July 31, 2014
Technology Law
Florida’s Revised Data Breach Notification Laws
In the wake of major data breaches in late 2013 and early 2014, the Florida Legislature unanimously adopted new, more stringent data breach notification requirements. Effective July 1, 2014, The Florida Information Protection Act of 2014 requires notification to affected consumers within 30 days of discovering a breach of personal information. Penalties for noncompliance can be severe—up to $500,000.
Personal information is defined to include the consumer’s name in connection with a social security number, government identification number (e.g., driver’s license, passport, or military ID), a financial account number or credit/debit card number, medical information, or a health insurance policy number. Personal information is also comprised of a consumer’s name or email address in conjunction with a password or security question and answer.
The Act requires specific information be included in the notification to consumers, including the date or estimated date of the breach, the type of personal information believed to have been accessed, and the notifying entity’s contact information should the consumer wish to inquire further.
Data breaches affecting 500 or more Florida consumers trigger notification to the Florida Department of Security, and breaches affecting 1,000 or more consumers require notification to credit reporting agencies.
Entities not complying with the regulations can be fined $1,000 per day for the first 30 days, then $50,000 for each subsequent 30-day period up to 180 days. The total penalty cannot exceed $500,000. Penalties are levied by the state and deposited into the state’s General Revenue Fund.
The Act is clear that it does not create a private cause of action (meaning consumers cannot file a lawsuit for violations of The Florida Information Protection Act of 2014).
As we’ve discussed previously, prevention is the best cure for a data breach. If your company finds itself in the unfortunate position of having its data compromised, you must act quickly. Consult with competent legal counsel familiar with data breach notification laws. The consequences of noncompliance could bankrupt many companies. Don’t let your company be one of them.
