InformationWeek reports on a new law in Florida that concerns information privacy and security:
A new law designed to protect Floridians from identity theft could have far-reaching repercussions on healthcare organizations that reside or do business in the Sunshine State. Under the Florida Information Protection Act of 2014 (FIPA), any covered entity or third-party agent must now report breaches to the Florida Department of Legal Affairs and to consumers within 30 days (compared with the prior law’s 45 days). If they show good cause, organizations may get a 15-day extension or receive a law enforcement extension. Violators can be fined $1,000 per day for the first 30 days and $50,000 for each subsequent 30-day period under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA); the fine is not to exceed $500,000.
The state also expanded “personal information” to include individuals’ first name or first initial and last name, in combination with any one of the following: passport number; medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or health insurance policy number, subscriber identification number, or any unique identifier health insurers use to classify individuals. […]
The act, which passed unanimously, should slow the flood of data breaches, advocates said. Faster reporting times, an expanded collection of relevant data, and increased law enforcement involvement will encourage organizations to be more proactive and give law enforcement more opportunities to catch cybercriminals.