State Data Breach Notification Policy
Introduction
The lack of a federal Consumer Privacy Bill of Rights means states must pass their own policies to protect their residents from data breaches and the mishandling of personal information. The Florida Information Protection Act is one of the most comprehensive data breach notification laws in the United States.
Exemplary Laws
Colorado’s Consumer Data Privacy Law
In 2018, Colorado increased protections for its residents with a new data breach protection law. Colorado’s breach notification law contains some of the most protective provisions in the country, including:
- A private or government organization that stores paper or electronic records must notify consumers and the government of a breach of any size within thirty days of that breach. The notification must include contact information and updates on any investigation into the breach.
- If the breach affects more than 1,000 records, the organization must also notify all nationwide credit reporting agencies.
- The definition of “personal information” includes an individual’s first name or first initial and last name when combined with social security number, ID number, medical or health insurance information, or biometric data. It also includes email and online credentials as well as credit card information.
- Organizations maintaining personal information must destroy that information when it is no longer needed.
- The attorney general may impose civil and criminal penalties for violations.
What’s Missing from Colorado’s Law?
While Colorado’s data breach law is quite comprehensive, it would be improved by requiring that companies implement certain baseline data security processes, rather than give companies wide latitude to determine what constitutes reasonable security measures.
Florida Information Protection Act of 2014
In 2014, Florida enhanced the protections afforded consumer data of Florida residents with the passage of the Florida Information Protection Act (FIPA). Florida’s data breach law is exemplary as one of the most comprehensive data protection laws in the nation. Its strong provisions include:
- If a data breach incident compromises the personal information (including usernames/passwords for online accounts) of over 500 Florida residents, the company or entity breached must inform the Florida Department of Legal Affairs as well as each affected or likely affected resident within 30 days of the breach discovery. Florida’s 30-day breach notification deadline is the strictest in the country.
- The breached company or entity is required to make certain materials available to the state government upon request, such as remedial procedures, incident reports, and computer forensic reports.
- The definition of “personal information” was expanded to include individuals’ first name or first initial and last name, in combination with any one of the following: passport number; medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or health insurance policy number, subscriber identification number, or any unique identifier health insurers use to classify individuals. FIPA also includes in its definition of “personal information” a user name or email address coupled with a password or a security question and answer that would permit access to an online account.
- Mandated disposal standards for customer data that is no longer to be retained, to prevent unauthorized access after disposal.
- Proactive measures: a requirement for businesses and entities that collect customer data to “take reasonable measures to protect and secure data in electronic form containing personal information” on Florida residents.
What’s Missing from Florida’s Law?
While Florida’s data breach law is quite comprehensive, it would be improved by requiring that companies implement certain baseline data security processes, rather than give companies wide latitude to determine what constitutes reasonable security measures.