The Florida legislature unanimously passed the Florida Information Protection Act of 2014 (FIPA) on April 30, 2014. The new law requires covered entities to take reasonable measures to protect and secure data containing personal information in electronic form, and to notify affected individuals of a data security breach within 30 days of its discovery. The law went into effect on July 1, 2014. Understanding the changes and how they impact your business is vital.
Because of the increasing frequency of cyber security breaches, the state legislature saw the statute as a necessary response to a growing concern. In the past year alone, the average total cost of a corporate data breach rose 15 percent, to about $3.5 million. The most common, and also the most costly, cause of a data breach is a malicious insider or criminal attack.
At first glance a cyber security breach may seem to affect a company only financially. However, according to Kris Lovejoy, General Manager of IBM's Security Services Division, "a data breach can result in enormous damage to a business that goes way beyond the financials. At stake is customer loyalty and brand reputation." FIPA aims to reduce these risks by requiring companies to take reasonable measures to protect their clients' personal information and to dispose of that information in an approved manner once it is no longer needed.
Simply stated, the statute requires covered entities, meaning businesses that handle the personal information of Florida residents, to take reasonable measures to secure that data. The law does not define what counts as reasonable measures, so companies should follow the recognized security best practices of their industry and be prepared to show that they did.
FIPA defines a covered entity as any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. This means the law covers nearly every business in the state, and in some cases non-Florida businesses that handle the personal information of Florida residents are covered as well. The law also broadens the definition of personal information. It covers an individual's name combined with any of the following: a social security number; a driver license, passport, military ID or other government-issued identification number; a financial account or credit or debit card number together with any security code or password needed to use it; medical history, condition or treatment information; or a health insurance policy or subscriber number. Separately, a username or email address combined with a password or security question and answer that would permit access to an online account also qualifies on its own. Information that is encrypted, or otherwise modified so that it no longer identifies an individual or is unusable, is excluded from the definition, which is one reason encryption at rest matters under this law.
Major FIPA changes affecting businesses
- Businesses are now expected to have a breach response plan in place before a breach happens, not to assemble one afterward.
- The law requires covered entities and their third-party agents to properly dispose of customer records once they are no longer to be retained. According to the statute, they "must take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means."
- Procedures for protecting personal information and responding to a breach must be documented, and copies must be provided to the Department of Legal Affairs (DLA) on request after a breach occurs.
- The deadline for notifying affected individuals, and the DLA for breaches affecting 500 or more Florida residents, has been shortened from 45 days to 30 days. Notice to individuals may be delayed only at the written request of a law enforcement agency that determines notification would interfere with a criminal investigation.
- A third-party agent has 10 days to notify the covered entity in the event of a security breach.
- Violating these notification requirements can result in civil penalties for the covered entity: $1,000 a day for the first 30 days, then up to $50,000 for each subsequent 30-day period or portion thereof, not to exceed $500,000 in total for a single breach.
The statute is codified in its entirety at section 501.171, Florida Statutes.