Keeping Information Private

By Joseph A. “Jay” Geary, Attorney
Clark, Campbell, Lancaster & Munson, P.A.

Q: How does the new Florida Information Privacy Act affect my business?

A: On June 20, 2014, Governor Scott signed into law the “Florida Information Privacy Act of 2014,” Florida Statutes, Section 501.171 (“Privacy Act”), which became effective on July 1, 2014. The Privacy Act repeals and significantly changes an earlier (2005) electronic data privacy law, Florida Statutes, Section 817.5681, and is in addition to existing federal laws intended to safeguard the confidentiality of personal health information and personal financial information. Businesses should immediately become acquainted with the requirements of the Privacy Act, particularly the reporting and notification requirements. The salient features of the Privacy Act are as follows:

Ÿ      If a business acquires, maintains, stores or uses “personal information”, provided by individuals in Florida in order to purchase or lease products or services, and the business records and preserves that data in electronic form as “customer records” on a computer system, data base or digital mass storage device, then the business is a “covered entity” – i.e., subject to the Privacy Act.

Ÿ      A “covered entity” includes a “sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial enterprise” that receives “personal information” from individuals “in this state”.

Ÿ      “Personal information” is defined in the Privacy Act. Generally, it is information contained in “customer records” of a “covered entity” that affords the business access to an identified individual’s financial accounts or medical information.

Ÿ      A “covered entity” must take “reasonable measures” to protect and secure electronically-stored “personal information”. (“Reasonable measures” is undefined in the Privacy Act.)

Ÿ      If there is a “breach of security” (unauthorized access to secure data) involving 500 or more individuals in this state, a “covered entity” must report the incident, in writing – “as soon as practicable”, but no later than 30 days from the date the breach is discovered – to the Florida Department of Legal Affairs, AND must directly notify “each individual in this state” whose “personal information” was or is believed to have been accessed due to the security breach. The required informational content of the report to the Department, as well as the content and permitted manner of notice to individuals, is described in detail in the Privacy Act.

Ÿ      The Department may seek and recover civil penalties of up to $500,000.00 for violations of the reporting and notice provisions of the Privacy Act by a “covered entity”. Only the Department can bring an enforcement action; however, the law expressly provides no private cause of action.

The December 4th edition of “The Law” will discuss bouncing checks in Florida. Questions may be submitted online to thelaw@clarkcampbell-law.com.

Joseph Geary

Joseph Geary

Joseph Anthony “Jay” Geary is a transplanted New Englander who moved to Lakeland in 1987 from Oregon. Jay is a 10-year cancer survivor. In his professional life, this experience translates into the commitment to “go more than the extra mile” for his clients – with zealousness, but civility – both in the office and in the courtroom. In his personal life, the experience has taught him to treasure every day as a gift from God to be used wisely.
Joseph Geary

Latest posts by Joseph Geary (see all)