The author of this article is an information security specialist, not an attorney. The opinions contained in this article should not be construed as legal advice. The reader should consult with a licensed attorney if legal counsel is required relative to FS 501.171.
Cybercriminals prowl the Internet looking for openings in computer systems to exploit. They want to steal, alter, destroy or otherwise illicitly gain access to the confidential information held by businesses and organizations. Both vulnerabilities and threats are growing. Law enforcement officials have been unable to put a “dent” in cybercrime.
Law-makers in Florida, however, have decided who should have the lion’s share of the responsibility for protecting PII (or Personally Identifiable Information). Individuals now have the responsibility of protecting confidential information if they are a “covered entity” or business in Florida.
Do you know what the law (FS 501.171) requires? Are you a “covered entity under Florida law?” Is your data processing system set up to be in compliance with Florida’s privacy law? Can you prove that you have taken the “reasonable measures” that the law requires to protect the confidential information that you possess on employees, customers and others?
Is your information system strong enough to deter a cyber attack?
Would you successfully be able to defend yourself against a compliance audit?
What can you otherwise do?
You can consult with an attorney to determine if you are covered by the provisions of Florida’s Information Privacy Act. The wise and prudent thing to do would be to assume that if you are acquiring or maintaining confidential personal data on people, you are likely considered to be a covered entity.
Florida’s law includes a lengthy definition as to what is protected. It is: any material, regardless of physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphically depicted, printed or electromagnetically transmitted that are provided by an individual for the purpose of purchasing or leasing a product or obtaining a service.
The personal information covered under Florida’s Privacy Act would include a person’s social security number, a driver’s license or identification card number, passport number, military identification card or other similar documents used to verify identity. Additionally included are financial account numbers, credit or debit card numbers with any required security codes, access code, or password that is necessary to permit access to an individual account; any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by an individual’s health care professional; or an individual’s health insurance policy number or subscriber identification number and an unique identifier used by a health insurer to identify the individual.
The storage of confidential information would appear to include all “hard copy” or paper records and those stored by a cloud service. The covered entity is solely responsible for securing the information it collected and cannot transfer its responsibilities to a third party (such as a cloud storage company).
FS 501.171 states that each covered entity, governmental entity or third-party agent shall take reasonable measures to protect and secure data in electronic form that contains personal information.
The Law states, among other provisions, how the breaches will be reported to authorities (including the number of compromised records and notification requirements). Possible fines are included.
Florida’s Information Privacy Act, FS 501.171 requires that organizations must take reasonable measures to handle confidential information. The Law doesn’t precisely dictate, however, the details of what information policies and procedures should be used.
There are a number of information security controls and standards, none of which carry the force of law. However, many are considered to be very robust security models that are used in business and industry. Organizations, in the opinion of the author, should at least have an information security policy.
Otherwise, guidance from management is likely absent. Meeting the test of “reasonable” measures to protect under the FS 501.171 would be challenging if the organization had failed to address the topic of how it officially handled or processed confidential information.
You should always take aggressive steps against possible intruders and protect the confidential information in your possession.