The Florida Information Protection Act (FIPA)
The Florida Information Protection Act of 2014 requires certain data protection measures from entities that acquire, use, store, or maintain Florida state residents’ personal information. It also mandates that covered entities take certain steps in the event of a breach of that information.
What types of businesses are subject to FIPA?
Under FIPA, covered entities include both organizations with and without a physical footprint in Florida. All associations, cooperatives, estates, trusts, corporations, sole proprietorships, NGOs, commercial entities, and government organizations that acquire, use, store, or maintain the personally identifiable information (PII) of individuals in the state are subject to the statute.
A breach is defined as the unauthorized access to electronic data that contains PII. PII refers to an individual’s first name or first initial and last name in combination with any of the following:
- ID card number, driver’s license, military identification number, passport number, or any such number present on a government document, which can be used to verify the identity of an individual
- Social security number
- Debit/credit card number or financial account number in combination with the password, access code, or security code that allows access to an individual’s financial account
- Information pertaining to the mental or physical condition, diagnosis, or medical treatment by a health care professional
- The medical history of an individual
- Health insurance policy number or subscriber identification number
- Other identification numbers or unique identifiers that can be used by health insurers to identify an individual
- Email addresses or usernames in combination with passwords (or Security Q&A) that can be used to gain access to an individual’s online account
Key requirements of FIPA
Data security requirements: “Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.”
Notification requirements for security breaches: Once an organization has determined that a breach has occurred, it must report the breach to the Department of Legal Affairs no later than 30 days after the determination of the breach. The organization may receive 15 additional days to provide notice if good cause for the delay is provided in writing to the Department within 30 days after the determination that a breach occurred.
Such notice needs to include:
- Summary of events surrounding the breach
- Number of individuals in Florida who were or potentially have been affected by the breach
- Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services
- The name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach
For breaches affecting 500 persons or more, FIPA mandates that organizations also provide notice of particular facts. If the number of affected persons is 1,000 or more, entities must also send notices to nationwide consumer credit reporting agencies.
The organization must also notify each individual in the state whose personal information was accessed as a result of the breach.
Further, third-party firms that maintain security systems for covered entities have up to 10 days to report breaches to said entities. On receiving this notice, the affected entity becomes responsible for providing the required notices within the allotted 30-day notice period.
FIPA Enforcement and Penalties for Non-Compliance
FIPA authorizes Florida’s Department of Legal Affairs to bring enforcement action against organizations committing statutory violations. Entities that fail to provide the required notices under FIPA violate Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) and are subject to the following civil penalties:
- $1,000 a day for the first 30 days,
- $50,000 subsequently for any 30-day period up to 180 days, and
- $500,000 as the maximum amount of penalties for violations exceeding 180 days.