Florida Updates Data Privacy Laws

By Arthur Freyre

Governor Scott recently signed into law the Florida Information Protection Act of 2014 (FIPA). FIPA is effective starting July 1, 2014. The following is a brief overview of FIPA as well as its key sections.  

FIPA updates existing data privacy laws for the State of Florida. It requires all entities subject to the law to “take reasonable measures to protect and secure data in electronic form containing personal information.” The following three questions are discussed in this blog post: (1) What is an entity?; (2) What is personal information?; and (3) What are reasonable measures? We will also briefly discuss the consequences of failing to comply with the new law.

What Is An Entity?

Under FIPA, an entity includes any and all organizations, including businesses, trusts, estates, associations, and cooperatives, that acquire, maintain, store, or use personal information. In other words, if you are an organization that uses personal information, you are required to use reasonable care to protect that information.

An entity is basically any organization that does business in the State of Florida. FIPA also applies to government entities and to third-party contractors who are contracted to maintain, store, or process personal information on an entity’s behalf.

What is Personal Information?

There are two groups of personal information. The first classification consists of a person’s first name, or first initial, and last name in combination with the following information:

  • Social Security number, driver’s license, personal ID card, passport number, military identification number, or any other number that can uniquely identify you;
  • Credit card number, debit card number, or financial account number along with a password, access code, or security code that can give anyone access to one’s personal financial information;
  • Medical records, including past medical history; and
  • Health insurance policy number or identification number.

The second classification of personal information includes all email addresses, in combination with a password or security question, that grant access to an online account. Information deemed a “public record” (i.e., information found in courthouses or property records) is not deemed personal information. Also, information that is encrypted, secured, or modified so that elements of personal information are removed is exempted from this definition.

What is Reasonable Care and What Are the Reporting Requirements? 

FIPA does not define reasonable care; rather, reasonable care will be open to a case-by-case analysis. The law is triggered when a data breach that impacts a minimum of 500 Floridians has occurred or is suspected to have occurred.

The breach must be reported not only to the police or the relevant federal agency (if applicable), but also to the Florida Attorney General’s Department of Legal Affairs. Notification must occur within thirty (30) days. If the data breach occurs as a result of a third-party contractor, the organization has ten (10) days to notify the Department of Legal Affairs.

If the data breach affects 1,000 Floridians or more, FIPA requires that the organization report the breach to all consumer-reporting agencies, as defined by the Fair Credit Reporting Act, without reasonable delay.

Penalties for Non-Compliance & Other Matters

Failure to take reasonable measures, as well as failure to notify, will result in fines of up to $500,000 and remedies for unfair or deceptive trade practices as set forth in Florida Statute § 501.207.

Finally, there is no private cause of action allowed under FIPA. In other words, no individual lawsuits against companies and other entities will be allowed in state court pursuant to FIPA.

Since reasonable measures are not specified, it is imperative to contact your attorney to discuss how we can assist you in protecting data.

Our data privacy compliance attorneys and specialists can assist your company in becoming compliant under the law. We offer the following services:

  • Privacy gap and risk analysis
  • A privacy strategic and business plan
  • Privacy advice and training
  • Designing privacy policies and procedures
  • Breach Management.