“Business Owners Beware”
Identity theft has skyrocketed to record levels. The breach at Home Depot is only the most recent in a wave of high-profile data compromises. Customers at Target, Michael’s, and Neiman Marcus are just a few of those victimized. Even NASDAQ’s computer network was infiltrated, resulting in 160 million stolen credit and debit card numbers, 800,000 bank accounts targeted, and $300 million in losses for victims.
The potential catastrophic impact of these data breaches has many business owners screaming for solutions. But a new state law aimed at better protecting consumers should come with a warning label: “Business owners beware.”
Governor Rick Scott recently signed the Florida Information Protection Act (FIPA), which is aimed at protecting consumers’ personal information and is considered by Data Breach Watch to be one of the strictest laws of its kind in the nation.[1] It has far-reaching implications for all businesses, both large and small.
New Law, New Issues
Florida Statute 501.171 provides that any “covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.” The reason this statute is so important to businesses is that a “covered entity” is defined as any “sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.” In short, if you are a business and maintain personal information about an individual in electronic form, you are considered a covered entity. Since this is almost any business today, it is important for business owners to be aware of the law’s requirements, and the consequences of failing to abide by it.
“Personal information” is a very broad term under this new Florida law. It includes the individual’s first and last name, or even only their first initial and last name, in combination with a myriad of other information. The other information can be a Social Security number, driver’s license number, or financial account information such as a credit card or debit card number in conjunction with any security code, access code, or password that would allow the business to access the financial account.
Think about how easy it is for a business to be ensnared by this law. If you run a gym, daycare, or any business where you keep a bank account or credit card on file in electronic form for automatic payments for fees or dues, the law applies to you. If you maintain someone’s username or email address, along with a password or security question that would allow access to an online account, the law applies to you.[2] The law also applies to an individual’s medical history and treatments, as well as health insurance information. So if you are a big hospital or an individual healthcare provider, not only do you have to worry about complying with HIPAA, you also have to worry about FIPA.
Consider the Consequences
The fines and duties created by FIPA can be very costly for your business. If you suspect a data breach, you are required to notify the affected individuals within 30 days. If the breach affects 500 or more individuals, you are required to notify the Florida Department of Legal Affairs. If 1,000 or more individuals are affected, you are required to notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act. Failure to comply with these requirements can result in fines of $1,000 per day for the first 30 days following the violation, with the fine rising to $50,000 for each additional 30-day period. If the violation exceeds 180 days, the fine is capped at $500,000. These penalties apply per data breach, not per individual affected by the data breach.
It is important to make sure your business takes the necessary measures to prevent a data breach and to protect yourself if one occurs. Have your attorney review your contracts with your Information Technology providers to ensure they are providing you with adequate security. Consider including an indemnification clause by which the provider agrees to cover any loss that results from its failure to provide sufficient protection. Review your Commercial General Liability policy to see if it covers data breaches, and purchase separate coverage if it does not.
While the new law is broad and affects many businesses, if you take the necessary steps to protect your business you can avoid the headaches and expenses it can cause for you.
Steven D. Kramer is the founder of Kramer Law Firm. He is listed in Florida’s Best Lawyers (2013-2014) and Best Lawyers in America (Woodward/White 2012-2014).