With all manner of personal and professional information on the internet as a result of cloud storage, online banking, and web-based interfaces, data breaches have become commonplace. Of late, one of the most notable data breaches came from Equifax one of the three credit bureaus, which ultimately affected up to 143 million customers. If a business the caliber of a major credit bureau, which is tasked with the responsibility of keeping personally identifying information private, falls victim to such a massive interference, then no business can be assured immunity.
Florida’s data breach statute is codified in Florida Statutes § 501.171. In short, the data breach statute provides legal liability for those who suffer an intrusion. The statute applies to entities that maintain, store, or use an individual’s personal information. If the personal information that you maintain, store, or use is accessed without authorization, your business may be liable up to $500,000 per breach. However, there are certain steps that your business can take to limit legal liability in the event of a data breach.
In order to fall under Florida data breach statute, an individual’s personal information must consist of an individual’s first name or first initial and last name, combined with any of the following:
· Social security number;
· Driver’s license, identification card, passport, military identification, or some other similar number on a government document used for identity;
· Financial account number or credit or debit card number, in combination with any required security code, access code, or password necessary to access the financial account;
· Information related to an individual’s medical history, treatment, condition, or diagnosis; or
· Information relating to an individual’s health insurance policy number.
Additionally, personal information can consist of an individual’s email address combined with the password or answer to a security question to gain access to that account.
Therefore, the easiest way to limit legal liability from a data breach is to eliminate the maintenance, storage, or use of this type of information. Obviously, this is easier in theory than in practice, but to the extent that your business can limit this information, it would be prudent to do so.
Under the data breach statute, if the personal information data is encrypted, secured, or modified so as to remove the elements that personally identify an individual, then the data breach falls outside the scope of the statute.
For good measure, implement a system to destroy personal information once it is no longer necessary. Set at time limit—say 30, 60, 90 days or longer—for information to be destroyed through shredding, erasing, or modification.
The data breach statute contains clear steps that must be taken once a data breach has been identified.
· Step 1: ensure that the data breach has actually stopped. Immediately unplug all Ethernet cables from all computers and hard drives.
· Step 2: avoid the destruction of any evidence. Do not delete any information on any computers or hard drives. In fact, we advise our clients to properly shut down all computers and hard drives, place them in a sealed container or bag, and tape the container or bag shut and initial with the date and time.
· Step 3: contact an attorney for an immediate consultation regarding potential obligations under the data breach statute.
If we suspect that a data breach has occurred, the first thing we will do is contact one of our preferred national computer forensic firms to conduct a forensic analysis on the affected machine. Doing so provides us with a clear understanding of the scope of the breach. Based on that information, we will advise how best to comply with the data breach statute while also limiting legal exposure.
In today’s digital world, encountering a data breach is unavoidable if your business maintains, stores, or uses personal information. Vigilance is necessary for prevention, and preparation is necessary to limit liability and ensure your company has the resources and protocol in place for a efficient cleanup.
If you have any questions or concerns about this issue or any other matter, please contact our office directly at 813-223-1099.