New Florida Information Protection Act

A new Florida law – The Florida Information Protection Act (FIPA) – took an effect on July 1, 2014. The new law requires companies to take reasonable steps to protect and secure data containing personal information in electronic form. The law also requires notice to individuals of data security breaches where such individual’s personal information has, or reasonably may, be accessed.

“As the field of cyber risk continues to develop, laws such as FIPA will become more prevalent — as will civil and regulatory litigation emanating from FIPA and like-related statutes. This raises the question as to how a company’s insurance will respond,” said Dan Freudenthal, president of CRIO.

FIPA also requires the company to notify the Florida Department of Legal Affairs of any breach of security which affects 500 or more individuals in the state. The statute sets forth the substantive requirements for such notification letter. If the company identifies circumstances requiring notice of more than 1,000 individuals at a single time, FIPA requires that the company shall also notify all consumer reporting agencies.

Among other measures, the law will allow the Florida attorney general to require a copy of an incident or forensic report, along with copies of companies’ policies and procedures at the time of the data breach.

Regarding enforcement of this statute, FIPA provides that violations will be treated as an unfair or deceptive trade practice and civil penalties will be assessed. The law outlines implementation of the penalties, which are not to exceed $500,000.00.

“Directors & Officers policies may provide coverage for regulatory investigations and lawsuits, but subject to exclusions. The crime policy may present limited or no coverage depending upon the type of the cyber-related loss. However, neither of those policies may provide coverage for the costs associated with navigating and remedying a data breach,” commented Greg Barret, Principal of CRIO. “As such, businesses should consider whether it is prudent to obtain cyber risk policies which may provide coverage for exposure associated with business interruption, notification costs, forensic IT services, PR services for public damage control, or third party liability claims”.

The above discussion is not exhaustive and businesses should become familiar with the provisions relevant to this new law as well as their insurance policies.