Government Security Breach Law in the State of Florida
March 24, 2022 | 4 minutes read
Florida’s Information Protection Act of 2014, or FIPA, is a data protection and cyber security law passed in the U.S. state of Florida in 2014. While Florida’s primary data breach notification law, Fla. Stat. § 501.171, applies to all such incidents that occur within the state, the FIPA applies to specific covered entities within Florida, including government agencies and their third-party agents and affiliates. The FIPA outlines the legal framework that these covered entities are responsible for adhering to in the event that a data breach occurs. Moreover, the law also sets forth the steps that these covered entities must take to ensure that such events do not occur.
How are covered entities defined under the law?
Under Florida’s Information Protection Act of 2014, a covered entity is defined as “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements in subsections (3)-(6), the term includes a governmental entity.” The law in turn defines a data breach as the “unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.”
What are the data breach notification requirements under the law?
Under Florida’s Information Protection Act of 2014, covered entities that experience a data breach are required to provide notification to all affected parties. Additionally, covered entities that experience a data breach must also provide notification to the Florida Department of Legal Affairs. These notifications must provide affected individuals and parties with the following information:
- A synopsis of the events that caused the data breach.
- A description of the categories of personal information that were accessed, or could be reasonably believed to have been accessed as a result of the breach.
- The actual date, estimated date, or range of dates on which the breach occurred.
- The number of individuals within the state that were or could have been affected by the breach.
- Any services related to the breach that are being offered to the affected individuals or parties, free of charge, as well as instructions on how to utilize such services.
- The contact information of an employee or agent working on behalf of the affected entity who can be contacted for further information concerning the breach, including this employee or agent’s name, physical address, email address, and telephone number.
What categories of personal information are covered under the law?
Under Florida’s Information Protection Act of 2014, the following categories of personal information are legally protected in the event that a data breach occurs, in combination with an individual’s first name or first initial and last name:
- Social security numbers.
- Driver’s license and state identification card numbers.
- Financial account numbers and credit and debit card numbers, as well as any required security codes, access codes, or passwords that could be used to grant access to an individual’s financial account.
- Information regarding an individual’s medical history, physical or mental condition, or medical condition or diagnosis.
- An individual’s health insurance policy number or subscriber identification number, as well as any unique identifier used by a health insurer to identify an individual.
- Online user names and email addresses, as well as any passwords or security questions that could be used to grant access to an individual’s online account.
As for enforcement, covered entities that fail to comply with Florida’s Information Protection Act of 2014 are subject to the following penalties:
- A monetary fine of up to $1,000 for the first 30 days after the initial violation.
- A monetary fine of up to $50,000 for each subsequent 30-day period or portion thereof for up to 180 days.
- A monetary fine of up to $500,000 in instances where a violation occurs for more than 180 days.
How can covered entities achieve compliance with the law?
As government entities must maintain the confidentiality and integrity of all personal information they use in the course of their respective job functions, a primary means by which such entities can achieve compliance with legislation such as the FIPA is the use of automatic redaction software. Using such software, employees and agents of government entities can redact personal information from PDFs, emails, videos, images, and audio content, ensuring that the personal privacy of everyone involved is protected at all times. Furthermore, because these programs operate automatically, users can also reduce the human errors that often lead to non-compliance.
In contrast to many other U.S. states, the provisions of Florida’s Information Protection Act of 2014 and Fla. Stat. § 501.171 together provide residents of the state with two layers of protection against the adverse consequences of being involved in a data or security breach. Through the enactment of such legislation, these residents can have the peace of mind that their personal information is being protected at every level of society. To this point, many other U.S. states will surely pass data breach legislation that pertains to certain businesses and industries, as the looming threat of cybercrime continues to grow by the day.