By Luis Salazar and Neha Dagley

Watch out, retailers with stores in Florida. The Florida State Legislature has tightened controls over businesses for data security breaches. Effective July 1, 2014, the new Florida Information Protection Act (FIPA) will impact your business and how you handle data breaches. In recent years, data breaches have become commonplace, and have undoubtedly affected the chain-store industry.
FIPA: COMPLIANCE AND CONSEQUENCES

The Act requires each covered entity and third-party agent to take reasonable measures to protect and secure data in electronic form containing personal information. The term "covered entity" includes various forms of commercial entities that acquire, maintain, store or use personal information. The definition of "personal information" includes the type of information that is commonly used in chain store operations, i.e., credit card and debit card numbers, as well as email addresses used with loyalty programs.
Notice is required to the Department of Legal Affairs for any breach of security involving 500 or more individuals in Florida. Notice is also required to each individual in Florida whose personal information was accessed, or is reasonably believed to have been accessed, as a result of the breach. Notice is additionally required to consumer reporting agencies in the event of a breach involving more than 1,000 individuals at a single time. Third-party agents who contract to maintain, store or process personal information should be mindful of the new notice provisions, which require them to notify the covered entity no later than 10 days following determination of a breach of security.
The new law requires reasonable measures to dispose or arrange for disposal of customer records containing personal information when the records are no longer to be retained. Customer records include any material, regardless of physical form, on which personal information is preserved or recorded by any means.
A violation of the new law is treated as an unfair or deceptive trade practice under Florida Statute section 501.207 in any action brought by the Department; however, the Act does not establish a private cause of action. A covered entity that violates the Act can be liable for $1,000 for each day up to the first 30 days, and thereafter $50,000 for each subsequent 30-day period or portion thereof, for up to 180 days. The penalty cannot exceed $250,000.
DATA SECURITY: ARE YOU MAKING THESE MISTAKES?

Chain stores can be attractive targets for cyber criminals because they tend not to have robust security systems. Point of sale (POS) systems, a critical component of the chain-store industry, have in fact become frequent targets of cyber criminals. Below are key areas of security that should be reviewed, assessed, and addressed:
(1) KEEP ANTIVIRUS SOFTWARE AND HARDWARE UPDATED. Updated antivirus software provides a basic level of protection. In some cases, upgraded software protection may be required in order for a business to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). Hardware upgrades are just as essential to maintaining security as updated software. Older machines can be easier to bypass than newer machines, and outdated hardware often does not support the newest software or technology.
(2) STRONGER AND UNIQUE PASSWORDS! A unique user ID and password for each user is another basic level of protection that adds a layer of security to your computer systems. Many businesses make the mistake of using a common user ID and password, permitting several employees to use the same credentials. This creates unnecessary exposure, making your system easier to compromise. It also makes it difficult to track and investigate the source of a breach, particularly where numerous employees share the same login credentials.
Another common mistake is the use of simple passwords. Be sure to require the use of at least one special character or symbol, a capital letter and a number.
(3) THIRD-PARTY VENDORS AND REMOTE ACCESS. A strong level of control should be exercised over your third-party vendors, especially where the vendor would have reason to obtain remote access to your systems. Security terms should be communicated to the vendor with absolute clarity. More importantly, before such remote access is granted, it is wise to evaluate whether the access is actually critical to chain-store operations.
(4) DO NOT USE POS DEVICES FOR WEB BROWSING. Web browsing opens the gateway to accidental downloads of malware and viruses. A good practice is to use the POS device for point-of-sale transactions only, and to use other devices for all other work-related functions, including web browsing.
The new law imposes stricter incident response times and stricter notice requirements, and compliance with them can be a drain on business cash flow and operations. An equally critical repercussion of a data breach, particularly for the chain-store industry, is the potential loss of customer trust and confidence. Having quick incident response protocols in place, implemented with the assistance of compliance professionals, is a prudent move for any customer-driven business.
Luis Salazar is a founding partner of Salazar Jackson, LLP, based in Miami. He heads the firm's Privacy and Cyber-Risk Group, and can be reached at [email protected]. Ms. Dagley is a senior counsel with the firm, heading its India Practice Group, and can be reached at [email protected].