Florida’s new data breach law, the Florida Information Protection Act of 2014 (“FIPA”), applies to any entity that holds personal information about Floridians. The holder of this personal information is referred to as a “covered entity.” The law also applies to “third-party agents,” which are entities contracted to provide a service that gives them access to Floridians’ personal information. For example, a billing company would be a third-party agent of a medical practice.
FIPA puts new, stringent notice requirements on covered entities. Upon determining that a breach has occurred, notification to the affected individuals must be made within thirty (30) days. The Florida Department of Legal Affairs or a law enforcement agency may authorize a delay in notification. Further, if the covered entity determines that the breach will not result in identity theft or financial harm (after consulting with law enforcement), notification may be delayed. Third-party agents are required to notify the applicable covered entity within 10 days of determining that a breach occurred.
In the event that over 500 individuals’ personal information is affected by a breach, the covered entity must notify the Florida Attorney General’s office in writing. If a breach affects over 1,000 individuals, the covered entity must also contact the consumer reporting agencies.
Failure to comply with FIPA can result in fines of up to $500,000 per breach as well as an action brought by the AG’s Office for unfair or deceptive trade practices.
How to Comply
FIPA is more stringent than Florida’s previous data breach laws, which means current security protocols should be updated to comply. Covered entities should ensure that they have written information security programs and incident response plans in place. Further, covered entities’ employees must understand their roles and obligations so that they can respond quickly to a data breach. Covered entities should also ensure that their third-party agents have security measures in place.
For Healthcare Providers
Although FIPA applies to all entities holding personal information, healthcare providers are especially at risk of data breaches due to the sheer volume of sensitive personal information they hold. The FIPA requirements are very similar to the updated HIPAA rules that became effective in September 2013. In some cases, FIPA requires quicker notification of a breach than HIPAA does. For compliance with both FIPA and HIPAA, written security protocols and a written plan for responding to a breach are key to meeting the regulations and preparing for a breach.