When Cybersecurity Goes Wrong: Breach Notice Obligations Under the Florida Information Protection Act.

Author: Hartsfield, Shannon B.

Sometimes even with thorough cybersecurity policies and procedures, something goes wrong. With the rise of ransomware (1) and phishing attacks, (2) as well as the prevalence of incidents caused by human error, (3) companies (and law firms) handling personal data of Florida residents may fall victim to data breaches. When faced with signs of a security incident, companies must take steps to prevent or mitigate harm. Even in situations in which a data leak is not the fault of the organization, Florida law generally requires that commercial and government entities report data breaches to affected individuals in Florida and possibly to the Florida Office of the Attorney General and credit reporting agencies.

The Florida Information Protection Act

For a number of years, Florida has required companies experiencing data breaches to report those breaches to affected individuals. Effective July 1, 2014, Florida's prior data breach notification law (4) was repealed and replaced by the broader and more stringent requirements enacted by the Florida Information Protection Act (FIPA), which are codified at F.S. [section]501.171. FIPA addresses breaches of security, defined as "unauthorized access of data in electronic form containing personal information." (5) The term "personal information," in turn, covers a broad range of data. It includes an individual's first name or first initial and last name in combination with any one of a long list of financial, government, insurance, or medical identifiers. (6) Personal information also includes login information, such as a user name or email address in combination with a password or security question and answer, that would enable access to an online account. (7) However, personal information does not include information or data about an individual that has already been made public by a government entity. Also exempt from FIPA's reach is information that is rendered unusable by unauthorized third parties, such as through encryption or removal of personal identifiers. (8)

Breach Response Obligations

For companies experiencing a data breach, FIPA requires quick action to assure compliance and to avoid potential financial penalties. Although FIPA does not provide for a private right of action for affected individuals, (9) violations are subject to civil penalties starting at $1,000 per day for certain infractions--and liability under FIPA can reach as high as $500,000 per breach when a covered entity fails to...
