Cyber-security in Florida
Insider knowledge and data breaches
The Florida Information Protection Act
Bottom line: Under certain circumstances, Florida businesses must tell consumers — and the state — if they’ve suffered a data breach. They can be fined if they don’t.
This law, passed almost two years ago, requires organizations based in and outside the state to inform Floridians when their unencrypted personal information has been compromised.
Companies also must notify the Attorney General’s office if more than 500 of their customers are affected. Firms don’t have to tell consumers if they and law enforcement determine no one is likely to suffer identity theft or financial loss, but they still have to tell the Attorney General.
Failure to notify within the mandated 30 days violates Florida’s Deceptive and Unfair Trade Practices Act and can mean a $1,000 per day fine with penalties increasing substantially after 30 days.
Since July 2014, Florida’s Attorney General’s Office has participated in two settlements over breaches, one with Zappos for $106,000, of which Florida got $11,000, and one with TD Bank for $850,000, of which Florida got $59,000. The breaches, however, predate the law.
“We have several investigations pending, and as these investigations are active and ongoing, it would not be appropriate to comment any further,” says Whitney Ray, spokesman for Attorney General Pam Bondi. That said, Bondi has alerted consumers, beginning in 2014, about breaches at Community Health Systems, Jimmy John’s, Home Depot, Anthem and T-Mobile.
Attorneys who specialize in cybersecurity say most businesses seem unaware of their duty under the law. “Nobody really knows about it,” says Paul Lopez, chair of the litigation department at Tripp Scott in Fort Lauderdale.
The law doesn’t allow a consumer affected by a data breach to sue the business or organization that got breached. But plaintiffs’ lawyers could still sue for negligence or breach of fiduciary duty and might cite the act as establishing an obligation to protect information, Lopez says.
The Computer Abuse and Data Recovery Act
Bottom line: Businesses can sue hackers or former employees who steal data.
This cyber-oriented law, which took effect Oct. 1, gives businesses the ability to go after — and collect damages from — people who access their data without permission and cause harm to the business or gain for themselves.
A company has to show that it took reasonable steps — a password, for instance — to keep unauthorized people off its computers. In theory, a company now could sue a hacker in Russia, but good luck collecting.
Attorney Paul Lopez expects the law will see a lot of use as an additional cause of action against former employees in cases over violation of non-compete clauses or theft of trade secrets. It’s said that seven of 10 cyber-attacks are by former employees or someone who once had access to a computer system.