On June 20, 2014, Florida Governor Rick Scott signed a bill into law that repeals and replaces the state’s existing breach notification statute with a similar law entitled the Florida Information Protection Act (Section 501.171 of the Florida Statutes) (the “Act”).
Below is a summary of several key changes the Act makes to the previous breach notification statute:
- The Act revises the definition of “breach of security” to cover “unauthorized access” of electronic data containing personal information; the previous law defined breach more narrowly to mean “unlawful and unauthorized acquisition” of computerized data that materially compromises the security, confidentiality or integrity of personal information.
- The Act expands the definition of “personal information” to include “[a]ny information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.” In addition, the definition of “personal information” now includes a “username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.”
- The Act requires notice to affected individuals no later than “30 days after determination of the breach or reason to believe a breach occurred.” If good cause is presented in writing to the Department of Legal Affairs (the “Department”) within the 30-day window, the covered entity may receive an additional 15 days to provide notice. The previous law required notification within 45 days.
- The Act requires notice to the Department for a breach affecting 500 or more Florida residents in accordance with the 30-day timing requirement and 15-day extension period described above. The notification to the Department must include:
- a synopsis of the events surrounding the breach at the time notice is provided;
- the number of individuals in Florida who were or potentially have been affected by the breach;
- any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services;
- a copy of the notice to affected individuals or an explanation of the other actions taken pursuant to the notification provision; and
- the name, address, telephone number and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.
- Covered entities also may be required to provide the following information to the Department upon request:
- a police report, incident report or computer forensics report;
- a copy of the policies in place regarding breaches; and
- steps that have been taken to rectify the breach.
- The Act provides a harm threshold similar to the one contained in the previous law. Pursuant to the Act, however, a covered entity may rely on the harm threshold only “after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies” (emphasis added). In addition, the covered entity must provide the written determination to the Department within 30 days after the determination.
The Act took effect on July 1, 2014. View the amended breach law.