Any healthcare organization with a presence in Florida will be affected by the Florida Information Protection Act of 2014 (FIPA), which expands the requirements on covered entities that acquire, maintain, store, or use personal information of Floridians.
As part of a growing trend in state legislatures, Florida’s new data breach and security law expands notification requirements on covered entities that experience a breach of security, according to McGuireWoods.
The new law repealed Florida’s prior data breach notification statute and made significant modifications to Florida law that can reach entities far beyond the state’s borders, the firm explains. Providers need not be based in Florida for the law to apply; any business presence in the state will trigger the law.
William J. Cook, JD, partner with McGuireWoods in Chicago, offers these explanations of the new Florida law:
- Any commercial or governmental entity that acquires, maintains, stores, or uses personal information of individuals in the state is subject to this law. Although this is a Florida statute, companies in other jurisdictions should assume this statute will apply in the event they experience a breach of security affecting any individuals in Florida.
- Under FIPA, like its predecessor statute, personal information includes an individual’s first name or first initial combined with the individual’s last name, in combination with a social security number, driver’s license number, or other similar number of a government-issued ID, or a financial account number or credit or debit card number combined with the required security code. New under FIPA, personal information also includes any information about an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or an individual’s health insurance policy number or subscriber identification number, plus any unique identifier used by a health insurer to identify the individual.
- FIPA also expands the definition of personal information to include any personal login information that would permit access to a person’s online account. Notably, this expansion, which might be the first of its kind in any state data breach notification law, would include login information to social media sites or applications, regardless of whether such sites include more traditional forms of personal information.
- Personal information excludes information already made public or information that is encrypted.
- FIPA shortens the period for reporting a breach to 30 days from the time the breach is discovered, compared to 45 days under the previous Florida statute. FIPA authorizes the Department of Legal Affairs to grant up to 15 additional days to provide notice if good cause is provided in writing to the department within 30 days of the determination of a breach.