Florida Imposes Strict Compliance for Data Security Breach Notification Beginning July 1, 2014

A security breach may be the result of a malicious hacker, disgruntled employee, or inadvertent loss of mobile equipment such as a tablet, laptop, or smart phone if it contains personal information. If such a breach does occur, you must be prepared with a compliant data breach incident response and written policies applicable to privacy, protection, and notification. Every attorney general in every state has authority to demand these upon notification or failure to notify of a data breach. If you have these policies and plans, but they have not been reviewed or updated in the past year, now is the time to update. Several states including California, Iowa, Kentucky, New Mexico, and now Florida have overhauled the required steps a company must take when faced with a potential or actual security breach in which it is known or likely that personal information has been disclosed. The states are also broadening their definition of “personal information” to include email addresses and the like. The latest of these overhauls has occurred in Florida, who passed The Florida Information Protection Act of 2014. This law became effective July 1, 2014. The law expanded the definition of “personal information” which triggers a notification requirement by adding health insurance, medical information, financial information, and online account information, such as security questions and answers, email addresses, and passwords. Previous law covered only an individual’s name in combination with: (i) a social security number; (ii) drivers’ license or identification card number; (iii) or account number, credit, or debit card number in combination with any required security code or password to access the account.