When Cybersecurity Goes Wrong: Breach Notice Obligations Under the Florida Information Protection Act
Sometimes even with thorough cybersecurity policies and procedures, something goes wrong. With the rise of ransomware[1] and phishing attacks,[2] as well as the prevalence of incidents caused by human error,[3] companies (and law firms) handling personal data of Florida residents may fall victim to data breaches. When faced with signs of a security incident, companies must take steps to prevent or mitigate harm. Even in situations in which a data leak is not the fault of the organization, Florida law generally requires that commercial and government entities report data breaches to affected individuals in Florida and possibly to the Florida Office of the Attorney General and credit reporting agencies.
The Florida Information Protection Act
For a number of years, Florida has required companies experiencing data breaches to report those breaches to affected individuals. Effective July 1, 2014, Florida’s prior data breach notification law[4] was repealed and replaced by the broader and more stringent requirements enacted by the Florida Information Protection Act (FIPA), which are codified at F.S. §501.171. FIPA addresses breaches of security, defined as “unauthorized access of data in electronic form containing personal information.”[5] The term “personal information,” in turn, covers a broad range of data. It includes an individual’s first name or first initial and last name in combination with any one of a long list of financial, government, insurance, or medical identifiers.[6] Personal information also includes login information, such as a user name or email address in combination with a password or security question and answer, that would enable access to an online account.[7] However, personal information does not include information or data about an individual that has already been made public by a government entity. Also exempt from FIPA’s reach is information that is rendered unusable by unauthorized third parties, such as through encryption or removal of personal identifiers.[8]
Breach Response Obligations
For companies experiencing a data breach, FIPA requires quick action to assure compliance and to avoid potential financial penalties. Although FIPA does not provide for a private right of action for affected individuals,[9] violations are subject to civil penalties starting at $1,000 per day for certain infractions — and liability under FIPA can reach as high as $500,000 per breach when a covered entity fails to provide a required notice and the violation continues for more than 180 days.[10] Violations are also treated as unfair or deceptive trade practices in any action brought by the Florida Attorney General’s Office and are further subject to the remedies available under F.S. §501.207 of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA).[11]
A third-party agent that maintains, stores, or processes personal information on behalf of a covered entity or the government[12] has only 10 days at most to notify the covered entity of the breach. The clock starts ticking when the third-party agent determines that there has been a breach or has reason to believe the breach occurred.[13] A “covered entity,” which is a commercial entity “that acquires, maintains, stores, or uses personal information,”[14] generally has only 30 days to provide notice to individuals, although there are certain limited exceptions.[15] For example, notice may be delayed if law enforcement determines it would interfere with a criminal investigation.[16] The covered entity may also receive an additional 15 days if it provides the attorney general with a written explanation of good cause for the delay.[17] Additionally, a covered entity has more time to provide notice if the covered entity is following “rules, regulations, procedures, or guidelines established by the covered entity’s primary or functional federal regulator.”[18] For example, a covered entity subject to the regulations of the Federal Department of Health and Human Services’ Office for Civil Rights, which implement HIPAA and the HITECH Act, has 60 days to notify affected individuals.[19] Although some may argue that FIPA’s 30-day requirement is more stringent and should preempt the federal HIPAA rules,[20] the plain language of subsection 4(g) of FIPA indicates that following federal notice requirements complies with FIPA. Therefore, HIPAA-covered entities should have 60 days to report a breach under FIPA.
