Data protection, drunk driving, and the Florida Information Protection Act

The new Florida Information Protection Act (FIPA) passed this summer has a lot of commonality with efforts to reduce drunk driving -- even if the law does not elevate beverage consumption to the "special kind of personal data" level.

FIPA  expands organizations’ requirement to report data breaches to state authorities and affected consumers within 30 days (down from the previous 45 days) and expands the grab-bag of “personal information” to include usernames, email addresses, and medical diagnoses among others. Failure to report a breach can result in fines reaching up to $500,000.

The time requirement sets Florida at the head of the US pack, as one of only seven states with a specific deadline for alerting victims. Other geographies such as Germany with its Bundesdatenschutzgesetz and the European Union have their own reporting requirements.

With alcohol consumption, there are very few regulations that directly prevent an intoxicated driver from taking the wheel. One limited example is the special case where drivers must puff on a breath analyzer, and show a minimal BAC, before starting up their vehicle.
But on the other side, there are lots of laws with an array of penalties that kick in when the police apprehend a driver under the influence. In effect, these laws raise the cost of drunk driving for the driver. And hopefully they also raise it up to the cost level incurred by society.

And so it is with the new Florida law. Instead of stipulating exactly how organizations should protect their data, the law expands the list of protected data, shortens the reporting requirement, and raises the penalty for not doing it. Forcing companies to disclose data breaches also raises the specter of increased customer churn, as nervous consumers take their business elsewhere – just ask victims of the Target hacking. On the down side, the law does focus on the limited 20% of the data pool that fits into the structured data category and skips over the 80% of unstructured data out there.

You could say that the law forces organizations to work “under the influence” as they realize that some data may not have a price, but its loss has a real cost. And as a few recent US elections have shown; as Florida goes, so goes the nation.

Here is a link to the entire Florida law.