91 million Americans were affected by data breaches in 2013, across the 600 data breaches researched by the Florida Senate before the final bill was prepared. In a recent talk at a Tallahassee Technology Alliance luncheon, Messer Caparello, P.A. Attorney William Dillon summed up the current state of data security in America and painted a poor outlook for any organization that fails to take the appropriate precautions to secure its data from being stolen or intercepted.
“These things happen every day and I have come to the belief that there are two types of organizations – those that have had a breach and those that are going to have a breach. It happens.”

FIPA stipulates that organizations are required to issue a notice to the Florida Department of Legal Affairs of any data breach involving more than 500 Florida residents, and that the notification must be issued as soon as possible to limit the damage caused. The new law applies a 30-day time limit on the issuing of notifications to consumers affected by a security breach or whose data may have been viewed by an unauthorized third party.

In cases involving data of over 1,000 individuals in a single breach there is an additional requirement to notify all credit reporting agencies that hold and maintain files on consumers under the Fair Credit Reporting Act. However, individual consumers do not need to be notified of data breaches under FIPA if there is likely to be no risk of identity or data theft or any financial harm caused.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.