The increasing prevalence of cloud computing and other electronic storage methods has made storing and accessing important electronic data easier and less expensive than ever. However, the growing volume of documents and other information stored electronically has also increased the exposure to cybercrime, including data breaches.
In response, Florida enacted a statute that partially addresses this situation by requiring notification to the individuals affected by a breach. To ensure compliance with this statute, businesses should obtain counsel from their attorneys and from information security professionals on defending against data breaches, having a plan in place to respond to breaches as they occur, and promptly notifying all individuals whose personal information has been compromised.
Florida Statute 817.5681 imposes significant penalties for failing to notify a Florida resident of a breach of his or her personal information. Personal information is defined as a person's first name (or first initial) and last name, or any middle name and last name, in combination with one or more of the following data elements when they are not encrypted:
• Social security number;
• Driver’s license or Florida Identification Card number; or
• Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account.
The 2005 statute further provides that any person conducting business in the state who maintains computerized data containing personal information must notify each affected Florida resident without unreasonable delay, and in no case later than 45 days after determining that unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The penalty for failing to notify within 45 days is:
• $1,000 for each day the breach goes undisclosed, for up to 30 days;
• Thereafter, $50,000 for each 30-day period, or portion of one, for up to 180 days; and
• A maximum of $500,000 if notification is not made within 180 days.
These sanctions apply per breach, not per individual affected by the breach.
There are certain limited exceptions to the notification requirements under the statute. Required notification may be delayed upon a request by law enforcement, if a law enforcement agency determines that the notification will impede a criminal investigation. Additionally, notification is not required if, after an appropriate investigation or consultation with relevant law enforcement agencies, the person responsible for storing the information (custodian) reasonably determines that the breach has not and will not likely result in harm to the individuals whose data was unlawfully accessed.
The custodian of the data must make this determination in writing, and the documentation must be maintained for five years. Failure to make the written determination or to preserve it for five years subjects the custodian to a $50,000 administrative fine. The statute does not set forth specific guidelines for the custodian to follow in making a reasonable determination of no harm.
Because a determined attacker can breach even the most robust defenses, attorneys should advise clients to have a response plan in place before a security breach occurs. There will not be time to develop a plan and delegate duties after a breach. Company executives should develop a data breach response plan and educate employees at every level of the organization on the protocol to follow, since each department will have its own role in it.
Executives, preferably through a designated representative, must work with legal counsel and information security specialists to investigate quickly and efficiently the cause of the breach and the circumstances of its discovery. For example, the internal IT department or an outside vendor retained by the company must contain the affected systems or cloud resources (isolating them from the network rather than simply wiping or rebuilding them, so that logs and forensic images are preserved as evidence), identify the compromised information, and provide it to the legal and forensic team to determine whether the statute requires notification of the affected individuals or law enforcement.
Those responsible for the company's public relations should be prepared to notify the required parties and to handle any media coverage of the breach. It is also advisable to prepare the human resources department, where one exists, to act as a hotline for affected customers and employees.
As a practical matter, and in light of the stiff penalties set forth in the statute, proactive steps should be taken to avoid a breach in the first place. These include:
• Training employees on the data security measures that are part of their job duties;
• Encrypting stored personal information, since the statute's definition of personal information reaches only unencrypted data;
• Purchasing and maintaining data security software;
• Limiting each employee's access to the data that employee needs to perform his or her job;
• Having a procedure in place for reporting data breaches or violations of security protocol;
• Periodically re-educating employees on new developments in data breach security; and
• Engaging an expert to periodically review the company's systems and confirm that security updates have been applied.
A data breach can cause severe damage to a company's reputation and, under the statute, to its finances if the proper notification protocol is not in place. To be in the best position to avoid a fine of up to $500,000 per breach, corporate executives should seek their attorneys' advice on the importance of protecting data, formulating a response plan ahead of time, and strictly complying with the notification requirements of Florida Statute 817.5681.
John Squitero is a founder and shareholder with the South Florida law firm of Katz Barron, Squitero, Faust, Friedberg, English & Allen, P.A. Visit www.katzbarron.com, or call 305-856-2444.