Getting Up to Speed on Florida Data Breach Law, Part 1

In recent posts, we’ve been discussing the growing importance of incident response planning, why cybersecurity incident response is as much a legal issue as an IT issue, and what your organization can do to ensure that your incident response plan is effective. Companies should operate under the assumption that a security breach will happen and develop an incident response plan with the assistance of an attorney who understands how to navigate the complex framework of state and federal statutes and regulations. Once the plan is developed, an incident response readiness assessment and testing that simulates an actual breach will tell you if your plan is ready for prime time.

It is important to understand recent changes to the Florida data breach law as they relate to compliance and disclosure and update your incident response plan accordingly, or create a new plan with these changes in mind. Last summer, the Florida Information Protection Act of 2014 went into effect. This law amends Florida’s breach notification statute. Here is a summary of the key amendments.

Attorney General Notification

When a data breach or suspected breach affects more than 500 Florida residents, the Florida attorney general must be notified within 30 days. This notification must include a description of “any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services.” An example of such services might be a free credit reporting service.

There is a “no risk of harm” exception, which states that notification to affected individuals is not required if an organization consults with law enforcement and it is determined that the breach “has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.” Documentation for this determination must be provided to the attorney general within 30 days and maintained for at least five years.

A Broader Definition of Personal Information

The definition of personal information now includes login information – “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” The other expansion of the personal information definition is medical-related. It includes a person’s first name, or their first initial and last name, combined with their medical history, condition, treatment or diagnosis, or any identifier used by a health insurance provider, such as a policy number. Health Insurance Portability and Accountability Act (HIPAA) breach notification rules appear to cover this requirement as long as the Florida attorney general is provided with a copy of HIPAA notifications.

Smaller Windows for Notifying Affected Parties

Once a breach has been discovered, organizations now have 30 days to notify affected parties, a fairly substantial change from the previous 45-day window. The attorney general may allow an additional 15 days if there is good cause for the delay caused by law enforcement or “risk of harm” consultation. However, it is important to keep in mind that certain industries have tighter deadlines that must also be followed.

In the next post, we’ll continue to explain the updates to Florida’s data breach law so you can update your incident response plan and cybersecurity and data breach notification policies accordingly.