Florida’s New Data Privacy, Security and Breach Notification Law Effective July 1st, 2014

The “Florida Information Protection Act of 2014” (FIPA) was signed into law by Florida Governor Rick Scott on June 20, 2014 and takes effect on July 1st, 2014. With overwhelming support by the legislature, FIPA replaces Florida’s existing data breach notification law with an increased scope. The main points of the new requirements follow:

  1. Shorter time to notify Florida residents of a breach. The deadline was 45 days and is now 30 days.
  2. The definition of “personal information” has been expanded.
  3. Covered entities go beyond healthcare providers and include any company, association, or commercial or governmental entity that acquires, maintains, stores or uses personal information of Florida residents.
  4. Mandatory notice required to the Florida Department of Legal Affairs (Attorney General) within 30 days of a breach plus evidence of proactive steps taken.
  5. Covered entities and third-party vendors are now required to take reasonable measures to protect and secure personal information.
  6. A covered entity may qualify for a federal regulatory exemption if it provides notification in accordance with the rules of its primary federal regulator. Do not assume that the federal regulatory exemption applies. You must still comply with FIPA.
  7. Third-party vendors are also subject to FIPA and must notify the covered entity within 10 days of a breach.
  8. Fines may also be levied by the Department of Legal Affairs, which can seek a $10,000 fine for each willful violation, along with attorney’s fees and costs.

A covered entity can take proactive steps to ensure the security of personal information and comply with FIPA. It is highly recommended that a covered entity do the following:

  1. Revise or re-write your privacy and security policies and procedures.
  2. Revise or implement your Incident Response Plan.
  3. Perform periodic vulnerability and risk assessments.
  4. Perform thorough business associate and vendor due-diligence.
  5. Conduct periodic employee privacy and information security awareness training.

Being proactive means taking action now before a breach might occur. Work with an experienced, knowledgeable partner who can help you navigate the world of data privacy and security. It will be interesting to see which other states follow suit, or have already done so, to protect residents’ personal information.