Florida’s new data breach notification law


Image Source: Threat Metrix

I recently blogged about how, in the absence of a federal data breach notification law, 46 of the 50 states have now followed the pioneering example of California, which introduced its Security Breach Information Act in 2002, and enacted their own legislation.

Florida has recently revised its data protection provisions.

The Sunshine State’s new data breach notification law, the Florida Information Protection Act of 2014, became effective July 1, 2014, repealing previous data protection legislation and expanding the requirements on covered entities, particularly those relating to the notification of data breaches.

Florida’s Attorney General Pam Bondi said in an April news release, “With the Senate’s approval of this bill, Florida consumers are one step closer to better protection from data breaches that can threaten the security of their identities and wreak havoc on their finances. This proposed legislation will expedite the reporting time for companies and government agencies when consumers’ personal information is compromised in order to allow them to protect themselves from fraudulent activity.”

Under the new legislation, covered entities must now report data breaches to affected parties within 30 days of their discovery rather than the 45 days stipulated by the previous statute, and if more than 500 individuals are affected by a breach, covered entities and third-party agents must notify the Florida Department of Legal Affairs (DLA) as well. Failure to comply with the new notice regulations could lead to fines of up to $500,000.

The definition of ‘personal information’ now includes personal login information that permits access to individuals’ online accounts and, in a move that will affect health care providers, has also been expanded to include information regarding individuals’ medical history, mental or physical condition, medical treatment or diagnosis, and health insurance policy number. Health care organizations that operate in Florida must comply with the new law as well as HIPAA.

If your organization collects or processes Floridians’ data, you must ‘take reasonable measures to protect and secure’ it, and must ensure its proper disposal when no longer required. You can do this with an Information Security Management System (ISMS), as described in the international best-practice Standard ISO27001.

Visit our information pages for more guidance about how ISO27001 can help your organization meet its data security obligations.