TALLAHASSEE, Fla. (6/24/14)--On Friday, Florida Gov. Rick Scott signed into law The Florida Information Protection Act of 2014, legislation which was finalized with input from the League of Southeastern Credit Unions (LSCU).
The law updates Florida's data breach notification laws, giving the attorney general more power to protect Florida's consumers from data breaches. While the law does not go as far as requiring merchants to reimburse financial institutions for losses that occur during a breach, it makes data security more of a legal priority in Florida, LSCU said (eSignal June 23).
The law becomes effective July 1.
The action in Florida is the latest in a series of proposals and laws being considered in several states, including California, New Mexico, Iowa and Kentucky.
The law expands the definition of personal information to include health insurance, medical information, financial information and online account information, such as security questions and answers, email addresses and passwords (JDSupra Business Advisor June 23).
Previous law covered an individual's first name or initial and last name, in combination with: a social security number; driver's license or identification card number; or account number, credit or debit card number combined with any required security code or password to access the account.
The law authorizes enforcement actions by the attorney general under Florida's Unfair and Deceptive Trade Practices Act for any violations. Civil penalties can reach $500,000: $1,000 per day for the first 30 days of violation, and $50,000 for each subsequent 30-day period for up to 180 days. If the violation continues for more than 180 days, the penalties can be up to $500,000.
The new law requires proper notice to be provided to consumers within 30 days of a breach. Previous law required notification without unreasonable delay and no later than 45 days after discovery of the breach.
If the breach involves more than 1,000 individuals, the company must also notify the major consumer reporting agencies: Experian, TransUnion and Equifax.
Notice is not required if, after the organization conducts an appropriate investigation and consults with relevant law enforcement agencies, the company reasonably determines that the breach has not resulted and is not likely to result in identity theft or any other financial harm to the affected individuals. The determination must be documented in writing, maintained for at least five years, and provided to the attorney general within 30 days after the determination is made.
The law requires businesses to use reasonable measures to protect and secure personal information in electronic form, although it does not specify what those measures are. In the event of a security breach, the company must demonstrate at a minimum that it used commercially reasonable safeguards to protect personal information, consistent with industry standards.