Effective July 1, 2014, Florida enacted what some have described as one of the country’s most detailed and comprehensive statutes governing the duties of commercial entities that acquire, maintain, store, or use personal information and potential penalties related to the loss of such data. Rather than simply amending the previous provision, Florida Statute 817.5681, the Florida Legislature repealed the previous statute and replaced it with Florida Statute 501.171, titled the “Florida Information Protection Act of 2014.” The new statute governs the storage and disposal of private information and sets out specific requirements in the event of the loss of such data, whether through inadvertence or through a “breach” of data storage systems.
Florida’s new statute begins with definitions of a “breach,” “customer records,” and “personal information.” These definitions are very specific and will leave little room for argument as to who and what information is protected by the statute. The requirements for securing confidential personal information apply to all “covered entities,” now defined as any “sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.”
While the definitions within the statute are precise, the new Florida statute’s standard for data storage and usage is vague. Section (2) of the statute merely states that “each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.” This “definition” creates a sliding standard of care that will put pressure on commercial entities to ensure their methods for the acquisition, storage, and use of such data keep pace with technological developments. When a commercial entity is sued over a data breach, the litigation will be expert intensive, and it will be for a jury of laypersons to decide whether the measures employed to protect the data were “reasonable.”
Also important is the statute’s extension of statutory requirements to the actions of third-party agents. Such an agent is defined as “an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity.” As a consequence, entities assessing their potential liability for data breaches need to include an assessment of the technology and methods of such vendors as well.
As in the previous statute, the entity holding personal information must notify all those potentially affected by a breach. However, under the new statute, if the breach affects more than 500 individuals, the “covered entity” must also notify the Department of Legal Affairs. The statute provides a precise time period within which a “covered entity” must notify parties of a potential breach, how the notification is to be made, and what information must be contained in the notification. As in the prior statute, the new provision lists the penalties imposed on a “covered entity” for failing to comply with the statutory requirements.