
Florida: Data Protection in the Financial Sector


1. Governing Texts 

1.1. Legislation

The Gramm-Leach-Bliley Act of 1999 ('GLBA') is applicable in Florida, and is a federal law that requires all financial institutions to explain how they share and protect their customers' data. Financial institutions are required to provide notice to their customers about how they share sensitive customer data, inform customers of their right to opt out of the sharing of that data, and implement specific data protections in accordance with a written information security plan. The Standards for Safeguarding Customer Information outline the primary data protection implications of the GLBA. Additional privacy and security requirements are provided by the Federal Trade Commission's ('FTC') Financial Privacy Rule (Privacy of consumer financial information), created under the GLBA to support the implementation of GLBA requirements. The FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies, enforce the GLBA.

Florida also regulates the protection of financial information through sector-specific statutes and regulatory agencies.

The state of Florida does not have privacy and data security laws specific to financial institutions. However, Florida law governing banks and banking industries sets certain requirements that have data protection implications. 

Additionally, Florida has implemented the Florida Information Protection Act ('FIPA'), under §501.171 of Chapter 501 of Title XXXIII of the Florida Statutes ('Fla. Stat.'), which requires businesses, including financial institutions, to take reasonable measures to protect personal information and to report data breaches to affected consumers.

The provisions of FIPA apply broadly to any 'covered entity', which is defined to include any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information of individuals in the state. 

Under FIPA, 'personal information' means the first initial or first name and last name in combination with any of the following:

  • a social security number;
  • a driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
  • a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account;
  • any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
  • an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

'Personal information' also includes email addresses or usernames in combination with passwords (or security questions) that can be used to gain access to an individual's online account.

The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity; or information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

1.2. Supervisory authorities

The primary privacy regulator in Florida is the Office of the Attorney General ('AG'), and FIPA is enforced through the Legal Affairs Department of the AG. 

Additionally, the Florida Office of Financial Regulation ('OFR') provides regulatory oversight for Florida's financial services industry.

2. Personal and Financial Data Management

2.1. Legal basis for processing

There are no specific laws in Florida addressing the legal basis for processing personal and financial data. 

2.2. Privacy notices and policies

Under the regulations of the Florida Department of Financial Services, specifically Chapter 69O-128 of the Florida Administrative Code ('Fla. Admin. Code'), customers and consumers must be provided with a clear, conspicuous, and accurate privacy notice at the initial collection of personal information and annually during the continuation of the customer relationship.

2.3. Data security and risk management

FIPA requires each covered entity to take reasonable measures to protect and secure data in electronic form containing personal information.

2.4. Data retention/record keeping

The Florida Statutes, specifically §655.91 of Chapter 655 of Title XXXVIII of the Fla. Stat., set out specific retention and destruction requirements for records of financial institutions. 'Records' include all books of account and other books of every kind, journals, ledgers, statements, instruments, documents, files, messages, writings of every kind, and other internal or other data and other information of every description, made or received by an institution in the regular course of its business or otherwise, regardless of the mode in which it is recorded. Financial institutions are not required to preserve or retain any of their records or copies thereof for longer than is expressly required by an applicable statute, rule, or regulation. If there is no such statute, rule, or regulation, records are to be retained for five years.

Additionally, FIPA requires covered entities to take reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information when retention of those records is no longer necessary. Such disposal must involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

3. Financial Reporting and Money Laundering

The Florida Money Laundering Act ('the ML Act'), under §896.101 of Chapter 896 of Title XLVI of the Fla. Stat., seeks to penalise individuals or organisations using financial transactions to hide the proceeds of unlawful activities in the state of Florida. There are no specific data protection requirements under this statute. However, Fla. Stat. §896.101(10) provides that any financial institution or licensed money services business that receives a subpoena which contains a nondisclosure provision must not notify, directly or indirectly, any customer of that financial institution or money services business whose records are being sought by the subpoena, or any other person named in the subpoena, about the existence or the contents of that subpoena or about information that has been furnished to the state attorney or statewide prosecutor who issued the subpoena or other law enforcement officer named in the subpoena in response to the subpoena.

4. Banking Secrecy and Confidentiality

§662.146 of Chapter 662 of Title XXXVIII of the Fla. Stat. requires the books and records pertaining to customers, members, and stockholders of a family trust company or licensed family trust company be kept confidential. The family trust company must not release the books and records of customers, members, and stockholders except upon express authorisation from the individual. However, information may be released, without prior authorisation, in a manner prescribed by the board of directors, if a corporation, or managers, if a limited liability company, to verify or corroborate the existence or amount of a customer's account if that information is reasonably provided to meet the needs of commerce and to ensure accurate credit information.

5. Insurance

Chapter 69O-128 of the Fla. Admin. Code requires a licensee to provide notice to individuals about its privacy policies and practices. It also sets limitations for the disclosure of nonpublic personal financial information ('NPFI') about individuals to affiliates and nonaffiliated third parties. 

