Florida Amends Breach Notice Statute To Add Health Data, Set 30-Day Notice

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

June 23 — Florida Gov. Rick Scott (R) June 20 signed a bill ( S. 1524 ) that repealed the state's data breach notification statute and replaced it with a law that is largely the same but now includes health information on the list of protected information and drops the target for companies and government agencies to provide notice to individuals from 45 to 30 days.  

Covered entities also now are required to report to the state Department of Legal Affairs breaches involving 500 or more individuals.

In recognition of the new reporting requirement, Scott also June 20 signed a bill (S. 1526) that would exempt from public records requests information submitted to the department that included personal data, computer forensic reports or information “that would otherwise reveal weaknesses in a covered entity's data security.”

The measures, which cleared the Legislature April 29, will take effect July 1.

Risk Trigger, Damages Unchanged

In 2005, Florida became the 10th state to enact a breach notice law. In April, Kentucky became the 47th state with a breach notice law.

The 2005 risk of harm trigger in the Florida law remains in place under the new law. Notification isn't required if:

after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.

The administrative penalties provisions of the original law also remain in place. Failure to notify individuals carries an administrative fine of $1,000 for each day a breach goes unreported, for as long as 30 days. After that, liability may increase to as much as $50,000 for each 30-day period for as long as 180 days, when the liability could jump to an administrative fine of $500,000.

The penalties are per breach, not per individual who should have been notified. There is no private cause of action under the law to allow individuals to file lawsuits. The law requires covered entities to provide “reasonable data security” for personal information they retain.

S. 1524, as signed into law , is available at http://laws.flrules.org/2014/189.

S. 1526 , as signed into law, is available at http://laws.flrules.org/2014/190.

Request Bloomberg Law Privacy and Data Security