Data Breach Notification Law: Will Florida Lead? - InformationWeek


Healthcare // Security & Privacy
12:15 PM
Mac McMillan


Florida's stringent new breach notification law might encourage lawmakers to finally enact a federal standard.


Many have argued that the federal government should pass a single breach notification law that levels the playing field for businesses handling sensitive, personally identifiable information while protecting consumer privacy. So far Congress has been reluctant to do so, and as a result more than 40 states now have their own versions of such a law, some of which go beyond what the federal government requires in other statutes, such as the Health Insurance Portability and Accountability Act (HIPAA).

California, for instance, has a five-day reporting requirement for in-state entities when there is a breach. Texas passed a comprehensive law last year affecting folks both inside and outside the state. Massachusetts has a more comprehensive breach law that goes beyond simply addressing notifications. Wisconsin has a more stringent law relating to misdirected faxes, and Minnesota is rumored to be considering laws based on the California system.

Then there's Florida. Florida's new law, which went into effect on July 1, is worth watching. This law fundamentally changes the playing field in terms of what information is protected and who the law applies to. It also affects the notification schema and does not distinguish between small and large breaches. To top it all off, it does not replace HIPAA -- it is an addition to HIPAA. This means healthcare organizations and business associates (BAs) must meet two separate breach standards with two very different timelines. The six million dollar question: What, if any, impact will Florida's new law have on other states that are contemplating their own breach laws to protect consumer information?

[For more on the Florida Information Protection Act of 2014, see Florida Law Aims To Tighten Data Security.]

To understand the potential implications of the new law better, it's helpful to clarify the differences between the Florida Information Protection Act (FIPA) and HIPAA. First, Florida's statement regarding the applicability of the statute is far broader, listing both government and private institutions that collect personally identifiable information as covered entities. So while HIPAA is very specific to the types of organizations it applies to, FIPA does not discriminate.

The second big difference is the law's treatment of large versus small breaches. Once again, FIPA does not differentiate -- all breaches, large or small, are subject to notifications. FIPA, like HIPAA, stipulates civil monetary penalties (CMPs), but unlike HIPAA, Florida's CMPs are rolled out on a much different schedule. They are initially assessed daily, then weekly -- and finally, there is an annual limit of $500,000.

The law includes the most comprehensive set of breach notification requirements for both covered entities (CEs) and BAs. Notification requirements are based on the number of individuals impacted. When 500 or more individuals are impacted, notification must be made to the State Attorney General (SAG) and to all individuals involved. For breaches affecting more than 1,000 individuals, the entity must notify all credit agencies in addition to the SAG and individuals involved. Breaches involving fewer than 500 records require notifications only to the individuals affected. Covered entities are responsible for the actions of their subcontractors and agents.

Finally, the rule also provides for the CE to notify local law enforcement and to include it in the decision about notification. The questions remain: Will Florida's new law influence other states to follow suit? And will the federal government finally issue a common breach notification law so we don't end up with multiple versions across different states?


Mac McMillan is co-founder and CEO of CynergisTek Inc., a firm specializing in the areas of information security and regulatory compliance in healthcare. He is the current Chair of the HIMSS Privacy & Security Policy Task Force and was recognized in 2012 as an HIMSS Fellow.
8/15/2014 | 3:06:12 PM
Uniform data breach
One piece that Mac didn't mention is that the Florida law (and most of the state laws) has a much more restricted definition of the identifiers that trigger a breach (they mostly look at financial impact), whereas HIPAA is much broader. There are likely to be fewer health data breaches under FIPA than under HIPAA.
7/21/2014 | 6:52:02 PM
Re: Is there a common denominator for health data breach notification?
I think it is a symptom of Washington not being directly affected by a catastrophic cyber attack at the moment. Our government seems to have become very reactionary, vice proactive. I cover this in today's blog here.
David F. Carr
7/17/2014 | 12:15:51 PM
Is there a common denominator for health data breach notification?
For any organization operating in multiple states, I'd think one challenge would be defining the superset of all these laws in order to formulate a consistent policy and business process for responding to incidents. How tough is that?

What's the political reason for the federal government's inaction? Or is it just a symptom of Washington gridlock in general?