By: Linda L. Goodman
A security breach may be the result of a malicious hacker, a disgruntled employee, or the inadvertent loss of mobile equipment such as a tablet, laptop or smartphone that contains personal information. If such a breach does occur, you must be prepared with a compliant data breach incident response plan and written policies applicable to privacy, protection and notification. Every attorney general in every state has authority to demand these upon notification of a data breach, or upon a failure to notify. If you have these policies and plans, but they have not been reviewed or updated in the past year, now is the time to update them. Several states, including California, Iowa, Kentucky, New Mexico and now Florida, have overhauled the required steps a company must take when faced with a potential or actual security breach in which it is known or likely that personal information has been disclosed. The states are also broadening their definition of “personal information” to include e-mail addresses and the like.
The latest of these overhauls has occurred in Florida, which passed The Florida Information Protection Act of 2014. This law became effective July 1, 2014. The law expanded the definition of “personal information” that triggers a notification requirement by adding health insurance information, medical information, financial information and online account information, such as security questions and answers, e-mail addresses, and passwords. Previous law covered only an individual’s name in combination with: (i) a social security number; (ii) a driver’s license or identification card number; or (iii) an account number, or credit or debit card number, in combination with any required security code or password to access the account.
In addition, Florida shortened the time period in which businesses have to notify the affected consumers from 45 days to 30 days after discovery of, or reasonable belief that, a data breach had occurred. In the event of a data breach affecting 500 or more residents, the company must submit a written notice to the Attorney General no later than 30 days after discovery of the breach or 30 days after the company had a reasonable belief that a data breach had occurred. If requested by the Attorney General, the company must provide to the Attorney General a copy of its policies in place regarding breaches, the steps taken to rectify the breach, any police or other investigating government entity report, and the company’s computer forensics report. In addition, if the breach involves over 1,000 individuals, the company must also notify the three major credit reporting agencies (Experian, TransUnion and Equifax).
The only exception to the required notice is if, after the organization conducts a thorough investigation that includes consultation with the relevant law enforcement agencies, it reasonably determines that the breach has not resulted and is not likely to result in identity theft or financial harm to the affected consumers. That determination itself must be in writing, must be sent to the Florida Attorney General within 30 days of the business making the determination, and must include thorough documentation supporting it. The determination and all evidence supporting it must then be maintained for at least 5 years.
Lastly, the law requires businesses to establish, in writing, reasonable measures to protect and secure personal information stored in electronic format. Notably, the law does not identify any details on what “reasonable measures” are, but in the event of a security breach, the company will need to convince the Attorney General of Florida that, at a minimum, it used commercially reasonable safeguards to protect personal information consistent with industry standards.
As for penalties, the law authorizes enforcement actions by the Attorney General under Florida’s Unfair and Deceptive Trade Practices Act. This allows for civil penalties of up to $500,000, assessed at $1,000 per day for the first 30 days of violation and $50,000 for each subsequent 30-day period for up to 180 days. If the violation continues for more than 180 days, the penalties are capped at $500,000.
Compliance Recommendations:
All states impose stringent requirements for businesses to secure consumer data with current industry best practices. Those that suffer a security breach that exposes personal information, whether it belongs to customers, employees or other individuals, will be required to demonstrate that they took appropriate steps to secure the data and the legally required steps once the data was exposed. This is true irrespective of whether the breach resulted from a malicious hacker, a disgruntled employee or inadvertent loss. Businesses should establish their security and destruction policies now, put them in writing and ensure that such policies are implemented. In addition, businesses need to establish a data breach incident response plan and ensure it complies with the new requirements.
______________________________________________________________________
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
Linda L. Goodman is the founder of The Goodman Law Firm, concentrating its practice in internet business and law. Her firm’s clients include Advertisers, Affiliates, Affiliate Networks, and ISP’s.
© 2014 TGLF, A.P.C.