Shook, Hardy & Bacon Data Privacy & Security Co-Chair Al Saikali recently spoke with Compliance Week about the new Florida Information Protection Act of 2014, which requires companies to notify affected individuals and the state's Department of Legal Affairs within 30 days of determining that a breach has occurred. Titled "States Making Tough New Breach Notification Demands," the July 2014 article notes that the absence of federal rules has created a compliance challenge for companies facing a patchwork of state measures.
As Saikali explains, Florida's law includes both "a reactive component—what companies must do after a breach—and a proactive component for what companies must do to protect personally identifiable information (PII)." To this end, the law broadens the definition of personal information: in addition to names, addresses and Social Security numbers, it now treats a username or e-mail address combined with a password, or with a security question and answer, as PII. "As long as you have information about Florida residents you would be expected to comply with the law," concludes Saikali. "It is triggered by the jurisdiction of the individual whose information is compromised. That's a little controversial, but we haven't seen a challenge yet from any company saying they don't need to comply because they are not in Florida."