Florida Information Privacy Law

________________________________________________

The author of this article is an information security specialist, not a lawyer. The opinions contained in this article should not be construed as legal advice. The reader should consult with a licensed attorney if legal advice is required in connection with FS 501.171.
________________________________________________

Cybercriminals prowl the Internet looking for openings in computer systems to exploit. They want to steal, alter, destroy, or otherwise illegally gain access to confidential information held by companies and organizations. Both vulnerabilities and threats are growing. Law enforcement officials have been unable to “make a dent” in cybercrime.

However, Florida legislators have decided who should have the lion’s share of responsibility for protecting PII (or personally identifiable information). Individuals now have a responsibility to protect confidential information if they are a “covered entity” or business in Florida.

Do you know what the law requires (FS 501.171)? Are you a “covered entity” under Florida law? Is your data processing system configured to comply with Florida privacy law? Can you prove that you have taken the “reasonable steps” required by law to protect the confidential information you hold about employees, customers, and others?

Is your information system strong enough to detect a cyber attack?

Would you be able to successfully defend yourself against a compliance audit?

What can you do differently?

You may consult an attorney to determine if you are covered by the provisions of the Florida Information Privacy Act. The wisest and most prudent thing to do would be to assume that if you are acquiring or maintaining sensitive personal data from individuals, you are likely to be considered a covered entity.

Florida law includes a lengthy definition of what is protected. It is: any material, regardless of its physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken, graphically represented, printed, or electromagnetically transmitted words that are provided by an individual for the purpose of buying or leasing a product or obtaining a service.

Personal information covered by the Florida Privacy Law would include a person’s social security number, driver’s license or identification card number, passport number, military identification card, or other similar documents used to verify identity. Also included are financial account numbers, credit or debit card numbers with any required security code, access code or password that is necessary to allow access to an individual account; any information relating to a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a person’s health professional; or a person’s health insurance policy number or subscriber identification number and a unique identifier used by a health insurer to identify the person.

Storage of sensitive information would appear to include all “hard” or paper records and those stored by a cloud service. The covered entity is solely responsible for protecting the information it has collected and cannot transfer its responsibilities to a third party (such as a cloud storage company).

FS 501.171 states that each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form that contains personal information.

The Law establishes, among other provisions, how violations will be reported to authorities (including the number of records compromised and notification requirements). Possible fines are included.

The Florida Information Privacy Law, FS 501.171 requires organizations to take reasonable steps to handle confidential information. The Act does not precisely dictate, however, the details of what information policies and procedures should be used.

There are a number of information security controls and standards, none of which have the force of law. However, many are considered very robust security models used in business and industry. Organizations, in the author’s opinion, should at least have an information security policy.

If not, there is likely no guidance from management. Meeting the “reasonable measures to protect” test under FS 501.171 would be challenging if the organization had never addressed how it officially handles or processes sensitive information.

You should always take aggressive action against potential intruders and protect sensitive information in your possession.
