The Florida Information Protection Act went into effect on July 1. The law imposes notification requirements on any business that acquires, maintains, stores or uses personal information when that business suffers a breach of security, i.e., unauthorized access of data in electronic form containing personal information. The statute’s definition of personal information includes the usual suspects – social security number, driver’s license number, passport number, financial or credit card number, and username or email address in combination with a password or security question that would permit access to an online account.
The definition of personal information also includes any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis, as well as an individual’s health insurance policy number or other unique identifier used by a health insurer. Much of this data is probably in your HR software program or in your paper HR forms that are converted to a digital format. While the Florida Information Protection Act does not specifically cover “employers,” its definitions are broad enough to capture most employers in Florida.
The law requires businesses to take reasonable measures to protect and secure data in electronic form that contains personal data. If a breach impacts 500 or more Floridians, the business must notify the Department of Legal Affairs. The statute also requires the business to provide notice to each Floridian whose personal information was or may have been accessed in the breach. These notices are required as soon as possible and no later than thirty days after the breach is discovered, barring some exceptions. Notice to impacted individuals can be by email.
Although the primary focus of the statute is on electronic data, it also requires businesses to take all reasonable measures to protect and dispose of customer records containing personal information, such as shredding, erasing or modifying the personal information to make it undecipherable. The statute does not mention employee or personnel records, but prudent employers should follow the same standards for their employees’ personal information in paper format.
The law is clear that individuals cannot sue to enforce this law. However, Florida can levy civil penalties up to $500,000 for violations of this law.