The internet has forever changed the way people shop for goods and services. Websites are the new shop windows, and we can order anything from pizza to tickets for a play from the comfort of our sofas. This means that every day millions of dollars are being sent electronically around the nation, and information such as credit card numbers, their expiry dates and a vast amount of personal data is stored on servers all over the world. Doctors and clinics even store patients’ health records electronically, and it is vital that customers feel confident this data is being protected.
After all, this information is worth a great deal of money to criminals and malicious hackers. With your social security details or driver’s license number, a criminal can steal your identity, clear out your bank account, and do a great deal of lasting damage. Intel estimates the likely annual cost to the global economy from cybercrime is more than $400 billion and growing.
Your customers need to be able to trust you with their vital data, and you need to do everything you can to keep it safe. Many states are bringing in legislation to ensure the protection of customer data. One of the most important stipulations of such laws is that businesses must notify customers when data has been breached, so that they can take appropriate action to protect themselves.
Few would deny that consumers have a right to be informed when data is lost or stolen. Mandatory notification ensures customers discover which organizations have poor data breach records. Such laws also encourage businesses to improve their data handling practices at all levels and to protect themselves from cybercrime.
The Florida Information Protection Act of 2014 (“FIPA”) became effective on July 1, 2014. This obligates businesses and government entities that keep and use the data of individuals to take measures to protect it, and to provide notice of any IT breaches.
This law means that Florida now has some of the strictest breach notification statutes in the nation.
How does it affect you as a business owner?
What FIPA requires:
- Personal information is defined as customers’ names in combination with health insurance, medical or financial information, and includes online account information.
- A business has a 30-day notice period in which it must warn affected customers of a data breach.
- Third-party agents of covered entities that have a breach must notify the covered entity no later than ten days after the discovery of the breach.
- A business must notify the Florida Department of Legal Affairs within 30 days if more than 500 Florida residents are affected by the breach.
- Businesses and state agencies have to take measures (encryption for example) to protect data and ensure records are disposed of via shredding, erasing or modification so that they are undecipherable.
- Any failure to provide customers with notice of a breach is subject to a civil penalty for each breach of up to $1,000 per day for the first 30 days, and $50,000 for each subsequent 30-day period for up to 180 days. State governmental entities are subject to notification requirements rather than civil penalties.
- Any violations of FIPA are treated as deceptive trade practices.
If you fail to follow these FIPA regulations, you could also end up in legal hot water: affected customers may sue for damages caused by data breaches under theories of negligence, breach of contract, unjust enrichment and restitution, and breach of fiduciary duty.
FIPA for health care agencies
Due to the very personal nature of the information healthcare providers and clinics hold about their patients, data breaches in this sector are treated very seriously. As such, there are already relevant federal laws in place, such as the Health Insurance Portability and Accountability Act (HIPAA). HIPAA-covered businesses such as doctors and dentists are already familiar with the concepts of appropriately encrypting and de-identifying personal information. However, under FIPA, if you want to avoid sending notice of a potential breach, you are required to consult with a law enforcement agency to determine whether information has been compromised.
Securing a business does involve costs, of course, but not protecting your organization appropriately could cost you your clients, your reputation and maybe even your entire business. You need to put in place a breach response plan and assess your internal compliance, to ensure you are capable of meeting the new, shortened response times required by FIPA.
How to comply with FIPA
If you have not already, you need to update all of your policies and procedures to address areas where FIPA requires you to meet additional requirements regarding breach notification and investigation. You also need to revise any agreements and staff policies to reflect new requirements such as 30- or 10-day reporting. It is also a good idea to update your policies for identifying data breaches and notifying customers and check that only proper methods are being used for the destruction of data.
Finally, review your liability policies to find out to what extent you are covered in the case of a data breach. As the costs of data breaches rise, some insurers will no longer cover them. You may need to add a separate cyber-liability policy to your insurance.
If you have any questions about the new FIPA law or about how you can improve your IT security and prevent data breaches, get in touch with the experts at IT Authorities and we can tell you more.