Florida Enacts New Breach Notification Law Increasing Reporting Obligations and Liability
Joining other states that have recently strengthened their data security laws, Florida has enacted a law requiring written notice to the Department of Legal Affairs if more than 500 Florida residents are affected by a breach, as well as notice to the affected individuals within 30 days. Additionally, companies must offer written proof to the Department of Legal Affairs when a breach has not resulted in, or isn’t likely to result in, identity theft or other financial harm – though they don’t have to notify their customers.
Includes medical and healthcare info
Katie Riley, an attorney writing on adlawaccess.com, notes that the new law “revises the definition of personal information to include medical and health insurance information and an individual’s user name or email address in combination with [a] password or security question and answer.”
It also “requires that third-party agents notify a company of a breach of security within 10 days, and, although the third-party agent may provide the required notice, the company is ultimately responsible for any failure by the agent to provide proper notice.”
Penalties for violation
Violation of the law gives Florida’s attorney general the power to “bring actions for a declaratory judgment, injunction, or actual damages.
“These remedies are, in addition to the civil penalties the Department may assess, up to $500,000, for failure to comply with…notice requirements.”