If your business stores personal information of Florida residents, you must be aware of a new Florida statute that has created specific reporting requirements in the case of a data breach. Failure to comply can result in significant fines of up to half a million dollars. This newly passed Florida Information Protection Act of 2014 requires that any data breach affecting 500 or more individuals must now be reported to the Florida Department of Legal Affairs. The individuals whose data was exposed must be notified as well. Shumaker’s Data Breach Team is prepared to assist in the event such a data breach occurs, as well as to provide advice in avoiding such situations.
The Florida Information Protection Act of 2014 became effective July 1, 2014 (F.S. 501.171). Florida expands the definition of “personal information” to include:
- email addresses and account numbers with passwords
- first and last names with health or medical information
- social security and driver license numbers
- online account credentials
A breach can occur in numerous ways including but not limited to hacking, lost laptops, iPads or iPhones, or theft by an employee who may be departing for a competitor. The law requires notification concerning breaches to be made to the State Attorney General and the affected individuals within 30 days. Violations of the new law’s requirements can subject businesses to fines as significant as $500,000.
The new law affects all businesses that store the personally identifiable information of Florida residents (“Covered Entities”) and is intended to force businesses to prevent data breaches and secure the personal information they handle. All Covered Entities should take immediate steps to adopt and implement an appropriate data breach plan that complies with the new statute. The probability of a data breach increases over time, and failure to promptly take action in the event of a breach could have disastrous results for your business.
Recent newsworthy data breaches at Target, Home Depot and J.P. Morgan prove that even the most sophisticated businesses are not immune to data breaches. In light of the new stringent requirements of Florida law, it is clear that policies, procedures and security measures used in the recent past are not likely to meet governmental expectations and requirements going forward.
Shumaker, Loop & Kendrick, LLP’s Data Breach Team recognizes that when a data breach occurs, it is quite possibly the most serious threat a business can face and that liability for such a breach could be catastrophic. Often, one of the most critical determinations is whether there was even a breach, as defined by the statute. This determination should be made with the advice of experienced counsel, as it can have serious ramifications.
Shumaker’s Data Breach Team has the experience and ability to quickly address any potential breaches and provide the following services:
- Due diligence and assessment of reasonable measures required to protect and secure personal information
- Identification and containment of potential breaches
- Legal risk assessment and strategic risk mitigation advice
- Breach response plan, including coordination of any required notifications to Attorney General, affected individuals and credit agencies
- Legal representation through investigation, enforcement and any subsequent litigation directed towards the person(s) who compromised the personal information