Attorney R. Christopher Dix shares insight regarding Florida’s revamped data privacy law. News reports of massive security breaches involving electronic data are becoming more and more common. Target, UPS, and JP Morgan are just a few examples of companies that have recently revealed breaches related to their customers’ personal information.
In response to the increasing trend of security breaches, Florida recently expanded and strengthened its data privacy law to apply to more types of data and to require faster notification after a breach occurs.
Below are some suggestions for businesses desiring to comply with Florida’s revamped statute and avoid possible penalties of up to $500,000 per incident:
1. Establish a Data Breach Protocol for your IT Department
The IT Department is often the first place that a data breach is detected within a business, but IT professionals may not be aware of the notification and investigation requirements under the revamped Florida law. Companies should instruct IT professionals to promptly report potential data breach incidents to in-house counsel or the company?s management so that a determination can be made regarding the company?s obligations under the Florida data privacy statute.
2. Establish a Data Breach Protocol for your HR Department
Data breaches frequently occur in connection with employees that have been terminated or are otherwise leaving the company. HR employees may be the first to discover a potential data breach, and should be instructed to promptly notify in-house counsel or the company?s management of any potential data breach incidents so that the company can provide a timely response that complies with the company?s obligations under the Florida data privacy statute.
3. Verify Compliance by Third Party Vendors
Many businesses outsource or retain third party vendors to assist with managing and storing electronic data related to the business. Use of third party vendors, however, does not exempt a company from the Florida?s data privacy law. Failure of a company?s third party vendor to timely report a breach to the company is deemed to be a violation by the company for failing to report the data breach incident to affected parties and state agencies.
Companies using third party vendors to manage and store electronic data need to obtain confirmation from those vendors that the vendors (i) are aware of their obligations under Florida?s data privacy statute and (ii) agree to immediately notify the company of any potential data breach incidents affecting the company?s data. Companies should also consider obtaining agreements from vendors that the vendors will indemnify any losses to the company resulting from the vendor’s failure to comply with Florida’s data privacy statute.
4. When in doubt, consult with law enforcement
A company that is uncertain about whether a breach has occurred should consider contacting a federal, state or local law enforcement agency. The law enforcement agency may be better equipped than the business to assess the breach and identify any potential criminal activity. Also, if after investigation and consultation with the law enforcement agency, a business determines that a breach ?has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed,? then notice to affected individuals is not required under the statute. A written determination is required, however, to be sent to the Florida Department of Legal Affairs within 30 days after the determination is made, and companies must also retain the written record of the determination for at least 5 years.
5. Implement/Update Mobile Device Policies
Companies are increasingly permitting employees to access company information on mobile devices (e.g., iPhones, iPads, and laptop computers). Companies that permit employees to access customer information or other ?personal information? that could be subject to the Florida data privacy law should implement or update their policies and procedures to minimize the risk of a data breach if a mobile device is lost or stolen.
Also, since Florida?s data privacy law specifically does not apply to any encrypted data, companies should consider encrypting mobile devices and portable storage devices before allowing employees to store company information on those devices.
Follow us on for more content updates