NPFI includes: 

  • personally identifiable financial information; and
  • any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

NPFI does not include any list of individuals' names and addresses that contains only publicly available information, if not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

With respect to the processing of NPFI, a licensee must provide an initial clear and conspicuous notice that accurately reflects its privacy policies and practices. 

When an existing customer obtains new products or services from a licensee that is to be used primarily for personal, family, or household purposes, the licensee satisfies the initial notice requirement if it provides a revised policy notice that covers the customer's new insurance product or service; or if the initial, revised, or annual notice that the licensee most recently provided to the customer was accurate with respect to the new product or service. 

Licensees must provide clear and conspicuous notice to customers that accurately reflects their privacy policies and practices at least once in each annual notice period during the continuation of the customer relationship. 

A licensee may not, directly or through any affiliate, disclose any NPFI about a consumer to a nonaffiliated third party unless:

  • the licensee has provided the consumer with an initial notice and an opt out notice;
  • the licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
  • the consumer does not opt out.

6. Payment Services

There are no specific laws in the state of Florida linked to data protection in relation to payment services. 

However, Florida law imposes certain limitations on the use of payment device numbers. For example, Florida's Consumer Protection Act, and specifically §501.0118 of Chapter 501 of Title XXXIII of the Fla. Stat., limits the printing of payment card numbers on receipts that are electronically printed in connection with the purchase of consumer goods or services. A merchant who accepts a payment card for the transaction of business may not print more than the last five digits of the payment card's account number, or print the payment card's expiration date, on a receipt provided to the cardholder.

7. Data Transfers and Outsourcing

Under FIPA, third-party agents that have been contracted to maintain, store, or process personal information on behalf of a covered entity or government entity have flow-down obligations to take reasonable measures to protect and secure personal information in electronic form. FIPA does not specifically define what constitutes 'reasonable measures'. However, in practice, a written information security policy is recommended. 

Additionally, third-party agents that maintain security systems for covered entities are obligated to report data breaches to covered entities within ten days. 

8. Breach Notification

A 'breach of security' or 'breach' means the unauthorised access of data in electronic form containing personal information. Such a breach does not include the good faith access of personal information by an employee or agent of the covered entity, provided the information is not used for a purpose unrelated to the business or subject to further unauthorised use.

A covered entity must give notice to each individual in the state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals must be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to an authorised delay. Such notice must include:

  • the date, estimated date, or estimated date range of the breach of security;
  • a description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security; and
  • information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.

The notice to an affected individual must be by one of the following methods:

  • written notice sent to the mailing address of the individual in the records of the covered entity; or
  • email notice sent to the email address of the individual in the records of the covered entity.

A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an email address or mailing address for the affected individuals. 

Substitute notice must include:

  • a conspicuous notice on the internet website of the covered entity if the covered entity maintains a website; and
  • notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.

Notice to affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least five years. The covered entity must provide the written determination to the Legal Affairs Department of the AG within 30 days after the determination.

If a breach notification must be made to 500 or more individuals in the state, a covered entity must provide notice to the Legal Affairs Department of the AG. Such notice must be provided to the Legal Affairs Department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. A covered entity may receive 15 additional days to provide notice if good cause for delay is provided in writing within 30 days after determination of the breach or reason to believe a breach occurred. 

Notice to the Legal Affairs Department must include: 

  • a synopsis of the events surrounding the breach at the time notice is provided;
  • the number of individuals in the state who were or potentially have been affected by the breach;
  • any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services;
  • a copy of the notice required sent to individuals; and 
  • the name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.

If a breach notification must be made to more than 1,000 individuals at a single time, the covered entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined under the Fair Credit Reporting Act of 1970. Notice must include the timing, distribution, and content of the individual notices.

9. Fintech

On 17 August 2021, the OFR issued an industry alert stating that a person engaged in the business of selling virtual currency in Florida must obtain a license under the state's money transmission law. With this announcement, Florida joins a few other states in expressly affirming that selling virtual currency, even in a noncustodial capacity, is subject to regulation.

10. Enforcement

FIPA is enforced through the Legal Affairs Department of the AG. While FIPA states that it does not create a private cause of action, covered entities that fail to provide required notices under FIPA are subject to the following civil penalties:

  • $1,000 a day for the first 30 days;
  • $50,000 subsequently for any 30-day period up to 180 days; and
  • $500,000 as the maximum amount of penalties for violations exceeding 180 days.

These penalties can be enforced for failure to comply with any of the notice requirements under FIPA, including late notice and insufficient or incomplete notice. Also, these penalties are assigned regardless of the number of persons affected by a breach.

11. Additional Areas of Interest

Not applicable.

Starr Drum, Partner
[email protected]
Maynard Cooper, Birmingham FL