Florida Governor Rick Scott signed into law what may be the nation’s broadest and most stringent data breach law.
The Florida Information Protection Act of 2014, which was signed last week, requires companies to take “reasonable measures” to protect and secure personally identifying information in electronic form.
The new law also increases companies’ reporting and disclosure obligations in the case of a data breach. The new law goes into effect July 1.
The law expands the definition of personal information to include medical and health insurance data, usernames, email addresses, security question and answer pairs, and passwords.
The Information Protection Act “will be one of the nation’s most stringent breach notification laws,” Stephen Satterfield, an associate with the Washington, DC-based law firm Covington & Burling LLP, wrote on the National Law Review.
One requirement that has become more stringent is the timeframe for reporting a breach. Under the new law, if more than 500 Florida residents are affected by a data breach, companies will need to notify the state’s regulators, the Department of Legal Affairs, within 30 days of the breach’s discovery. Third-party agents have to notify the partner company of a breach within 10 days, and the company is ultimately responsible if the agent fails to follow the new notification requirements.
The original law gave companies 45 days from discovering the breach.
Companies must “consult with relevant federal, state, or local law enforcement agencies” before deciding whether or not the breach is serious enough to disclose, Satterfield said. If the company decides against reporting the incident, it still has to report the decision not to notify to the attorney general within 30 days of making that decision.
The law also spells out contents that must be included in the notification letters sent to the victims, such as credit monitoring services. Companies must also furnish, upon request, the Florida attorney general with additional information, including the police, incident, or forensic report, a copy of all the company policies and procedures in place at the time of the breach, and a list of all the steps taken to rectify the incident.
Because the new law strengthens the existing law, “it is important for companies to monitor these developments and assess and revise information security policies, as necessary,” wrote Katie Riley, an associate with Washington, D.C.-based law firm Kelley Drye & Warren LLP.
The Information Protection Act is also codified within the Deceptive and Unfair Trade Practices Act. Violating notification rules would be “an unfair or deceptive trade practice” and would result in civil penalties of up to $500,000, Riley said.
There is still no federal data breach notification law; currently there is a patchwork of state laws defining what actions companies must take. Alabama, New Mexico and South Dakota have yet to pass any cyber breach legislation.
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including iPCMag.com where she is a networking and security analyst. She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products.