What is FIPA?
FIPA is a law that went into effect July 1, 2014. FIPA was enacted to protect the security of confidential and personal information. FIPA requires certain entities, referred to as “covered entities,” to report breaches of personal information to Florida’s Department of Legal Affairs. Covered entities are also responsible for reporting breaches of their third party agents. With the prevalence of hacking, data mining, and other activities that routinely threaten the security of electronic data, it is important for Florida businesses to understand their obligations under FIPA, establish policies and procedures to timely handle and report data breaches, and ensure that their third party agents report data breaches upstream so the covered entity can meet its reporting obligations. FIPA also contains requirements for disposing of customer records.
Who must comply with FIPA?
FIPA applies to “covered entities,” which means a sole proprietorship, partnership, corporation, limited liability company, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. Given the breadth of this definition, most businesses in the state of Florida will be considered a covered entity.
What Type of Information is Covered by FIPA?
FIPA requires covered entities to report unauthorized access of data in electronic form containing “personal information,” (referred to as a “breach”). Personal information is broadly defined to include an individual’s first initial or first name and last name in combination with other confidential information, including, but not limited to: social security number; drivers’ license number; financial account or credit card number; information regarding medical history; or a health insurance policy number or subscriber number. Personal information also includes a user name or e-mail address in combination with a password and security question and answer that would permit access to an online account. The term does not include information made publicly available by a governmental entity, or information that is encrypted or where information is otherwise rendered unusable.
What is FIPA’s Breach Reporting Requirement?
FIPA’s breach reporting requirements require covered entities to report electronic data breaches to individuals whose personal information was compromised within 30 days of learning of a breach. If the breach involves 500 or more individuals, the covered entity must also provide notice to the Florida Department of Legal Affairs. If the breach involves more than 1,000 individuals, the covered entity must also notify credit reporting agencies. Due to the significant time and expense involved in reporting, businesses may consider obtaining insurance to cover reporting and other legal obligations that arise in the event of a data breach.
Third party agents of covered entities are required to report breaches to the covered entity within ten (10) days of a breach. Covered entities are ultimately responsible for reporting these breaches. As such, it is important that covered entities notify their third party agents of the reporting requirements, and ensure that contracts with these agnets have terms to protect the covered entity in the event the third party agent does not comply.
What are the penalties for non-compliance?
FIPA violations constitute a violation of the Florida Deceptive and Unfair Trade Practices Act, which may involve a civil penalty of up to $10,000 per violation along with attorneys’ fees in any litigation. Additional penalties may be assessed under FIPA including $1,000 per day that a violation continues up to 30 days, and $50,000 thereafter up to $500,000. FIPA does not create a private cause of action.
Written by: Samantha Prokop, Healthcare Attorney