Examining Florida’s New FIPA Law for Data Breaches

July 22, 2014

In light of several recent massive customer data breaches, states have expanded their information security laws to include different notification requirements.  Earlier this month, Florida enacted the Florida Information Protection Act of 2014 (“FIPA”), which replaced an earlier version of a similar law.  While quite expansive, let’s take a brief look at the new FIPA—and see just how “new” a law it really is.

  1. FIPA’s definition of “personal information” is quite broad.  Most states define a data breach in terms of some identifying information (e.g. first initial and last name) PLUS some other data (e.g. bank account number, social security number, driver’s license number, etc.).  FIPA has that as part of its definition.  What’s really new is that a username/password combination by itself constitutes “personal information.”  This suddenly brings bulletin boards and discussion sites into the realm of data breach notification laws.  A bit novel but not earth-shattering.
  2. FIPA requires notification to the Florida Attorney General when a breach involves 500 or more Florida residents.  This isn’t particularly novel, as other states, such as California, Idaho, Louisiana, Maryland, New York, and New Jersey (plus a bunch of others), have had similar types of requirements for years.
  3. FIPA covers third parties that hold or warehouse a company’s data and then suffer a breach.  Again, this isn’t particularly new—Connecticut, for instance, has included a similar requirement since 2011.

Are these laws going too far and becoming too onerous for companies?  Certainly, that is the position of some attorneys and lobbyists.  Personally, I have very little sympathy for this position.  First, most laws (except some narrow outdated examples) provide a huge exception for encrypted data.  In other words, if your company gets hacked and suffers a data breach, there aren’t any notification requirements if that data is encrypted.  Given how robust modern encryption technologies are, this makes sense because the bad guys can’t access the underlying data.  Second, the enormous potential harm (e.g. identity theft, credit card fraud, etc.) and the comparatively low cost of data encryption shift the burden squarely onto the companies holding customer data.

At the same time, there is one aspect of this issue where I do feel some sympathy for companies suffering a data breach—the confusing myriad of different state laws!  In this online age, it simply doesn’t make sense for more than 99% of online activities to monitor, or even care about, what state their visitors come from.  Yet the state where a customer resides makes all the difference in data breach notification.  Different states require different types of notifications to different people at different times.  For all but the largest companies with the biggest legal teams, this is a nightmare.  This plethora of different state laws also makes non-compliance much more likely—which ultimately hurts consumers.  I would much rather see a uniform Federal data breach notification law.  Alternatively, professional organizations like the International Association of Privacy Professionals (IAPP) could create a model standard that states can choose to adopt—much in the same way that the American Bar Association’s Model Rules of Professional Conduct help shape different state bar ethical requirements.

Learn how HiSoftware’s automated encryption solutions help prevent data breaches.

Ken Nakata

Ken Nakata, JD, CIPP/US is one of the most well-known attorneys in the area of IT accessibility and is the Director of Cryptzone’s Accessibility Consulting Practice (ACP). Nakata’s work focuses on Web and software accessibility from both a legal and technical perspective. Nakata’s ACP team helps organizations manage the change towards accessibility in all aspects, providing consulting services aimed at shaping their accessibility policies and practices, and evaluating the overall state of their Web properties leveraging Cryptzone’s accessibility solutions. He is also a board member for the International Association of Accessibility Professionals (IAAP), of which Cryptzone is a founding member.

Nakata worked for twelve years as a Senior Trial Attorney with the U.S. Department of Justice. He has argued on behalf of the United States government many times before the federal courts and has helped shape the government’s policies for the Americans with Disabilities Act and Section 508 of the Rehabilitation Act. Nakata also worked as Director of Accessibility and Government Compliance at BayFirst Solutions, a Washington, DC consulting firm.

In 2000, Attorney General Janet Reno presented Nakata with the Attorney General’s Award for Excellence in Information Technology. In addition to practicing law, Nakata is active in software and web-based technologies, including Java, JavaScript, SQL, and ColdFusion. In July 2001, he was certified by Sun Microsystems as a programmer for the Java 2 Platform. Nakata is a frequent speaker on both law and technology and is equally adept at conducting one-on-one workshops with programmers and developers as well as explaining law and policy to large audiences. He holds a Bachelor of Arts degree in mathematics from Johns Hopkins University and a Juris Doctor degree from the University of Pennsylvania Law School, and is admitted to the bars of New York, the District of Columbia, Pennsylvania and Washington.