Businesses which maintain, store or use the personally identifying information of their customers may have a legal duty to notify affected individuals in the event of a breach. Florida is one of 46 states, along with the District of Columbia, Puerto Rico and the Virgin Islands, that have laws requiring notification of security breaches involving personally identifying information. Specifically, Florida Statute Section 501.171 makes it an unfair and deceptive trade practice, under certain circumstances, for any commercial entity which maintains, stores or uses the personal information of its customers to fail to notify the affected individuals and the Department of Legal Affairs (DLA) in the case of a breach.
While the law does not provide the individual consumers with a private right of action against the commercial entity, it does provide that such failure to inform (unless otherwise exempted) will be treated as an unfair or deceptive trade practice in any action brought by DLA under Section 501.207. Remedies under this provision of the statute can include DLA bringing an action on behalf of one or more consumers for the actual damages caused. Moreover, the law provides that a civil penalty shall be imposed against any commercial entity that violates this section. Specifically, the civil penalty for which the commercial entity shall be liable is $1,000 a day for up to the first 30 days following any violation and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days. If the violation continues for more than 180 days, DLA may impose a civil penalty in an amount not to exceed $500,000. The statute clearly states that these civil penalties apply per breach and not per individual affected by the breach.
The statute defines personal information to mean an individual’s first name or first initial and last name in combination with one or more of the following:
- A social security number.
- A driver license or identification card number, passport number, military identification number or other similar number issued on a government document to verify identity.
- A financial account number or credit or debit card number in combination with any of the required information to access the account.
- Any information regarding the individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- An individual’s health insurance policy number or any unique identifier used by a health insurer to identify the individual.
- A username or email address, in combination with a password or security question and answer that would permit access to an online account.
Importantly, the term excludes information that has been encrypted, secured or modified by any other method so that the elements of personally identifying information are removed or the information is otherwise rendered unusable.
The statute provides another important exemption from the requirement to notify the affected individuals. Specifically, a breach does not have to be reported to the affected individuals if, after an appropriate investigation and consultation with relevant law enforcement, the commercial entity reasonably determines that the breach has not resulted, and will not likely result, in identity theft or any other financial harm. Such determination must be documented in writing and maintained for at least five years. Such determination must also be provided to DLA within 30 days after it was made.
Accordingly, commercial entities which maintain this type of personally identifying information should consider whether it makes sense to incur the costs associated with encryption in order to avoid the potential costs associated with notifying their customers in the case of a breach, or costly civil remedies and potential liability for actual damages. Moreover, while neither this statute nor federal statutes relating to the protection of personal information from disclosure, such as HIPAA, provide a private right of action for the individual customers, at least one court in Florida found that a bank had a duty premised on “a relation of trust and confidence” to keep the plaintiff’s account information private, confidential and from being misused by others. Gomez v. Wells Fargo Bank, N.A., 2014 U.S. Dist. LEXIS 2871.

Laurie Thompson