By Joseph A. “Jay” Geary, Attorney
Clark, Campbell, Lancaster & Munson, P.A.
Q: How does the new Florida Information Privacy Act affect my business?
A: On June 20, 2014, Governor Scott signed into law the “Florida Information Privacy Act of 2014,” Florida Statutes, Section 501.171 (“Privacy Act”), which became effective on July 1, 2014. The Privacy Act repeals and significantly changes an earlier (2005) electronic data privacy law, Florida Statutes, Section 817.5681, and is in addition to existing federal laws intended to safeguard the confidentiality of personal health information and personal financial information. Businesses should immediately become acquainted with the requirements of the Privacy Act, particularly the reporting and notification requirements. The salient features of the Privacy Act are as follows:
If a business acquires, maintains, stores or uses “personal information” provided by individuals in Florida in order to purchase or lease products or services, and the business records and preserves that data in electronic form as “customer records” on a computer system, data base or digital mass storage device, then the business is a “covered entity” – i.e., subject to the Privacy Act.
A “covered entity” includes a “sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial enterprise” that receives “personal information” from individuals “in this state”.
“Personal information” is defined in the Privacy Act. Generally, it is information contained in “customer records” of a “covered entity” that affords the business access to an identified individual’s financial accounts or medical information.
A “covered entity” must take “reasonable measures” to protect and secure electronically-stored “personal information”. (“Reasonable measures” is undefined in the Privacy Act.)
If there is a “breach of security” (unauthorized access to secure data) involving 500 or more individuals in this state, a “covered entity” must report the incident, in writing – “as soon as practicable”, but no later than 30 days from the date the breach is discovered – to the Florida Department of Legal Affairs, AND must directly notify “each individual in this state” whose “personal information” was or is believed to have been accessed due to the security breach. The required informational content of the report to the Department, as well as the content and permitted manner of notice to individuals, is described in detail in the Privacy Act.
The Department may seek and recover civil penalties of up to $500,000.00 for violations of the reporting and notice provisions of the Privacy Act by a “covered entity”. Only the Department can bring an enforcement action; the law expressly provides no private cause of action.
The December 4th edition of “The Law” will discuss bouncing checks in Florida. Questions may be submitted online to firstname.lastname@example.org.