Florida Gov. Rick Scott has signed into law a bill that repeals the state's current data security breach law and replaces it with what one observer describes as the nation's broadest and most encompassing breach law.
The Florida Information Protection Act of 2014 requires companies to take reasonable measures to protect and secure data containing personal information in electronic form and requires notice to individuals of data security breaches under certain circumstances. It becomes effective July 1.
“There are some unique provisions in (S.B. 1524) that aren't found in typical state breach laws,” said Nathan D. Taylor, of counsel with law firm Morrison & Foerster L.L.P. in Washington.
Among other measures, the law will allow the Florida attorney general to require a copy of an incident or forensic report, along with copies of companies' policies and procedures at the time of the data breach. “That's pretty ground-breaking” in requiring the company “to provide such detailed, sensitive information,” he said.
The law also includes a provision that now defines covered personal information to include a username or email address in combination with a password or security question and answer that would permit access to an online account. Only California and Puerto Rico's laws have similar provisions, Mr. Taylor said.
Other attempts elsewhere, including in California, to pass a broad law have been unsuccessful, Mr. Taylor said.
“I think (Florida Attorney General Pam Bondi) made a case to the state Legislature that they need more power to address breaches after the spate of high-profile regional breaches occurred, and the Legislature listened,” he said.
He added that cyber breach laws are “only getting broader, and Florida is not likely to be the last to introduce and pass” a broad law, although it is unique in that jurisdictions elsewhere have just amended rather than repealed existing law.
Mr. Taylor said that with Kentucky having enacted a data breach law earlier this year, only Alabama, New Mexico and South Dakota do not have cyber breach laws.