Understanding Florida’s New Data Breach Law
As more and more commerce moves online, companies are storing ever greater amounts of customer and employee information in digital form. While this setup is often more convenient for everyone involved, it also creates a new potential liability for businesses that store this sort of information: data breaches. The possibility of a malicious hacker gaining access to a company’s private files is a very real one. Companies should be taking precautions to ensure that their data and their customers’ information are safe, but no security system is perfect. Even sophisticated companies are at risk of this sort of problem, as the recent Sony Pictures hack demonstrates.
While this sort of hack may open up a company to lawsuits by consumers, Florida also passed a data breach law this year. It mandates that companies take reasonable precautions to protect the personal information they store, and it places certain requirements on companies that have suffered a data breach. Failure to comply with those requirements can lead to serious fines.
What a Data Breach Is
The new Florida law defines “data breach” in a specific way, and the definition is important to understand because it differs from many similar laws. Under the law, a data breach is any “unauthorized access of data in electronic form containing personal information.” This is a broader definition than many data breach laws because it covers access of the data rather than “acquisition” of the data. This means that a data breach occurs even if the hacker did not download any of the information that they gained access to.
The law also defines two categories of personal information. The first is a person’s full name, or their first initial and last name, plus:
- a Social Security number;
- an official identification number like a driver’s license number;
- financial account numbers;
- credit card numbers; or
- health insurance numbers.
The second category of personal information is a user name or email address and a password or security question answer that would allow the hacker to access someone’s online account.
Responding to a Data Breach
In the event that a company does suffer a data breach, the law creates numerous notification requirements. For instance, if a data breach affects more than 500 people in the state of Florida, then the company must notify the Florida Department of Legal Affairs within 30 days of the breach. This notice must contain a variety of things, including a summary of what happened and the number of people affected. Similarly, the law also requires the company to notify any people whose data may have been compromised by the breach. Additionally, in order to protect the people who had their data accessed, the company must notify credit reporting agencies about the breach if there were more than 1,000 people affected by it.
No company wants to deal with a data breach and the litigation that will likely follow. However, a prompt, thorough response can help mitigate the damage. If your company has recently been the victim of a cyberattack, contact a West Palm Beach business litigation attorney at Pike & Lustig, LLP today.