The Florida legislature has decided to take a more aggressive approach to identity theft. A new law that went into effect on July 1, 2014, the Florida Information Protection Act of 2014 (“FIPA”), places more stringent notification obligations on most businesses and increases the fines and penalties for non-compliance.
FIPA is at the same time broader and simpler than the Health Information Portability and Protection Act (“HIPAA”). While HIPAA applies to businesses that deal with protected healthcare information, FIPA applies to virtually all businesses that have access to or store certain personal information of individuals in Florida.
What is that “personal information”? There are two categories:
Category A: A person’s last name and first name or first initial PLUS one of the following:
- Social security number
- Driver’s license number
- Identification card number
- Passport number
- Military identification number
- Other identification number on a government document
- Financial account number AND security code, access code, or password
- Credit or debit card number AND security code, access code, or password
- Information regarding medical history
- Information regarding mental or physical condition
- Information regarding medical treatment or diagnosis by a health care professional
- Health insurance policy number, identification number, or other identifier
Category B: A person’s user name OR email address PLUS a password OR a security question answer that would allow access to an online account.
Because the definition of personal information is so broad, most businesses will find that FIPA applies to them. For example, a business that takes credit card payments will have a person’s credit card number, the expiration date and the access code on the back of the card. In addition, all businesses that have employees will have the employee’s name, social security number, and identification number(s), because that information is required on Form I-9.
PROTECTING THE DATA
FIPA requires a business to protect the “personal information” stored in electronic form by taking “reasonable measures.” FIPA does not define “reasonable measures” but businesses should implement certain common-sense policies and procedures.
In addition, FIPA has requirements for the disposal of records once the data is no longer needed. A business must shred, erase, or otherwise modify the personal information in the records so that it is unreadable or undecipherable through any means.
REPORTING A BREACH OF SECURITY
While FIPA does not give much guidance on how to protect personal information, it is very detailed when it comes to a breach of security. Once a breach or suspected breach occurs, certain notification requirements are triggered.
Required notices may include personal notices to affected individuals, notices to the Department of Legal Affairs, notice to law enforcement, and notice to credit reporting agencies. In some circumstances, detailed reports must be submitted in the notice. In any event, a breach or suspected breach of security will cost a business a significant amount of resources.
If your business suffers a breach or suspects a breach of security, it is prudent to address the situation immediately. There are strict time limits for reporting and issuing notices. Failure to comply with the requirements in FIPA can result in fines and penalties up to $500,000.00.
While FIPA does not authorize a private cause of action for an individual to sue, lawsuits could potentially be filed against a business for breach of security on the basis of other causes of action, including without limitation, negligence, breach of contract, and breach of fiduciary duty. Therefore, the advice of a qualified attorney is recommended.
RESPONSIBILITY FOR YOUR VENDORS AND SERVICE PROVIDERS
If you hire a vendor or service provider to maintain, store or process “personal information” on your behalf, you are still responsible for its protection. As far as FIPA is concerned, your vendor or service provider has an obligation to notify you of any breach. Then it is your responsibility to make the required notifications mentioned above. The fines and penalties would apply to you if you fail to meet FIPA’s requirements.
Therefore, it is very important that you choose your vendors and service providers carefully and make sure that you have a written contract that obligates them to protect the personal information entrusted to them. Ideally, the contract should set out the specific actions the vendor or service provider is required to take, including meeting the notification deadlines in FIPA.
IMPORTANT TO REMEMBER
It is important to remember that the size of a business does not matter. FIPA applies to every business that collects, accesses or stores “personal information.” It does not matter whether the business is based in Florida or has a presence in Florida or has any connection to Florida. What matters is whether the business has the personal information of an individual who is in Florida.
While FIPA may seem short and sweet at a glance (see Section 501.171 of the Florida Statutes), its reach is broad and its penalties for non-compliance are steep. In time, we are sure to see how FIPA is implemented, enforced, and eventually challenged or interpreted by the courts. For now, businesses need to be aware of the requirements and implement the necessary policies and procedures to comply.