Newfound Security Breach Law in the State of Florida
Fla. Stat. § 501.171 is a security breach notification law that was passed in the U.S. state of Florida in 2014. Prior to the enactment of Fla. Stat. § 501.171 in 2014, the state of Florida had yet to pass any legislation pertaining to security breaches. To this point, the law establishes the protocol that individuals, businesses, and organizations are required to follow should a security breach take place. Furthermore, the law also sets forth the punishments that can be imposed against parties that fail to comply with the provisions of the law as it relates to the handling of security breaches and related incidents.
How is a security breach defined under Fla. Stat. § 501.171?
Under Fla. Stat. § 501.171, a security breach is broadly defined as “the unauthorized access of data in electronic form containing personal information.” Conversely, the “good-faith access of PI by an employee or agent of the Entity is not a breach of the security of the system, provided the information is not used for a purpose unrelated to the business or subject to further unauthorized use.” Moreover, as it concerns the scope and applicability of the law, Fla. Stat. § 501.171 is applicable to any “sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.”
What are the security breach notification requirements under Fla. Stat. § 501.171?
Under Fla. Stat. § 501.171, a business entity that experiences a security breach is required to provide notification to all affected residents within the state, as well as the Department of Legal Affairs and the three major credit bureaus within the U.S., in instances where a security breach affects more than 500 or 1000 residents within the state, respectively. To this end, security breach notifications that are provided to residents within Florida must include the following information:
- The approximate, estimated, or estimated range of dates upon which the security breach occurred.
- A description of the types of personal information that could be or have been disclosed as a result of the breach.
- Contact information that affected individuals can use to contact the affected entity for the purpose of obtaining further information concerning the breach.
Alternatively, data breach notices that are provided to the Florida Department of Legal Affairs must also contain the following information:
- A synopsis of the events that caused the security breach.
- The number of residents within Florida that have or could potentially be affected by the security breach.
- Any services that the affected entity is offering to Florida residents concerning the security breach, as well as for instructions on how to take advantage of said services.
- The contact information that affected consumers can use to contact an employee or agent within the affected entity for the purpose of obtaining additional information concerning the breach, including their name, telephone number, physical address, and email address.
- A copy of the notice is required for affected individuals, or an explanation of the other actions taken to give notice to affected individuals.
What types of personal information are protected under Fla. Stat. § 501.171?
Under the provisions of Fla. Stat. § 501.171, the following data elements are legally protected in the event that a security breach takes place, in combination with a Florida resident’s first name or first initial and last name:
- Social security numbers.
- Driver’s license and identification card numbers, passport numbers, military identification numbers, other any other form of identification number issued in accordance with a government document used to verify identity.
- Usernames and email addresses, as well as any associated passwords, security questions, or security question answers that could be used to permit access to an individual’s online account.
- Financial account numbers and credit and debit card numbers, as well as any associated passwords, security codes, or access codes that could be used to permit entry into an individual’s financial account.
- Information concerning a Florida resident’s medical history, mental or physical conditions, or a treatment or health diagnosis made by a healthcare professional.
- Health insurance policy numbers and subscriber identification numbers, as well as any other unique identifiers that could be used by a healthcare provider to identify an individual.
What are the penalties for violating Fla. Stat. § 501.171?
In terms of the enforcement of the law, the provisions laid out in Fla. Stat. § 501.171 are enforceable by the Florida attorney general. As such, the Florida attorney general has the authority to impose penalties against entities within the state that are found to be in violation of the law. Such punishments include a monetary fine of up to $500,000, including a $1,000 fine for each day in which a security breach goes unreported, as well as a fine of up to “$50,0000 for each 30-day period or portion therefore for up to 180 days.” What’s more, violations of Fla. Stat. § 501.171 are also considered to be unfair and deceptive trade practices under other applicable legislation within the state.
Despite the fact that the state of Florida was one of the last states within the U.S. to enact legislation concerning the regulation of security breaches, the provisions set forth in the law prodigy residents of the state with a substantial amount of protection as it pertains to such occurrences. As a monetary fine of up to $500,000 is extremely high, even in the context of comprehensive data protection legislation, business entities within Florida will be faced with steep penalties should they fail to comply with the law. As such, residents can have the peace of mind in knowing that they have the legal means to protect themselves should any of their personal information become compromised during the course of a security breach.