Covered entities may avoid notice altogether if it is reasonable to conclude that the breach has not and will not result in financial harm to the individuals, such as identity theft. FIPA states that this determination may be made “after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies.”[21] For some breaches, however, there may not be a “relevant” law enforcement agency. For example, if a covered entity inadvertently sends personal information to the wrong third party, but that third party is trustworthy and provides assurances that the information was not improperly used or further disclosed, it may be reasonable to determine that there is no risk of financial harm — and it is unlikely a law enforcement agency would be involved or available for a “consultation” as there has been no criminal act. Regardless, if the covered entity determines no notice is required under the circumstances, the determination must be documented in writing and maintained for at least five years. Further, there is still at least one required notice that must be provided, as the covered entity must notify the Department of Legal Affairs within 30 days of the determination that identity theft or any other financial harm from the breach is unlikely.[22]
In addition to notifying affected individuals, FIPA requires additional notices for certain breaches. If a breach affects 500 or more Floridians, the Department of Legal Affairs must receive notice within 30 days after the determination of the breach or reason to believe a breach occurred.[23] If more than 1,000 individuals must receive notice at a single time, national consumer reporting agencies also must be notified regarding the timing, distribution, and content of the notices.[24]
Security Obligations
Even if a company has not yet experienced a data breach, or does not maintain electronic records, it may still be subject to certain obligations under FIPA. Specifically, all covered entities and third-party agents must use precautions when disposing of “customer records.” While FIPA’s breach-reporting obligations only apply to electronic data, “customer records” include any material, regardless of physical form, that has been used to record or preserve personal information that an individual in Florida gives to a covered entity “for the purpose of purchasing or leasing a product or obtaining a service.”[25] FIPA requires proper disposal of personal information by shredding, erasing, or taking other steps to make the data unreadable or undecipherable.[26]
Other Important Steps
Covered entities, and their third-party agents, that are faced with a breach should consider taking a number of other measures beyond merely providing the notices required under FIPA. Depending on the nature of the personal information involved and the surrounding circumstances, other mitigation steps may be required to minimize harm to affected individuals. Some examples include offering identity theft protection or credit monitoring. Companies should also assess potential risks and threats to personal information in their possession on a regular basis, to determine how breaches can be avoided in the future, as part of continually analyzing and updating their relevant practices, policies, and procedures. Attempting to prevent future breaches and taking mitigation steps beyond FIPA’s requirements can reduce the likelihood of class action lawsuits and reputational damage to organizations that maintain sensitive data.
[1] See Cybersecurity & Infrastructure Security Agency Alert (AA22-040A), 2021 Trends Show Increased Globalized Threat of Ransomware (Feb. 10, 2022), available at www.cisa.gov/uscert/ncas/alerts/aa22-040a; John Sakellariadis, Behind The Rise of Ransomware, Atlantic Council (Aug. 2, 2022), available at www.atlanticcouncil.org/in-depth-research-reports/issue-brief/behind-the-rise-of-ransomware/.
[2] See Charlotte Tureman, Phishing Attacks Increase By Over 31% In Third Quarter: Report, CSO (Oct. 28, 2022), available at www.csoonline.com/article/3678311/phishing-attacks-increase-by-over-31-in-third-quarter-report.html.
[3] Scott Ikeda, Verizon 2022 DBIR: 4 of 5 Data Breaches Caused by “Human Element,” Business Partners Involved in 3 of 5, CPO Magazine (May 27, 2022), available at www.cpomagazine.com/cyber-security/verizon-2022-dbir-4-of-5-data-breaches-caused-by-human-element-business-partners-involved-in-3-of-5/.
[4] Fla. Stat. §817.5681 (2013); see also Laws of Fla. Ch. 2014-89 §2 (2014), available at http://laws.flrules.org/2014/189.
[5] Fla. Stat. §501.171(1)(a) (2022).
[6] Fla. Stat. §501.171(1)(g)1.a (2022).
[7] Fla. Stat. §501.171(1)(g)1.b (2022).
[8] Fla. Stat. §501.171(1)(g)2 (2022).
[9] Fla. Stat. §501.171(10) (2022).
[10] Fla. Stat. §501.171(9)(b) (2022).
[11] Fla. Stat. §501.171(9)(a) (2022).
[12] Fla. Stat. §501.171(1)(h) (2022).
[13] Fla. Stat. §501.171(6)(a) (2022).
[14] Fla. Stat. §501.171(1)(b) (2022).
[15] Fla. Stat. §501.171(4)(a) (2022).
[16] Fla. Stat. §501.171(4)(b) (2022).
[17] Fla. Stat. §501.171(3)(a) (2022).
[18] Fla. Stat. §501.171(4)(g) (2022).
[19] 45 C.F.R. §164.404(b).
[20] See 45 C.F.R. §160.203(b) (indicating that state law preempts HIPAA if state law is more stringent with respect to protecting the individual’s privacy); see also 45 C.F.R. §160.202 (defining “more stringent”).
[21] Fla. Stat. §501.171(4)(c) (2022).
[22] Id.
[23] Fla. Stat. §501.171(3)(a) (2022).
[24] Fla. Stat. §501.171(5) (2022).
[25] Fla. Stat. §501.171(1)(c) (2022).
[26] Fla. Stat. §501.171(8) (2022).