A Three Step Guide to Complying with Applicable Law When Your Data Has Been Breached
Regulatory compliance causes many companies to deal proactively with information security. There are multiple federal laws that impact and regulate the protection of Personally Identifiable Information (“PII”)[1], some of the most well-known being GLBA[2] (regulating financial institutions), HIPAA[3] (regulating the healthcare industry), SOX[4] (regulating US public company boards, management and public accounting firms), and FERPA[5] (regulating educational institutions). Further, the Payment Card Industry has the PCI DSS,[6] its proprietary information security standard, which, while not law, puts into place industry requirements that, if unmet, can put an organization out of business. This article will not attempt to tackle the myriad data security and privacy requirements that are compulsory for entities covered by the above regulations; rather, its narrow focus is how a company complies with applicable law in the event a data breach occurs.
Many companies that are not covered entities under the above federal laws nevertheless acquire, maintain, store or use PII of their customers, clients, and employees, and are therefore subject to U.S. state-level privacy breach disclosure laws.[7] For any company that houses or transfers PII of any individual, being proactive rather than reactive is the most prudent tactic when dealing with data breaches. This includes putting in place an Information Security Plan, a necessary element of which is the protocol to follow in the case of a data breach. Whether you are planning ahead or have found yourself in the middle of a crisis, a guide for complying with state-level data breach notice laws follows.
“Forty-seven states… have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information,” and in general these state laws follow the same pattern.[8] As an analysis is best conducted with a specific law in mind, this article will discuss the Florida Information Protection Act of 2014 (FIPA).[9]
COMPLYING WITH FIPA: A THREE STEP GUIDE
STEP 1: CONDUCT YOUR ANALYSIS
Before you conduct the analysis as to whether a reportable security breach occurred, determine what type of personal information is protected and whether the organization is a covered entity.
What type of Personal Information is protected under FIPA?
Like other state-level data breach disclosure laws, FIPA defines the Personal Information that is protected under the law. Protected Personal Information under FIPA includes a Floridian’s first name or first initial with the individual’s last name, in combination with a social security number, driver’s license number (or government-issued ID), or a financial account number or credit or debit card number with security code. Medical history and health insurance policy numbers are also protected, as is personal login information permitting access to an individual’s online account (including social media sites).
Encryption is a safe harbor under FIPA, and “information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable” is specifically excluded from the definition of Personal Information under FIPA, and no notice is required.
What is a covered entity under FIPA?
Any entity, commercial or governmental, that “acquires, maintains, stores, or uses personal information”[10] is covered under FIPA. This includes companies outside of Florida if they are exposed to a data breach where a Floridian’s personal information is affected.
STEP 2: COORDINATE WITH LAW ENFORCEMENT
FIPA states that notice to individuals is not required if, after conferring with law enforcement, the covered entity “reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.” If this is the case, the entity must document this determination and maintain a record for at least five years, plus provide written determination to the Department of Legal Affairs within 30 days.[11]
STEP 3: COMPLY WITH NOTICE REQUIREMENTS
If data was not encrypted and a determination is made that the breach may result in identity theft or financial harm, then notice to the Department of Legal Affairs and notice to individuals is required.
Notice to the Department of Legal Affairs
If a breach of security affects 500 or more Floridians, a covered entity must provide written notice to the Department of Legal Affairs “as expeditiously as practicable” but no later than 30 days after the breach is determined. Entities need to be cautious about the time frame and report as soon as possible, preferably well within 30 days.
Notice to Individuals
If a Floridian’s personal information was accessed as a result of a data security breach, the covered entity must give notice to the individuals affected no later than 30 days after the determination of the breach, but sooner, if possible, taking into account time for the entity to ascertain the scope of the breach and which individuals were affected as well as restore the integrity of the breached data system.
The notice must be in writing by either U.S. Mail or e-mail, and include the estimated date or date range of the breach, a description of the Personal Information accessed, and contact information the individual can use to contact the covered entity about the breach. If the cost to comply is more than $250,000, more than 500,000 individuals are affected, or the entity does not have the mailing or e-mail addresses for the individuals, then the entity may comply by posting notice on its website and using print and broadcast media. On the other hand, if a covered entity provides notice pursuant to the rules and procedures of the covered entity’s primary federal regulator, then it is deemed to be in compliance with FIPA. Last, if the Personal Information of more than 1,000 Floridians is accessed as described above, then the covered entity must also notify Credit Reporting Agencies.
PENALTIES AND FINES
FIPA has onerous notice requirements, and the penalties for noncompliance are high: fines of $1,000 per day for the first 30 days, $50,000 thereafter for each 30-day period or portion thereof for up to 180 days, with $500,000 as the maximum amount of total penalties for violations continuing more than 180 days. FIPA does not create a private cause of action for consumers, but fifteen states have data breach disclosure laws that do,[12] and therefore it is important to know which states’ laws cover your entity.
[1] “Personally identifiable information (PII) is any data that could potentially identify a specific individual… Sensitive PII is information which, when disclosed, could result in harm to the individual whose privacy has been breached. … Such information includes biometrics information, medical information, personally identifiable financial information (PIFI) and unique identifier such as passport or Social Security numbers.”
See http://searchfinancialsecurity.techtarget.com/definition/personally-identifiable-information
[2] The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999
[3] The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
[4] The Sarbanes–Oxley Act of 2002 (SOX)
[5] The Family Educational Rights and Privacy Act (FERPA) of 1974
[6] Payment Card Industry Data Security Standard (PCI DSS)
[7] Canada, Australia, and the European Union have privacy laws and the OECD has privacy guidelines that impact companies doing business on an international level. Those laws and guidelines are beyond the scope of this article.
[8] As of February 24, 2017; See http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[9] §501.171, Florida Statutes
[10] §501.171(1)(b)
[11] §501.171(4)(c)
[12] See http://www.americanbar.org/publications/youraba/2016/may-2016/state-data-breach-notification-laws-just-got-crazier.html