Florida raises the bar on data privacy

On June 20, 2014, the “Florida Information Protection Act of 2014” (FIPA) was signed into law by Florida Governor Rick Scott, after it received unanimous support by the legislature. FIPA will take effect on July 1, 2014 and will replace Florida’s existing data breach notification law. FIPA dramatically increases the breadth of Florida’s data breach notification law. This Alert highlights these new requirements.

Shorter timeline to notify With the passage of FIPA comes a shorter timeline to notify affected Florida residents. Florida’s prior breach notification law allowed notice within 45 days. Now, FIPA requires that Florida residents be notified within 30 days after the determination of a breach (or reason to believe a breach occurred). In addition, FIPA contains certain content requirements for written breach notification letters to Florida residents.

Expanded definition of “Personal Information” FIPA expands the definition of “Personal Information” to also include an individual’s first name or first initial and last name in combination with any of the following:

• Passport number
• Medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
• An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual

FIPA also includes in its definition of “Personal Information” a user name or email address coupled with a password or a security question and answer that would permit access to an online account. This addition, which was first added by California, makes vulnerable any entity that stores login information for individuals. Thus, a breach can occur even though traditionally thought of sensitive information has not been compromised. This expanded definition will pull in far more entities than previously subject to Florida’s data breach law.

Social Security number, driver license number, account number, and credit or debit card number remain in the definition of Personal Information.

FIPA applies to “covered entities” – healthcare or not Although confusing at first, FIPA borrowed the term “covered entity” from HIPAA and obligates any company, association or commercial (or governmental) entity that acquires, maintains, stores or uses personal information of Florida residents to comply with Florida’s new law. In addition, FIPA’s expanded definition of “Personal Information” affects not only commercial businesses, but healthcare providers and health plans (i.e., the more well-known “covered entities”). Specifically, HIPAA covered entities may now have to comply with Florida’s state breach notification law in addition to HIPAA’s notification requirements. Although FIPA includes a provision that exempts a HIPAA covered entity if it complies with federal regulatory notification requirements, there are some circumstances in which a HIPAA covered entity may fall inside the scope of FIPA but outside the scope of the HIPAA breach notification rule (see explanation regarding the Federal Regulatory Exemption below). Consequently, a HIPAA covered entity that is under the presumption that it has 60 days to notify may be shocked to find that it may have just 30 days to notify under FIPA.

Mandatory notice to Florida Attorney General and production of proactive measures FIPA has also added a requirement that if a covered entity experiences a breach affecting 500 or more individuals in Florida, written notice of the breach is required to the Florida Department of Legal Affairs, within 30 days (with an additional 15 days upon a showing of good cause). In addition, upon request by the Attorney General, the entity must provide:

• A police report, incident report, or computer forensics report;
• A copy of the policies in place regarding breaches; and/or
• Steps that have been taken to rectify the breach.

If the covered entity fails to comply with the AG’s request, the same penalties for failure to notify individuals and the Department of the breach can be imposed against the covered entity. Specifically, in the first 30 days of non-compliance, a covered entity can be fined $1,000 per day for the first 30 days, and then $50,000 for each subsequent 30-day period for up to six (6) months (with a cap of $500,000).

Even if the covered entity determines that the breach has not and will not likely result in identity theft or financial harm to the individuals whose personal information has been accessed, the Florida Attorney General still wants written notice of this determination within 30 days.

Proactive measures are now required FIPA now explicitly requires covered entities to take reasonable measures to protect and secure personal information. Covered entities (and third-party vendors) must take reasonable measures to protect and secure electronic personal information. Florida’s prior breach notification law did not impose this requirement. Florida’s legislature is now making it clear that it expects covered entities to take proactive measures to protect its residents’ personal information. Moreover, organizations are required to take all reasonable measures to dispose of customer records containing personal information (regardless of the physical form – electronic or hardcopy).

Even though FIPA does not specifically designate a penalty for failure to implement proactive measures, the Department can utilize the Unfair and Deceptive Trade Practices statute to punish dilatory entities (see below).

Federal regulatory exemption

FIPA provides that a covered entity is not required to provide notification to individuals if the covered entity provides notification in accordance with the rules, regulation, procedures, or guidelines established by the covered entity’s primary or functional federal regulator. Under this exemption, HIPAA covered entities appear to be exempt from FIPA if they comply with HIPAA. A closer reading, however, demonstrates that this exemption is not always applicable.

FIPA’s exemption to notifying individuals if a HIPAA covered entity complies with federal regulatory notification requirements applies only if the covered entity actually notifies the individuals. Thus, if a covered entity does not notify an individual in accordance with HIPAA, then FIPA’s exemption does not apply. This may occur when a covered entity determines that notification under HIPAA is unnecessary, yet notification under FIPA is still required. Loophole closed!

If a HIPAA covered entity does notify under the HIPAA breach notification rule, the Florida Attorney General still must receive notice of the breach.

Third-party vendor notification

Under FIPA, third-party vendors that experience a breach must now notify the covered entity of the breach within 10 days following determination of the breach or reason to believe the breach occurred. Vendors are statutorily obligated to provide the covered entities with all information it has regarding the breach so that the covered entity can comply with its notice requirements.

The vendor may provide notice to the Florida residents on behalf of the covered entity. However, if the vendor violates any part of FIPA’s notice requirements, the covered entity is still held responsible.

Unfair and deceptive trade practices Florida’s prior breach notification law only permitted the Department of Legal Affairs to levy fines against covered entities as set forth in the statute. Now, the Department has another arrow in its quiver – Florida’s Unfair and Deceptive Trade Practices statute. As briefly mentioned above, FIPA now authorizes the Department of Legal Affairs to bring an action under Fla. Stat. § 501.207 for unfair and deceptive trade practices against covered entities and third-party vendors when such entities experience a data breach. Indeed, FIPA provides that a violation of FIPA “shall be treated as an unfair or deceptive trade practice.”

Under Florida’s Unfair and Deceptive Trade Practices statute, the Department of Legal Affairs can seek a $10,000 fine for each willful violation, along with attorney’s fees and costs in connection with the litigation. Importantly, although FIPA provides that it does not create a private cause of action, Florida’s Unfair and Deceptive Trade Practices statute states that any aggrieved person may bring an action for appropriate relief. That relief can come in the form of actual damages, attorney’s fees, and costs. Consequently, even though a private cause of action cannot be maintained under FIPA, Florida’s Unfair and Deceptive Trade Practices statute explicitly permits such a lawsuit. And, because FIPA identifies a FIPA violation as an unfair and deceptive trade practice, plaintiffs will likely latch onto that language to bring a cause of action under the Unfair and Deceptive Trade Practices statute. In sum, this provision may result in increased fines levied by the Department of Legal Affairs and lawsuits filed by individual plaintiffs.

Takeaways The following are just a few recommended proactive steps you should take today:

• Perform risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of all personal information
• Implement/update privacy and security policies and procedures
• Implement policies and procedures to identify and respond to data privacy incidents, including your Incident Response Plan
• Identify and review all vendor and business associate relationships and ensure that appropriate vendor or business associate agreements are in place
• Train members of the workforce
• Encrypt personal information
• Avoid unnecessary disclosures of personal information
• Obtain (or at least determine the feasibility of) cyber insurance

These points were adapted from a McDonlad Hopkins alert.