As the federal government hems and haws its way through new data breach legislation, states are springing into action to pass their own, tougher data breach laws. It just happened in Florida, where Governor Rick Scott signed new data breach legislation.
Currently, 47 states already have data breach laws of their own, but many of those laws are ambiguous: they set no firm deadline for notifying affected customers, and few of them attach monetary penalties to a breach. Until now, that is.
The National Law Review reports that Florida's new data breach law might be the country’s toughest. Here are some of the highlights:
- Companies can face up to $500,000 in civil penalties.
- After a breach, the affected business (your client) must report it to the proper state authorities within 30 days.
- IT consultants and other third parties that manage a client's data have 10 days to report a breach to that client.
- Breaches affecting more than 1,000 Florida residents must also be reported to the consumer credit reporting agencies.
To any tech contractor, the first thing that jumps out about this law is the $500,000 in civil penalties (fines imposed by the government for breaking the law). If you work in healthcare IT, you're already familiar with HIPAA and HITECH fines, but Florida can now impose half-million-dollar fines for a data breach in any industry.
The law also recognizes that many companies don't store and maintain their own data. It's one of the first to spell out an IT consultant's responsibilities: if you hold a Florida client's data, you have 10 days to inform that client about a breach of security.
3 Things Your Clients Won't Understand about a Data Breach until It's Too Late
- After a breach, you'll be put under the microscope. Following a data breach, you typically have to hand investigators copies of your security policy and details about your IT infrastructure. That's why it's important for your clients to invest in comprehensive security and to document their IT policies before anything goes wrong. Having these things in place can reduce penalties and shows investigators that you took reasonable steps to prevent the breach.
- Data breaches are defined more broadly than you'd think. The Florida Information Protection Act defines a breach as unauthorized access to personal data. The older version of the law defined a breach as the acquisition of data, but lawmakers expanded the definition. Now, if you believe that criminals or other unauthorized individuals have accessed your data (even if there's no evidence they downloaded it), you can still be required to report it.
- Preventing identity theft and fixing the breach are only part of your responsibilities. When a client thinks about a data breach, their first worries are probably closing the hole and protecting customers from identity theft. In reality, companies have many more obligations than those. Typically, you must notify the authorities, report the breach to the consumer credit agencies, and cooperate with an investigation. A data breach is usually the result of a crime, and the business that suffers it inherits legal responsibilities of its own.
Helping your clients understand data breaches better prepares them and makes them more likely to take data security seriously. Research by the Ponemon Institute has shown that having a data breach response plan in place, and treating data security as a standing priority rather than an afterthought, can significantly lower the cost of a breach.
If your clients want more protection for their customer data, you can always recommend that they invest in Cyber Liability Insurance, which covers the costs of investigations, customer notifications, and credit monitoring for customers after a data breach on their networks.
Technology Errors and Omissions: Insurance to Cover Data Breach Lawsuits
Say a Florida-based client is hit with a data breach. The civil penalties, repair costs, investigation expenses, and damage to their reputation could cost the client hundreds of thousands of dollars (if not more). Facing that bill, the client sues the IT contractor who managed the affected systems.
What insurance protects you from a data breach lawsuit?
When you're sued, Errors and Omissions Insurance (also called Professional Liability Insurance) covers your legal defense costs and pays the damages a court finds you owe the client. As states strengthen their data breach laws, IT consultants can have the reassurance of knowing that their professional insurance covers client lawsuits of this kind.
For a free quote on E&O coverage for IT professionals, submit an online insurance application.