________________________________________________

The author of this article is an information security specialist, not a lawyer. The opinions contained in this article should not be construed as legal advice. The reader should consult a licensed attorney if legal advice is required in connection with FS 501.171.
________________________________________________

Cybercriminals prowl the Internet looking for openings in computer systems to exploit. They want to steal, alter, destroy, or otherwise illicitly gain access to sensitive information held by companies and organizations. Both vulnerabilities and threats are growing. Law enforcement officials have been unable to “make a dent” in cybercrime.

Lawmakers in Florida, however, have decided who should bear most of the responsibility for protecting PII (personally identifiable information). Any person or business that qualifies as a “covered entity” in Florida now has a legal responsibility to protect the confidential information it holds.

Do you know what the law requires (FS 501.171)? Are you a “Covered Entity Under Florida Law”? Is your data processing system configured to comply with Florida privacy law? Can you prove that you have taken “reasonable steps” required by law to protect the confidential information you hold about employees, customers, and others?

Is your information system strong enough to detect a cyber attack?

Would you be able to successfully defend yourself against a compliance audit?

What can you do differently?

You may consult with an attorney to determine if you are covered by the provisions of the Florida Information Privacy Act. The smartest and most prudent thing to do would be to assume that if you are acquiring or maintaining sensitive personal data of individuals, you are likely to be considered a covered entity.

Florida law includes a long definition of what is protected. It is: any material, regardless of its physical form, on which personal information is recorded or preserved by any means, including, without limitation, words written or spoken, displayed graphically, printed, or transmitted electromagnetically, provided by an individual for the purpose of buying or leasing a product or obtaining a service.

Personal information covered by the Florida Privacy Act would include a person’s social security number, a driver’s license or identification card number, passport number, military identification card, or other similar documents used to verify identity. Also included are financial account numbers, credit or debit card numbers with any required security code, access code or password that is necessary to allow access to an individual account; any information relating to a person’s medical history, mental or physical condition, or a person’s medical diagnosis or treatment by a health care professional; or a person’s health insurance policy number or subscriber identification number and a unique identifier used by a health insurer to identify the person.

Confidential information storage would appear to include all “hard” or paper records and those stored by a cloud service. The covered entity is solely responsible for protecting the information it has collected and may not transfer its responsibilities to a third party (such as a cloud storage company).

FS 501.171 states that each covered entity, governmental entity, or third-party agent must take reasonable measures to protect and secure data in electronic form that contains personal information.

The Act establishes, among other provisions, how breaches will be reported to authorities (including the number of records compromised and notification requirements). Possible fines are included.

The Florida Information Privacy Law, FS 501.171, requires organizations to take reasonable steps to handle confidential information. The Act does not, however, precisely dictate the details of the policies and procedures that must be used.

There are a number of information security controls and standards, none of which have the force of law. However, many are considered to be very robust security models used in business and industry. Organizations, in the author’s opinion, should at least have an information security policy.

Otherwise, there is likely to be no guidance from management. Meeting the “reasonable measures to protect” test under FS 501.171 would be challenging if the organization had never addressed how it officially handles or processes sensitive information.

You should always take aggressive defensive action against potential intruders and protect the sensitive information in your possession.
