Getting Up to Speed on Florida Data Breach Law, Part 2

In the previous post, we began to summarize the key amendments to Florida’s breach notification statute, all of which should be taken into consideration when creating or updating a cybersecurity incident response plan. Remember, a breach is virtually inevitable. It is your response to a data breach incident, not the breach itself, that will ultimately determine how your organization is affected.

Noteworthy amendments to the Florida law include a 30-day deadline for notifying the Florida attorney general of a breach that affects at least 500 people; a broader definition of personal information, including medical-specific criteria; and a 30-day deadline for notifying people who have been affected by a data breach. Here are several other amendments that every business owner should know.

Access to Security Policies and Reports

Organizations must be able to produce copies of their cybersecurity and data breach policies, as well as any police, incident or forensics reports related to a breach, for the Florida attorney general upon request. Also, some of these reports may be considered exempt from public records law or protected by attorney-client privilege, such as a report that includes personal or proprietary information. As a result, organizations that haven’t updated their incident response plan since the new statute went into effect in July 2014 should make it a priority to have their processes and documentation reviewed by an attorney as quickly as possible.

Expanded Definition of Breach

A breach is no longer simply the “unlawful and unauthorized acquisition” of data. Notification is now triggered by “unauthorized access” to information. Keep in mind that today’s advanced persistent threats don’t take a “quick hit” approach to cyberattacks. Once they get into a network, they sniff around, look for access to different systems, update their malware, and eventually steal the most valuable data. Organizations that quickly identify suspicious activity in their networks can dramatically reduce the damage inflicted by the attacker. It makes sense that a notification should be triggered by access, not acquisition.

More Stringent Personal Data Protection and Disposal Requirements

Organizations and government agencies must take “reasonable measures” to secure personal information and dispose of any records that contain personal information. The new statute does specify that secure disposal of electronic data “shall involve shredding, erasing, or otherwise modifying personal information in the records to make it unreadable or undecipherable through any means.”

Monetary Penalties for Noncompliance

Failure to meet breach notification requirements could result in a fine of $1,000 per day for the first 30 days, and $50,000 for each additional 30 days. The total fine will not exceed $500,000 if the infraction continues beyond 180 days. The statute states that it does not create a private right of action.

Vendor Breach Notification Requirement

If a third party is managing, storing or processing data and suffers a breach, the third party must notify the data owner within 10 days of the breach or when they believe the breach occurred. The data owner must then notify the Florida attorney general and anyone affected by the breach.

The overall takeaway from new data breach laws and regulations is that organizations need to get their cybersecurity house in order. Incident response planning is not a DIY project or an IT project. The complexity of cybersecurity rules from industry regulators and state and federal governments requires the expertise of an attorney during the planning process.