On Dec. 16, 2014, a group of former Sony employees filed a class action lawsuit in Federal Court in Los Angeles against Sony for negligently failing to protect its computer systems from hackers, resulting in the employees’ personal information being leaked to the public, and potentially ending up in the hands of criminals. In addition, the former employees allege that Sony failed to adequately notify the employees that their confidential, personal information was breached. The Sony breach is the latest in a string of recent high-profile data thefts in the news. However, data theft is not only a threat to large multinational corporations such as Sony. Florida companies of all sizes are at risk, and face stiff penalties under the Florida Information Protection Act of 2014 (FIPA) for the failure to notify any Florida resident of the breach of his/her personal information. To assist in complying with this statute, Florida attorneys should counsel their clients to invest in data security, especially those who own or manage a business, to have a plan in place to respond to breaches as they occur, and to promptly notify all “persons” whose data has been breached.
Passed during 2014’s Legislative session, FIPA represents the first expansion of the State’s data breach notification laws in nine years. Its goal is to require the State’s private sector as well as State government entities to promptly inform aggrieved parties when cyber thieves appear to have stolen their unencrypted personal information from computer records. FIPA defines personal information as a person’s first name, middle initial, or any middle name and last name in combination with unencrypted records containing:
A driver’s license, passport, military identification or Florida Identification Card number;
A Social Security number;
Sign Up and Save
Get six months of free digital access to the Miami Herald
A financial account number, credit card number or debit card number, and a required security code or password that would permit access to the relevant account;
Any information regarding the individual’s mental or physical condition, medical history or medical treatment; or
A health insurance policy or subscriber identification number and any unique identifier used by a health insurer.
Additionally, the FIPA statute requires notification whenever a user name or email address may have been breached in combination with a password or security question and answer that would permit access to an online account.
The updated FIPA statute provides that any person conducting business in the State (company) must notify the person whose unencrypted personal information is reasonably believed to have been stolen within 30 days of the determination of the breach.
In addition, the Florida Department of Legal Affairs must be notified of any breach affecting more than 500 individuals in Florida within 30 days of a determination of the breach. A 15-day extension to notify the department may be granted, if good cause for delay is provided in writing within 30 days after determination of a breach.
A company that discovers a breach affecting more than 1,000 individuals at a single time must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices. Failure to notify individuals affected by the breach is treated as an unfair or deceptive trade practice, and subjects the company to a civil penalty, as follows:
$1,000 for each day the breach goes undisclosed for 30 days;
$50,000 for each 30-day period for up to 180 days;
A maximum of $500,000, if notification is not made within 180 days.
These sanctions apply per breach, not per individual affected by the breach. Substitute notice, in the form of a conspicuous announcement on the company’s website or in print and/or broadcast media where the affected individuals reside, may be provided in lieu of direct notice if:
The cost of providing notice would exceed $250,000;
The affected individuals exceed 500,000 persons; or
The company does not have email addresses or mailing addresses for the affected individuals.
There are certain limited exceptions to the notification requirements under the FIPA statute. Required notification may be delayed upon a request by a law enforcement agency if it is determined that the notification will impede a criminal investigation.
It should be noted that the FIPA Statute expressly does not provide for a private right of action to recover damages.
Additionally, notification is not required if, after an appropriate investigation and consultation with relevant law enforcement agencies, the company responsible for storing the information reasonably determines that the breach has not and is not likely to result in harm to the individuals whose data was unlawfully accessed.
The person at the company responsible for data storage must make this determination in writing, and the documentation must be maintained for five years. Failure to make the written determination or to preserve it for five years subjects the responsible persons to a $50,000 administrative fine. A copy of the written determination must be provided to the Florida Department Legal Affairs within 30 days of the determination. The statute does not set specific guidelines to follow in making a reasonable determination of no harm.
As seen by recent occurrences at Sony, Target, and VeriSign, among others, sophisticated hackers can breach even the strongest defense systems. Companies should develop a broad data breach response plan and educate employees on all levels of the organization on the protocol to follow. Preferably through a specific designated representative, companies should work with their legal counsel to act quickly and efficiently in investigating the cause of a breach and the circumstances surrounding its discovery. The IT department, if the company has one, should secure the breached equipment or cloud and safely take it offline, identify the compromised information, and provide it to the legal team to determine whether the occurrence falls under the provision of the statute and requires notification to the affected parties or law enforcement. The company should also have a plan in place to notify the affected parties and deal with any media coverage of the breach. Human resources personnel should be trained to act as a hotline for affected customers and employees. It may also be necessary to hire an expert in electronic data security to advise the company on the source of the breach and the remedy to avoid future occurrences.
Additional proactive steps should include: (1) training employees on steps to take to ensure data security as part of their job duties; (2) purchasing data security software; (3) limiting employees’ access to data that each specific employee needs to complete their job requirements; (4) having a procedure in place for reporting data breaches or violations of security protocol; (5) frequently re-educating employees on any new developments in data breach security; (6) hiring an expert to periodically review the company’s system.
By seeking the advice of their attorneys regarding compliance with FIPA guidelines before data breaches occur, companies can alert their clients, customers and employees to potential threats of data theft, thus avoiding liability, as well as preserving the company’s public reputation. In this day and age, a computer security breach not only subjects the company to severe fines and penalties, as well as civil liability, but can also damage the reputation of the company. These breaches simply can no longer be ignored.
John R. Squitero, Esq. is a founding partner and Matan A. Scheier is an associate with the law firm of Katz Barron Squitero Faust.
Have a ‘My View’ topic?
If you have a point of view on a business topic you would like to share, consider writing about it for Business Monday. Pitch your idea to rclarke@MiamiHerald.com. Preference will be given to submissions of 600-700 words that state a topic clearly, with supporting examples and references drawn from South Florida. They should also be accompanied by a photo of the writer, emailed as a jpeg. ‘My View’ pieces that are accepted are published as space allows.