New state law is unique, broader and stricter than similar data breach laws
First there was HIPAA. Now there’s an added layer with FIPA, the Florida Information Protection Act of 2014 that Gov. Rick Scott signed into law June 20. Unanimously passed by Florida lawmakers on April 30, the new legislation took effect July 1.
Legal analysts have described FIPA as the nation’s broadest and most encompassing data protection law. It requires companies to take reasonable measures to protect the covered electronic data of Floridians, while also mandating notifications to individuals of even the smallest security breaches involving their personal information.
“The law is rather unique among the various states and, arguably, is stricter than similar data breach laws in other states,” said Tatiana Melnik, a Tampa healthcare attorney, focusing on healthcare information technology (HIT), and licensed to practice law in Florida and Michigan. “Additionally, the law is broad in application, covering almost all businesses that have customers in Florida or that maintain ‘personal information’ about Florida residents. The law also requires that companies use ‘reasonable measures’ to secure data, without defining ‘reasonable measures.’”
Even though the statute's provisions are similar to data breach laws in other states, FIPA defines covered personal information differently. If a breach occurs, the organization has 30 days from discovery of the breach to notify affected individuals.
“Those in the healthcare space will be familiar with the term ‘covered entity’ but note that this provision covers every organization—beyond just healthcare—that acquires, maintains, stores, or uses personal information,” said Melnik. “The definition of personal information is quite broad and includes social security numbers, healthcare information, health insurance policy number, credit card numbers, and a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.”
Community Health Systems (NYSE: CYH), the nation’s largest hospital group by number of beds, received sharp criticism for not disclosing its massive data breach sooner. According to its filing with the SEC, the breach, which affected nearly 5 million patients, reportedly occurred in April or May, yet wasn’t made public until August. Exactly when the security breach was detected remains unclear. At least one proposed class action suit, in Alabama, has already been filed against CHS based on this breach.
“Under Florida's previous law, organizations were required to notify within 45 days,” Melnik pointed out. “Now, it’s ‘no later than 30 days after the determination of a breach or reason to believe a breach occurred’ unless there’s a law enforcement delay or ‘if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.’”
Under FIPA, any breach involving 500 or more individuals requires notifying the Florida Department of Legal Affairs, which will require a full breach investigation report and evidence, along with copies of applicable policies and procedures.
“This statute is a relatively sweeping change for Florida and raises the bar for other states,” said Melnik. “It applies to every business that handles ‘personal information’ of Florida residents and requires these businesses to take proactive ‘reasonable measures’ to secure data.
“But, like many other data breach and data security statutes, FIPA fails to define what it means to take ‘reasonable measures.’ In general, this means that companies need to follow industry best practices. As a starting point, businesses should conduct a risk analysis to better gauge their risks.” (See sidebar.)
FIPA also implements a records disposal requirement, said Melnik.
“The law requires that each covered entity or third-party agent take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained,” explained Melnik. “Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” This also means that “organizations need to understand the type of data they have on hand and implement a data disposal policy.”
Given the increased liability brought about by this statute, Florida-based businesses that share data with other entities should review their contracts to ensure that data breach notification requirements are included together with appropriate cyberliability (data breach) insurance requirements, damages caps, and indemnification language, encouraged Melnik.
“Non-Florida based businesses that handle ‘personal information’ of Florida residents should be aware that they too may be subject to the requirements and pulled into court under the Florida Long-Arm Statute,” she said.
Interestingly, Melnik pointed out, the Florida legislature addressed this possibility in the “Bill Analysis and Fiscal Impact Statement” as follows: “Although the bill doesn’t specifically provide that the covered entity must be conducting business in this state, the Florida Long-Arm statute may provide courts with the authority to assert personal jurisdiction over a non-resident covered entity. The statute enumerates a number of actions that a person or … representative may take that would submit that person to the jurisdiction of Florida courts. Those actions include, among other things, operating, conducting, engaging in, or carrying on a business venture in this state or having an office or agency in this state; committing a tortious act within this state; or breaching a contract in this state by failing to perform acts required by the contract to be performed in this state. A person may also become subject to the jurisdiction of a Florida court if the person is engaged in substantial and not isolated activity within Florida.”
Steps Healthcare Companies Should Take Now for FIPA Compliance
Companies should consider taking a few proactive steps to gauge their risks and liabilities under FIPA, the Florida Information Protection Act of 2014, in light of the proactive requirement to take security measures, the shortened deadline to provide data breach notification, and the notification requirements for downstream entities such as business associates, vendors, and contractors, suggested Tatiana Melnik, a Tampa healthcare attorney focusing on healthcare information technology (HIT).
Undertake a risk analysis to better assess potential risks and vulnerabilities to the confidentiality, integrity and availability of all personal information handled by the company. For a good risk analysis starting point, consider looking to the HIPAA materials and NIST (National Institute of Standards & Technology) guidance documents.
Review existing privacy and security policies and procedures; update as needed. The policies should reflect what the organization actually does and not what it would do in an ideal world. Policies that are in place but aren’t followed may demonstrate willful negligence and emerge as the proverbial “smoking gun” in litigation.
Develop an incident response plan, which should include a data breach notification plan. This plan should be called an “incident response plan” because not every incident is a breach. By calling something a “breach,” your team may be attributing a legal meaning to an event that is merely a potential security incident. Keep in mind, the term “breach” is defined in the statute. Any security incident is a stressful event. Having a plan in place that, at the very least, contains important phone numbers for contacts who can assist you through the process will ease the stress a bit. Your attorney should be the first call to make because you never know what you’re going to find during an investigation.
Encrypt personal information to the fullest extent possible and definitely encrypt all mobile devices. The loss and theft of laptops is one of the leading causes of data breaches. Laptops should have full hard drive encryption rather than a separate drive that each employee is expected to use to store personal information. If your company is using a Windows-based product, check to see if BitLocker is available on the version you're using, because it comes preinstalled in some Windows products and only needs to be enabled. Employee-owned mobile devices with access to “personal information” should be enrolled in a mobile device management system, and the company should have written authorization from the employee to wipe the device, copy the device, and seize it in the event of litigation. Encryption is particularly important because it pulls the information out of the definition of “personal information” and therefore also pulls it out of the breach notification requirement.
Identify all vendor and business relationships that impact “personal information” and review the existing contracts to ensure that your business will receive timely notification in the event of an incident, as well as cooperation during the investigation.
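The BitLocker step above says to check whether BitLocker is available and enabled on company Windows machines. The following PowerShell script is an added example, not code from the article or from Melnik Legal, showing how an administrator can produce that check as evidence for a policy file: it confirms the BitLocker cmdlets exist on the edition in use, notes whether a TPM is ready, and reports every operating-system or fixed data volume that is not fully encrypted with protection on. The cmdlets (Get-BitLockerVolume, Get-Tpm) are the standard Windows BitLocker and TPM modules; the "Compliant" definition, the function name, and the CSV file name are this example's own assumptions.

```powershell
# Added example (not from the article): report fixed volumes that lack
# BitLocker protection so unencrypted laptops can be found and remediated.
# Assumes Windows with the BitLocker PowerShell module (Pro/Enterprise/Server
# editions); run in an elevated PowerShell session.

function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param()

    # The BitLocker module is only present on editions that ship the feature,
    # so a missing cmdlet means the edition itself needs attention.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        Write-Warning "BitLocker cmdlets not found; this Windows edition may not include BitLocker."
        return
    }

    # A ready TPM lets the OS volume unlock without a USB key or PIN at boot.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = if ($tpm) { [bool]($tpm.TpmPresent -and $tpm.TpmReady) } else { $false }

    foreach ($vol in Get-BitLockerVolume) {
        # Only OS and fixed data volumes are in scope here; removable media is skipped.
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

        # Assumed compliance rule: fully encrypted AND protectors enabled.
        # A volume that is encrypted but has protection suspended is not compliant.
        $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionPct    = $vol.EncryptionPercentage
            KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ',')
            TpmReady         = $tpmReady
            Compliant        = $compliant
        }
    }
}

# Usage: show volumes needing remediation, then keep a dated record for the policy file.
$report = Get-BitLockerComplianceReport
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
$report | Export-Csv -Path ".\bitlocker-report-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Running this from a management tool on each endpoint and retaining the CSV output gives the kind of evidence of "reasonable measures" that the article says the Department of Legal Affairs may ask for after a reportable breach.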
SOURCE: Tatiana Melnik, JD, Melnik Legal PLLC.