April 14, 2014

Florida statute mandates quick notification to individuals affected by a breach

Nowadays everything is done electronically. To make things even easier, large amounts of data are stored and accessed in the cloud. Although this is considered more secure, there are no guarantees. States are taking more precautions than ever to address personal data security, which means businesses must make several times the effort toward securing customer data.

According to an article in the Miami Herald, the state of Florida has come up with a statute that mandates quick notification to individuals affected by a breach. Florida statute 817.5681 says that very high fines will be imposed if a business does not report a breach of personal information to the affected individual as soon as it discovers the breach.

Personal information would be:

  • The first and last name of a person
  • Social Security number
  • Driver’s license or Florida Identification Card number or
  • Account number, credit card number, or debit card number and a required security code or password that would permit access to the relevant account.

Failure to inform the individual within 45 days of an occurrence could result in:

  • $1,000 for each day the breach goes undisclosed for 30 days
  • $50,000 for each 30-day period for up to 180 days
  • A maximum of $500,000, if notification is not made within 180 days
  • These fines are per breach, not per individual affected by the breach

However, there are a few exceptions to the requirement to notify an individual, such as when notification would impede an investigation or when an enforcement agency determines that the breach is not going to affect the individual in any way. The determination should be in writing and valid for 5 years.

Given that these statutes have just been released, businesses are advised to seek legal advice to clearly understand the statute and its implications.

 
