Computer breaches put millions of Americans at risk every year from cyber thieves who hack into databases for passwords, PIN numbers, Social Security numbers and other personal information.
The Target breach last year exposed 40 million people to potential financial losses. The nonprofit Identity Theft Resource Center has compiled 4,500 breaches over the past decade that have exposed 630 million confidential records. The number of breaches it recorded jumped 30 percent between 2012 and 2013.
That’s why it’s encouraging to see Florida adopt new data breach laws that are among the most expansive in the nation.
Gov. Rick Scott signed the Florida Information Protection Act of 2014 into law last month, and the new measures went into effect last week. They replace an existing set of laws with tougher requirements for protecting consumers and for reporting breaches to the state and to affected consumers.
Under the new law, data breaches affecting more than 500 Floridians must be reported to those consumers and to the state’s Attorney General’s Office within 30 days of discovering a breach. That trims 15 days off the previous law’s reporting requirement.
As anyone who’s been exposed to a breach knows, the sooner the various banks and credit card companies can be notified, the better the chance of avoiding an unauthorized purchase or withdrawal.
The law expands the kinds of personal information that must be protected and reported when breached. A person’s medical history, health insurance policy numbers and online user names and email addresses in combination with passwords and security questions are now considered “personal information” under the law.
As part of the reporting requirements, companies must outline the circumstances surrounding the breach and the total number of people affected in Florida. The new law also requires companies and government entities to take reasonable measures to protect personal information. And it gives enforcement authority to the Attorney General’s Office, which can demand computer forensic reports and breach policies from companies that are hacked or mistakenly expose personal information. Civil penalties up to $500,000 can be imposed for violating the breach laws, just as the previous law stipulated.
The rising tide of cyber crimes and the lack of a federal breach notification law have prompted a majority of the states to adopt measures that attempt to protect consumers when their personal information is exposed. Supporters say the laws have motivated private companies and governments to improve data security, or risk the fallout from appearing to conceal a breach that puts their customers and constituents at risk.
Some critics say only a small percentage of people who are notified of breaches become fraud victims and question whether the expense to notify is worth the effort. But to anyone who’s ever dealt with the financial chaos brought about by identity theft, arming the government with a law that can alert a potential victim is well worth the cost.