Florida put a tough new cyber-breach notification law into effect at the start of the month, replacing its older statute with more stringent demands upon any company that so much as interacts with consumers there.
The state is hardly alone. Lacking a comprehensive federal law to guide the notification process, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands each have their own rules on what companies must do when customer data is stolen or mishandled, many of them unique.
“It seems as though states are in the vacuum of federal legislation and asking whether their laws don’t go far enough,” says Jason Weinstein, a partner with the law firm Steptoe & Johnson and a former deputy assistant attorney general of the U.S. Department of Justice’s Criminal Division.
The new Florida Information Protection Act of 2014 has a reactive component—what companies must do after a breach—and a proactive component for what companies must do to protect personally identifiable information (PII), says Alfred Saikali, a partner with the law firm Shook, Hardy, and Bacon and co-chair of its data security and privacy practice. Fines can reach up to $500,000 per breach.
Companies have 30 days to notify consumers of any unauthorized access, not just theft, of data. The definition of customer is a broad one. “As long as you have information about Florida residents you would be expected to comply with the law,” Saikali says. “It is triggered by the jurisdiction of the individual whose information has been compromised. That’s a little controversial, but we haven’t seen a challenge yet from any company saying that they don’t need to comply because they are not in Florida.”
Florida’s law applies only to PII in electronic form, though an argument can be made that its secure disposal requirement applies to PII in any form given its use of the term “shredding,” Saikali explains. Other states, and the Health Insurance Portability and Accountability Act, one of the few federal laws that cover breaches, count paper.
Along with the usual items that constitute PII—name, address, Social Security number—Florida is the second state, joining California, to include user names, passwords, and password recovery security questions under its definition.
Companies that suffer unauthorized access to data must notify Florida’s Department of Legal Affairs, the office of its Attorney General, of any breach that affects more than 500 people no later than 30 days after reason to believe a breach occurred. That notice is to include a description of the event; how many Floridians were affected; services offered to affected consumers, such as credit monitoring; and a copy of the notice sent to customers, or an explanation for why one was not provided.
“In the context of a data breach incident, 30 days to determine what the incident is and provide notice is not a lot of time,” says Cynthia Larose, chair of the law firm Mintz Levin’s privacy and security practice.
As a concession to businesses, Florida officials will provide a waiver if a law enforcement agency asks to keep the incident under wraps. And, to ease the cost of compliance, it is one of the few states to allow e-mail notifications. If the cost of direct notice would exceed $250,000, more than 500,000 individuals are affected, or the covered entity does not have a mailing or e-mail address for the affected individuals, then substitute notice can be provided in the form of a Website posting or media outreach.
Saikali explains that the law’s “proactive component imposes obligations on covered entities regardless of whether or not they ever suffer a breach.” They must take “reasonable measures” to protect and secure PII, and arrange for the secure disposal of customer records containing PII as needed.
Patchwork of State Laws
Meeting all the various state requirements makes compliance “almost like playing whack-a-mole,” says Alisa Chestler, a shareholder with the law firm Baker Donelson. “If you compare it to the European Union, where the law is comprehensive and overarching, at least you have a one-stop shop,” she says. “While legislators are going to argue that what they have put in place is good security practice, it still presents all companies with a burden on making sure they understand it, know it, and comply with it.”
The key is understanding what the entire patchwork is and then trying to set some standards and procedures that will take into account all of them, says Philip Zender, a partner with the law firm Squire Sanders and co-leader of the firm’s global data protection and privacy practice group. He says companies should then focus efforts on complying with the tougher laws so they will meet the minimum requirement in every state and build that into policies on handling data. There are so many differences, however, that just complying with the toughest standards won’t cover them all. “You should be paying attention to all of the state laws and understand what your general requirements are under them. Most major corporations are dealing with every state,” Zender says.
FLORIDA’S NEW BREACH LAW
The following are selections from the Florida Information Protection Act of 2014, legislation that went into effect on July 1.
A covered entity shall give notice to the department [Attorney General] of any breach of security following discovery by the covered entity. Notice to the department must be made within 30 days after the determination of the breach or reason to believe a breach had occurred.
The written notice must include:
A synopsis of the events surrounding the breach.
A police report, incident report, or computer forensics report.
The number of individuals in this state who were or potentially have been affected by the breach.
A copy of the policies in place regarding breaches.
Any steps that have been taken to rectify the breach.
Any services being offered by the covered entity to individuals, without charge, and instructions as to how to use such services.
A copy of the notice sent to the individuals.
The name, address, telephone number, and e-mail address of the employee of the covered entity from whom additional information may be obtained about the breach and the steps taken to rectify the breach and prevent similar breaches.
Whether notice to individuals is being made pursuant to federal law or pursuant to the requirements of subsection.
NOTICE TO INDIVIDUALS OF SECURITY BREACH
A covered entity shall give notice to each individual in this state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach unless subject to an authorized delay.
If a federal or state law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for any period that the law enforcement agency determines is reasonably necessary.
A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, the affected individuals exceed 500,000 persons, or the covered entity does not have an e-mail address or mailing address for the affected individuals.
Source: Florida Senate.
A master list of state laws can be compiled, updated, and used as a resource once a breach occurs. She says companies might want to give Florida’s new law special consideration. “It is not just about the breach notification, it is about the further imperative for companies to understand their information security posture and compliance program fundamentally,” she says. “There is a need for a global compliance program addressing all facets of security compliance. What businesses, whether large or small need to think about is how their compliance plan works on the front end, not just for what to do after a breach in those 47 states.”
Don’t expect Congress to offer much help by providing an overarching federal law any time soon, despite ongoing efforts by several legislators to pass a breach notification law. While he was at the Department of Justice, Weinstein was frustrated that a legislative proposal to do so that he co-wrote was submitted unsuccessfully to the Senate Judiciary Committee.
“Anything that makes compliance with these laws simpler and less expensive for companies that are already dealing with the other financial and reputational consequences would be helpful,” he says. “[The state laws] vary in so many ways, from the definition of personal information, to the threshold for when you have to notify consumers, to whether or not you have an obligation to notify other governmental authorities, whether or not you do a risk/harm analysis, and whether there is a safe harbor if you use encryption.”
“Your problems are only beginning, not ending, when you discover the breach,” Weinstein says. “If it does happen, put yourself in the best possible position to withstand and defend yourself against the accusations and litigation that will follow.”
The upside to increasing state scrutiny and breach requirements, security experts say, is that these laws are helping compliance officers demand board attention.
“It is always up to the compliance folks to get the attention of whoever they are reporting to,” Larose says. “Sometimes it is tough to get time, attention, and money for these kinds of projects. The more the states revise their data breach notification laws and put the onus on the company that is experiencing the breach, it gives compliance more leverage to say, ‘We need to get on this.’”
“Prepare yourself for the nightmare before it even begins,” Weinstein says. “If it does happen put yourself in the best possible position to withstand and defend yourself against the accusations and litigation that will follow. Now, more than at any time since I’ve been doing this, directors and executives at the highest levels of companies are aware that they have to be involved in these issues. The risk of not being engaged is too great and the cost of an incident could be catastrophic.”