Florida enacted the Florida Information Protection Act of 2014 (FIPA), which differs significantly from the state's existing breach notification law. FIPA will take effect on July 1, 2014.
Some significant differences between FIPA and Florida's existing breach notification law (West's F.S.A. § 817.5681) include:
Attorney General notification. Breached entities must notify Florida's Attorney General within 30 days of a breach affecting more than 500 Florida residents.
Broader definition of personally identifiable information (PII). FIPA expands the PII definition to include a username or e-mail address combined with a password or security questions and answers that allow access to an online account.
Shortened breach notification period. Breached entities must notify affected individuals no later than 30 days after the breach. The existing law required breached entities to notify within 45 days after the breach.
E-mail notification. FIPA allows breach notification to affected individuals by e-mail.
Incident and forensic reports. If the Florida Attorney General requests them, breached entities must provide incident reports, data forensic reports and company policies regarding breaches.
Proactive security requirements. FIPA requires companies maintaining PII to adopt reasonable measures to protect and secure PII.
Attorney General enforcement. Violating FIPA automatically violates Florida's Deceptive and Unfair Trade Practices Act, enforceable only by the Florida Attorney General.