The Florida Information Protection Act of 2014 (FIPA) expanded notification requirements on covered entities that acquire, use, store, or maintain state residents’ the personal information.

The statute, which came into effect on July 1, 2014, made several modifications to Florida law. These modifications apply to commercial and government entities, especially those that experience a data breach.

Who is Covered Under FIPA

Under FIPA, covered entities are no longer limited to organizations with a physical footprint in Florida. All associations, cooperatives, estates, trusts, corporations, partnerships, sole proprietorships, NGOs, and other commercial entities, as well as government organizations that acquire, use, store, or maintain the PII (personally identifiable information) of individuals in the state, are subject to the statute.

This means that in the event of a breach, FIPA applies to all organizations and international entities (whether they operate within the state or not) if they hold or use the personal information of individuals in Florida, regardless of the number of individuals or the volume of data.

Types of Personal Information Protected Under FIPA

FIPA contains a proactive component (which specifies what organizations must do to protect all personally identifiable information they control) and a reactive component (which specifies what must be done after an organization experiences a successful breach).

Breach, in this instance, describes the unauthorized access of electronic data that contains PII. PII refers to the combination of first initial (or first name), last name, and any of the following:

• ID card number, driver’s license, military identification number, passport number, or any such number present on a government document, which can be used to verify the identity of an individual,
• Social security number, or
• Debit/credit card number or financial account number in combination with the password, access code, or security code that allows access to an individual’s financial account.

FIPA expands the definition of PII to also include the following:

• Information pertaining to the mental or physical condition, diagnosis or medical treatment by a health care professional,
• The medical history of an individual,
• Health insurance policy numbers or subscriber identification number, and
• Other identification numbers or unique identifiers that can be used by health insurers to identify an individual.

PII also includes email addresses or usernames in combination with passwords (or Security Q&A) that can be used to gain access to an individual’s online account.

However, FIPA does not apply if the PII has been already made public, secured, encrypted, or modified in any way that renders it unusable.

FIPA Notice Requirements

FIPA reduces the time period allowed for reporting a breach from 45 days to 30 days. However, if good cause is sent in writing to the Department of Legal Affairs within 30 days of determining a breach, FIPA authorizes the department to grant an additional 15 days to provide notice.

For breaches affecting 500 persons or more, FIPA mandates entities to also provide notice of the particulars to Florida’s Department of Legal Affairs. If the number of affected persons is 1,000 or more, entities should also send notices to nationwide consumer credit reporting agencies.

Covered entities that are subject to federal regulation may defer to those applicable notice requirements provided they send the requisite notice to the Department of Legal Affairs.

To properly navigate FIPA’s notice requirements, prompt coordination with law enforcement agencies is essential. In the event of a breach, covered entities are not required to provide notice to affected individuals if it is discovered that they are unlikely to suffer financial harm or identity theft. However, such entities are still required to provide written determination to the state Legal Affairs Department within 30 days of the entity’s decision that notice to individuals isn’t required.

In some instances, law enforcement could delay the provision of required notices if they find that the notification will interfere with an ongoing criminal investigation.

FIPA Requirements for Third-Party Agents

Under FIPA, third-party agents that maintain security systems for covered entities have up to 10 days to report breaches to said entities. On receiving this notice, the affected entity becomes responsible for providing the required notices within the stipulated 30-day notice period.

Potential Penalties for Non-Compliance with FIPA

While FIPA states that it doesn’t create a private cause of action, it does contain provisions that authorize Florida’s Legal Affairs Department to bring enforcement action against entities committing statutory violations. Entities who fail to provide required notices under FIPA violate Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) and are subject to the following civil penalties:

• $1,000 a day for the first 30 days,
• $50,000 subsequently for any 30-day period up to 180 days, and
• $500,000 as the maximum amount of penalties for violations exceeding 180 days.

These penalties can be enforced for failure to comply with any of the notice requirements under FIPA, including late notice and insufficient/incomplete notice. Also, these penalties are assigned regardless of the number of persons affected by a breach.

Not only should organizations be knowledgeable about FIPA, but they should also have a general understanding of each state’s data breach laws. Since state data breach laws vary in strictness, organizations may find them confusing. Resources, such as our U.S. state data breach law guide and infographic, can help organizations to navigate these laws.

Due to the ever-evolving landscape of data breach notification statutes and laws, it is essential that organizations take proactive measures to determine what they must do in the event of a breach.