As of July 1, any commercial or governmental entity in Florida that acquires, maintains or stores personal information of individuals is subject to a new law that expands the requirements of data breach notification.
The Florida Information Protection Act of 2014 lessens the time period for reporting data breaches from 45 days from when the breach is discovered to 30 days. For breaches affecting at least 500 people, the organization is required to notify the Florida Department of Legal Affairs. If the breach affects at least 1,000 people, the organization must notify all nationwide consumer credit reporting agencies.
Additionally, third-party agents maintaining a security system for covered entities must report the breach to the covered entities within 10 days of learning of the breach. At that point, the entity becomes responsible for notifying any appropriate parties within the 30 day limit.
Entities that fail to adhere to FIPA and provide proper notice are subject to the following fines: $1,000 per day for the first 30 days, $50,000 thereafter for each 30-day period, or a $500,000 in maximum penalties for violations exceeding 180 days.
The FIPA rules do not alter HIPAA's breach requirements, and a single notice will often satisfy both HIPAA and FIPA requirements, as the FIPA reporting timeline is shorter than HIPAA's.
The bill was unanimously passed and signed into law by Gov. Rick Scott (R-Fla.) on June 20.
More Articles on Data Breaches:
DCH Regional Medical Center Employee Allegedly Stole Data From Computers
Stolen Laptop at San Antonio Metropolitan Health District Leads to Data Breach
Alabama Department of Public Health Notifying Patients of Potential Data Breach