On the heels of recent nationwide data breaches of consumer personal information, the Florida State Senate has proposed SB 1524, which, if adopted, will become effective on July 1, 2014. The bill would revamp and replace existing state data security law and, in particular, impose a statutory requirement to safeguard personal information, a duty to report a breach to the Attorney General, and other affirmative obligations. In doing so, Florida follows recent similar legislative developments in California, New Mexico, Iowa, and Kentucky.
Existing law provides that any person who conducts business in the state of Florida and maintains computerized data in a system which includes personal information (an individual’s first name or initial and last name, in combination with: (i) a social security number; (ii) a driver’s license or identification card number; or (iii) an account number, credit or debit card number in combination with any required security code or password to access the account) shall provide notice of a security breach of the system to all affected individuals without unreasonable delay, but not later than forty-five (45) days following determination of the breach. Notification is not required if, after an appropriate investigation or after consulting with relevant law enforcement, the person conducting business in the state reasonably determines that the breach has not and will not likely result in harm to the individuals whose personal information has been acquired and accessed. This determination must be documented in writing and maintained for five (5) years.
The bill proposes the following significant changes to existing law:
- Borrowing from a recent change to the law in California, the term personal information would also include an individual’s user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
- Clarification that a covered entity means a sole proprietor, partnership, corporation, estate, cooperative association or any other commercial entity that acquires, maintains, stores, or uses personal information.
- In the event of a data breach affecting 500 or more Floridians, written notice to the Attorney General would be required no later than thirty (30) days after the determination that a breach has occurred or reason to believe one occurred. Additionally, upon request, a covered entity would be required to provide to the Attorney General a copy of its policies in place regarding breaches, steps taken to rectify the breach, and a police report, incident report, or computer forensics report.
- Notice to individuals would be required as expeditiously as possible, but no later than thirty (30) days from discovery of the breach, when the individual’s personal information was, or the covered entity reasonably believes it was, accessed as a result of a breach.
- Notice is not required if, after the covered entity conducts an appropriate investigation and consults with relevant law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to affected individuals. This determination must be documented in writing, maintained for at least five (5) years, and provided to the Attorney General within thirty (30) days after the determination has been made.
All businesses maintain personal information in some form on the individuals they employ and those with whom they conduct business. Because data breaches are becoming more prevalent and continue to raise the risk of identity theft and other harms to individuals, states like Florida are stepping up their enforcement efforts on behalf of their residents. Businesses should take the time to be sure they appropriately safeguard the personal information of customers, employees, and other individuals, and that they are prepared to respond to a breach should they experience one.