FIPA: Florida Information Protection Act

Fuerst Ittleman David & Joseph can assist your covered entity in ensuring that your business maintains the appropriate operations, policies, procedures, and systems to comply with the Florida Information Privacy Act (FIPA).

On July 1, 2014, FIPA became effective replacing Florida’s previous data breach notification requirements. FIPA is comprehensive in nature, and addresses what “covered entities” and their “third-party agents” must do to protect “personal information,” and also sets forth what is required of such entities in the event of a breach. While the ideas behind FIPA and HIPAA are similar, the entities and data covered by the two laws are different. Unlike HIPAA, which only applies to health information, FIPA applies to all personal information regardless of what kind, or the nature of the company storing it. Thus, even though an entity may not fall within the federal HIPAA statute, it may nevertheless be governed by FIPA, and be subject to the full scope of the new state statutory scheme designed to protect personal information.

1. Covered Entities, Third-Party Agents and Personal Information

FIPA governs a far more expansive list of “covered entities” than HIPAA. FIPA defines a “covered entity” as a “sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses ‘personal information,’” as per Fla. Stat. § 501.171(1)(b). A “third-party agent” is “an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity,” according to Fla. Stat. § 501.171(1)(h).

“Personal Information,” states Fla. Stat. § 501.171(1)(g)(1)(a), is defined as an individual’s first name, or first initial, and last name in combination with any one or more of the following data elements for that individual:

• A Social Security number
• A driver’s license or identification card number, passport number, or military identification
• A financial account number or credit or debit card number with security codes or passwords
• Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
• An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

“Personal information” also includes a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, according to Fla. Stat. § 501.171(1)(g)(1(b). However, FIPA does not apply to personal information that is encrypted, secured, or modified so that the information is unusable in the event of a breach.

2. Data Security Measures

FIPA requires that each covered entity, governmental entity, or third-party agent take reasonable measures to protect and secure data in electronic form containing personal information, as per Fla. Stat. § 501.171(2). Examples of reasonable measures would be encryption of data or de-identifying the data. In addition, FIPA requires covered entities and third-party agents to take all reasonable measures to dispose, or arrange for the disposal, of customer records containing such personal information. As explained in Fla. Stat. § 501.171(8), “such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.”

3. Breach Notification Requirements

FIPA establishes a series of people and authorities which must be contacted in the event of a breach as well as timeframes under which a covered entity or third-party agent must make such notifications. The notification requirements vary based on the size of the breach.

In all cases of a breach, cover entities must notify each individual whose personal information was accessed, or believed to be accessed, within 30 days after the discovery of a breach, states Fla. Stat. § 501.171(4)(a). However, an exemption exists in cases where “after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not, and will not likely, result in identity theft or any other financial harm to the individuals whose personal information has been accessed” (Fla. Stat. § 501.171(4)(c). An exemption also exists if law enforcement determines that notice would interfere with a criminal investigation, according to Fla. Stat. § 501.171(4)(b).

When a breach affects 500 or more individuals in the state, covered entities must notify the Florida Department of Legal Affairs within 30 days of discovery of the breach. In such instances, a covered entity may receive an additional 15 days to provide the personal notification required under the statute should good cause exist. Such a requirement exists regardless of whether the covered entity determines that the breach is not likely to result in identity theft or other financial harm to the affected individuals states Fla. Stat. § 501.171(3).

In addition, according to Fla. Stat. § 501.171(5), in cases where the breach affects more than 1,000 individuals, the covered entity shall also notify, “without unreasonable delay,” all consumer credit reporting agencies that compile and maintain files on consumers under the Fair Credit Reporting Act.

In cases where data breaches occur at a third-party agent, the third-party agent shall notify the covered entity of the breach “as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred,” explains Fla. Stat. § 501.171(6). Once the third-party agent informs the covered entity, the covered entity shall proceed in providing the statutorily required notice.

It is important for companies who may also be considered covered entities under HIPAA to understand that the timeframes for reporting breaches are different under FIPA and HIPAA. Therefore, entities subject to both statutes must ensure adequate compliance with both in the event of a breach.

4. Penalties

Violations of FIPA are treated as unfair and deceptive trade practices and allows the Florida Department of Legal Affairs to use any, and all, remedies available under Fla. Stat. § 501.207 of the Florida Deceptive and Unfair Trade Practices Act. Fla. Stat. § 501.171(9)(a).

In addition, covered entities face fines under FIPA for failing to provide the statutorily required notice. Here, rather than a per record basis fine structure, such as the one in place for HIPAA, FIPA civil penalties are based on the length of time an entity is not in compliance after a breach. Covered entities face civil penalties of up to $500,000 per breach calculated as follows: 1) $1,000 per day up to the first 30 days following any violation; 2) thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days (Fla. Stat. § 501.171(9)(b)).

FIPA expressly states that no private cause of action is established by the act. However, this does not mean that covered entities do not face a risk of private litigation in the event of a breach as common law causes of action, such as negligence, breach of contract, and breach of fiduciary duties, may still exist for damages caused by data breaches.

For more information, please contact us at contact@fuerstlaw.com or call us directly at 305-350-5690.