Florida Information Protection Act: What consumers need to know

The Florida Information Protection Act went into effect July 1, 2014, and is intended to enhance protection of personal information of Floridians, by both businesses and government agencies. The law updates data breach and data security laws, in light of well-publicized data breaches that have impacted millions of Americans in recent years.

Here are the top five things consumers should know about the Florida Information Protection Act:

1. This law imposes data protection and breach reporting requirements on essentially any type of business with which consumers interact on a daily basis (retail, services, professionals, etc.), as well as governmental agencies, provided such businesses/agencies store, maintain, or use a consumer's "personal information." This term is defined as the person's first name/first initial and last name in combination with any one of the following:

A. Social Security number;
B. Driver's license number, identification card number, passport number, military ID number, or other similar number issued on a government document used to verify identity;
C. Financial account number, such as credit or debit card number, in combination with any security code or password required for access to the account;
D. Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
E. Health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
OR
A. User name or email address in combination with a password or security question and answer that would permit access to an online account.

IMPORTANT NOTE: The term "personal information" does not include information that is encrypted, or that has otherwise had identifying characteristics removed or been rendered unusable. To put it another way, the law applies only to personal information that is unencrypted or otherwise still identifies the consumer. This law was therefore written in part to encourage businesses and agencies in Florida to encrypt and de-identify personal information.

2. This law also applies to companies in other states (or other countries) that involve Florida residents, regardless of how many are affected in a data breach.

3. Businesses/agencies are now required to take "reasonable measures" to protect and secure data in electronic form that contains personal information (as defined above).

4. Consumers (no matter how small or large the number of affected consumers) must be notified within 30 days from the time the breach is discovered by the business/government agency, although law enforcement authorities may extend the notification period if they believe doing so would aid a pending investigation of the breach (i.e., not tipping off the cyber criminals too quickly). A company may also not be required to notify consumers of the breach if it reasonably determines (upon consultation with law enforcement and investigation) that no affected consumer is likely to suffer identity theft or other financial harm. However, the company must provide written support for this decision, to be filed within 30 days with the Florida Legal Affairs Department.

5. This law does NOT create a private cause of action (i.e., a basis for a lawsuit by an affected consumer), but it imposes civil penalties on any business failing to provide adequate notice as follows:

A. $1,000.00 per day for the first 30 days;
B. $50,000.00 for each 30-day period thereafter, up to 180 days;
C. $500,000.00 as the maximum penalty for violations beyond 180 days.

Consumers may file an online complaint with the Consumer Protection Division of the Florida Office of the Attorney General or contact the office toll free at 866-966-7226.