Newfound Security Breach Law in the State of Florida

Fla. Stat. § 501.171 is a security breach notification law that was passed in the U.S. state of Florida in 2014. Prior to its enactment, the state of Florida had yet to pass any legislation pertaining to security breaches. The law establishes the protocol that individuals, businesses, and organizations are required to follow should a security breach take place. It also sets forth the punishments that can be imposed against parties that fail to comply with its provisions on the handling of security breaches and related incidents.

How is a security breach defined under Fla. Stat. § 501.171?

Under Fla. Stat. § 501.171, a security breach is broadly defined as “the unauthorized access of data in electronic form containing personal information.” Conversely, the “good-faith access of PI by an employee or agent of the Entity is not a breach of the security of the system, provided the information is not used for a purpose unrelated to the business or subject to further unauthorized use.” Moreover, as it concerns the scope and applicability of the law, Fla. Stat. § 501.171 is applicable to any “sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.”

What are the security breach notification requirements under Fla. Stat. § 501.171?

Under Fla. Stat. § 501.171, a business entity that experiences a security breach is required to notify all affected residents within the state, as well as the Department of Legal Affairs and the three major credit bureaus within the U.S. in instances where the breach affects more than 500 or more than 1,000 residents within the state, respectively. To this end, security breach notifications that are provided to residents within Florida must include the following information:

Alternatively, data breach notices that are provided to the Florida Department of Legal Affairs must also contain the following information:

What types of personal information are protected under Fla. Stat. § 501.171?

Under the provisions of Fla. Stat. § 501.171, the following data elements are legally protected in the event that a security breach takes place, in combination with a Florida resident’s first name or first initial and last name:

What are the penalties for violating Fla. Stat. § 501.171?

The provisions laid out in Fla. Stat. § 501.171 are enforceable by the Florida attorney general, who has the authority to impose penalties against entities within the state that are found to be in violation of the law. Such punishments include a monetary fine of up to $500,000, including a $1,000 fine for each day in which a security breach goes unreported, as well as a fine of up to “$50,000 for each 30-day period or portion thereof for up to 180 days.” What’s more, violations of Fla. Stat. § 501.171 are also considered to be unfair and deceptive trade practices under other applicable legislation within the state.

Despite the fact that the state of Florida was one of the last states within the U.S. to enact legislation concerning the regulation of security breaches, the provisions set forth in the law provide residents of the state with a substantial amount of protection as it pertains to such occurrences. As a monetary fine of up to $500,000 is extremely high, even in the context of comprehensive data protection legislation, business entities within Florida will be faced with steep penalties should they fail to comply with the law. As such, residents can have peace of mind knowing that they have the legal means to protect themselves should any of their personal information become compromised during the course of a security breach.
