NAVIGATION

February 22, 2018
Insider knowledge and data breaches

Photo:

Cyber-security in Florida

Insider knowledge and data breaches

Amy Martinez | 1/27/2016

Know About

Law #1

The Florida Information Protection Act

Bottom line: Under certain circumstances, Florida businesses must tell consumers — and the state — if they’ve suffered a data breach. They can be fined if they don’t.

This law, passed almost two years ago, requires organizations based in and outside the state to inform Floridians when their unencrypted personal information has been compromised.

Companies also must notify the Attorney General’s office if more than 500 of their customers are affected. Firms don’t have to tell consumers if they and law enforcement determine no one is likely to suffer identity theft or financial loss, but they still have to tell the Attorney General.

Failure to notify within the mandated 30 days violates Florida’s Deceptive and Unfair Trade Practices Act and can mean a $1,000 per day fine with penalties increasing substantially after 30 days.

Since July 2014, Florida’s Attorney General’s Office has participated in two settlements over breaches, one with Zappos for $106,000, of which Florida got $11,000, and one with TD Bank for $850,000, of which Florida got $59,000. The breaches, however, predate the law.

“We have several investigations pending, and as these investigations are active and ongoing, it would not be appropriate to comment any further,” says Whitney Ray, spokesman for Attorney General Pam Bondi. That said, Bondi has alerted consumers, beginning in 2014, about breaches at Community Health Systems, Jimmy John’s, Home Depot, Anthem and T-mobile.

Attorneys who specialize in cybersecurity say most businesses seem unaware of their duty under the law. “Nobody really knows about it,” says Paul Lopez, chair of the litigation department at Tripp Scott in Fort Lauderdale.

The law doesn’t allow a consumer affected by a data breach to sue the business or organization that got breached. But plaintiffs lawyers could still sue for negligence or breach of fiduciary duty and might cite the act as establishing an obligation to protect information, Lopez says.

Law #2

The Computer Abuse and Data Recovery Act

Bottom line: Businesses can sue hackers or former employees who steal data.

This cyber-oriented law, which took effect Oct. 1 gives businesses the ability to go after — and collect damages from — people who access their data without permission and cause harm to the business or gain for themselves.

A company has to show that it took reasonable steps — a password, for instance — to keep unauthorized people off its computers. In theory, a company now could sue a hacker in Russia, but good luck collecting.

Attorney Paul Lopez expects the law will see a lot of use as an additional cause of action against former employees in cases over violation of non-compete clauses or theft of trade secrets. It’s said that seven of 10 cyber-attacks are by former employees or someone who once had access to a computer system.

Tags: Technology/Innovation

Digital Access

DIRECT DIGITAL ACCESS
Add digital to your current subscription, purchase a single digital issue, or start a new subscription to Florida Trend.

TABLE OF CONTENTS
An overview of the features and articles in this month's issue of Florida Trend.

ACCESS THIS ISSUE »

Florida Business News

Florida Trend Video Pick

National Space Council: State of the Satellite Industry
National Space Council: State of the Satellite Industry

Tom Stroup, president of the Satellite Industry Association, speaks on the industry's status during the National Space Council's second meeting at Kennedy Space Center on Wednesday, Feb. 21, 2018.

Earlier Videos | Viewpoints@FloridaTrend

Ballot Box

What's your favorite Florida beach? (tell us in comments)

  • The one nearest me, which is _____
  • One not near me, but I still think it's the best, which is ______
  • None, not a beach person

See Results

Ballot Box
Subscribe