In light of several recent massive customer data breaches, states have expanded their information security laws to include different notification requirements. Earlier this month, Florida enacted the Florida Information Protection Act of 2014 (“FIPA”), which replaced an earlier version of a similar law. While quite expansive, let’s take a brief look at the new FIPA—and see just how “new” a law it really is.
- FIPA’s definition of “personal information” is quite broad. Most states define a data breach in terms of some identifying information (e.g. first initial and last name) PLUS some other data (e.g. bank account number, social security number, driver’s license number, etc.). FIPA has that as part of its definition. What’s really new is that a username/password combination by itself constitutes “personal information.” This suddenly brings bulletin boards and discussion sites into the realm of data breach notification laws. A bit novel but not earth-shattering.
- FIPA requires notification to the Florida Attorney General when a breach involves 500 or more Florida residents. This isn’t particularly novel as other states, such as California, Idaho, Louisiana, Maryland, New York, and New Jersey (plus a bunch of others) have had similar types of requirements for years.
- FIPA covers third parties that hold or warehouse a company’s data and then suffer a breach. Again, this isn’t particularly new—Connecticut, for instance, has included a similar requirement since 2011.
Are these laws going too far and becoming too onerous for companies? Certainly, that is the position of some attorneys and lobbyists. Personally, I have very little sympathy for this position. First, most laws (except some narrow outdated examples) provide a huge exception for encrypted data. In other words, if your company gets hacked and suffers a data breach, there aren’t any notification requirements if that data is encrypted. Given how robust modern encryption technologies are, this makes sense because the bad guys can’t access the underlying data. Second, the enormous potential harm (e.g. identity theft, credit card fraud, etc.) and the comparatively low cost of data encryption shift the burden squarely onto the companies holding customer data.
At the same time, there is one aspect of this issue where I do feel some sympathy for companies suffering a data breach—the confusing myriad of different state laws! In this online age, it simply doesn’t make sense for more than 99% of online activities to monitor or even care about what state their visitors come from. Yet the state where a customer resides makes all the difference in data breach notification. Different states require different types of notifications to different people and at different times. For all but the largest companies with the biggest legal teams, this is a nightmare. This plethora of different state laws also makes non-compliance much more likely—which ultimately hurts consumers. I would much rather see a uniform Federal data breach notification law. Alternatively, professional organizations like the International Association of Privacy Professionals (IAPP) can create a model standard that states can choose to adopt—much in the same way that the American Bar Association’s Model Rules of Professional Conduct help shape different state bar ethical requirements.