Personal Data Breach/Identification FAQs

What is the law in Florida regarding breaches of data involving personal information?

As of July 1, 2005, Florida requires companies to notify individuals if there has been a breach of the company's computer security that materially compromises the individual's "personal information." Personal information means a first name or first initial and last name in combination with any of the following: that person's social security number; driver's license or ID card number; and/or account number or credit/debit card number together with any required security code or password, when this data is not encrypted. Public information available through government records is not considered "personal information."

To whom does this data breach law apply?

This law applies to anyone or any company doing business in Florida and keeping the unencrypted personal information of Florida residents.

What is considered a "breach" of data containing personal information?

A breach is the unlawful and unauthorized acquisition of data that materially compromises the security, confidentiality or integrity of personal information. Exactly what "materially compromises" means has not been explained by the courts, but a breach of a system that contains personal information would likely qualify.

As a company that may have had its computer system breached, what should we do?

In Florida, if a breach of data containing personal information occurs at a company, the company does not necessarily have to notify the individuals whose personal information was compromised. Notification is not required if the business undertakes an appropriate investigation, or consults with the relevant federal, state and/or local law enforcement, and thereafter reasonably determines that the breach has not resulted and likely will not result in harm to the individuals whose personal information has been accessed or taken. However, in this situation, the company must document its findings and maintain those records for five years or face a fine of up to $50,000.

If a company's computer system or network has been breached, what kind of investigation is required?

The law requires a reasonable investigation to determine if the breach has or will likely lead to injury to those whose personal information has been accessed. This should include complete documentation of the investigation and results, the involvement of individuals or a firm with the appropriate expertise and thorough reporting of the findings to the appropriate government agency.

What if a company's computer system or network has been breached but the personal information was encrypted?

After a data breach, the company must investigate whether there has been, or likely will be, harm to those individuals affected by the breach. One factor in that investigation is determining whether the person who obtained the personal information will be able to truly access it. Under Florida law, if the personal information was encrypted, the company does not have to report a breach. However, there are varying levels of encryption with varying levels of effectiveness. Weak encryption may offer limited or even no real protection against access by a technically advanced thief. Therefore, a company should not assume that a data breach will not result in harm to those individuals affected just because the data was encrypted. Even if the statutory penalties are avoided, the costs associated with a harmful data breach and the accompanying publicity can be significant.

What kind of notice is required if a company's computer system or network which contains personal information has been breached?

If no investigation was done, or one was done but it could not establish that no harm has resulted or is likely to result to those whose information has been compromised, the company suffering the breach must notify the affected individuals in writing, by email or through substituted notice "without unreasonable delay," but in any case within 45 days of the date the company is notified of, or determines that there has been, a data breach. However, this notification period, including the 45-day deadline, may be delayed while the company is investigating to determine the presence, nature and scope of the breach and to restore the integrity of the system. Of course, if a reasonable investigation determines that no harm came to, or will likely come to, the exposed individuals, notice is not necessary.

What penalties is my company subject to under the Florida data breach & notification statute?

If the company is required to notify exposed individuals under the law, as discussed above, but does not do so, the company is subject to a fine of $1,000 per day for 30 days, and a fine of up to $500,000 if the required notification is not provided within 180 days of the time the company is made aware of the data breach. These penalties are enforced by the Department of Legal Affairs. Obviously, notifying the customers and potential customers of a business is costly and can severely affect the operation and reputation of a business. However, the fines and penalties, along with the accompanying publicity, can damage a business to a much greater degree.

If a company suspects a data breach, should it utilize its own IT personnel to conduct the investigation or retain outside experts?

Clearly, an expert in computer and digital forensics and investigations should be used to investigate the source and effects of a data breach of personal information and to determine whether harm has resulted or will likely result to the people whose information was accessed. The danger in using in-house personnel is that they may be trained to understand computers and networks but not to handle and preserve evidence or to conduct a proper and thorough investigation. If important evidence is erased or damaged, it could be costly to the company. Additionally, if a breach occurred, it could have been caused or contributed to by a company employee. This may result in a conflict of interest and a lack of incentive for in-house personnel to conduct a thorough investigation or to report their findings. This could also be very costly to the company, particularly when the relevant government agency will be expecting a thorough, well-documented investigation.

What can a company do to try to avoid a harmful and costly data breach?

Utilizing strong encryption software to protect a customer's personal information is a good start and also may protect a company from being required to notify the individuals affected pursuant to the current Florida law. A company should also always know where personal information is located on its system so that if there is a breach, the investigation can be narrowed to focus on the relevant areas.