Businesses that maintain, store, or use personal information acquired from their employees or customers are required to protect this sensitive information from unauthorized access under the Florida Information Protection Act of 2014 (FIPA). FIPA is a Florida state law that outlines the legal requirements imposed on businesses and their vendors to safeguard the personal information they hold. Non-compliance with FIPA is unlawful and may result in legal action, including hefty financial penalties. This article discusses some key definitions and requirements of FIPA and provides a few suggested practices that a business should implement as part of its compliance efforts.
Key Definitions
Type of Personal Information Covered
"Personal information" under FIPA covers a wide range of personally identifiable data elements that a business must protect from unauthorized access. These data elements are outlined in FIPA and include an individual's first name or first initial and last name combined with any one or more of the following:
A social security number.
A driver license number, ID card number, passport number, military ID number, and other like numbers that are issued on a government document and used to verify the person’s identity.
A financial account number or credit or debit card number combined with any required security code, access code, or password that would grant access to the individual's financial account.
Information about an individual's medical history, mental or physical condition, or medical treatment or diagnosis made by a doctor or other health care professional; or
An individual's health insurance policy number or a health insurance subscriber ID number and any unique identifier that a health insurer uses to identify an insured.
A username or email address combined with a password or security questions and answers that would grant access to an individual’s online account.
Essentially, any information about a person that can be used for identity theft or fraud can be considered personal information under FIPA. The exception is information about an individual that is encrypted, secured, or modified by a method or technology that makes it incapable of personally identifying the individual or otherwise renders the information useless; such information is not considered "personal information" for purposes of FIPA.
Type of Business Covered
FIPA applies to covered entities. A “covered entity” is broadly defined to capture any type of business that acquires, maintains, stores, or uses personal information. This includes third-party service providers (e.g., vendors) a business uses to maintain, store, or process personal information for it.
Data Breach Meaning
Under FIPA, a data breach means any type of unauthorized access to data containing personal information that is electronically or digitally stored on any type of computer system or other database. This includes recordable tapes and other mass storage devices.
Key Requirements
Notice of Data Breach May Be Required
A business that acquires, maintains, stores, or uses personal information and suffers or has reason to believe it has suffered a breach that may result in harm to its customers or employees must notify them within 30 calendar days of discovering the breach or having reason to believe a breach has occurred. This breach notice should include the date, estimated date, or estimated date range of the breach, a description of the types of personal information compromised, and what steps the compromised employees or customers can take to help protect themselves.
If the actual or suspected data breach affects more than 500 individuals, the business must also notify the Florida Attorney General’s office within 30 calendar days. This notice should include a summary of the events surrounding the breach, the number of individuals in Florida that were affected by the breach, a description of the services offered by the business, and the contact information of the business representative who can be contacted about the event.
This breach notification requirement also applies to applicable third-party service providers of the business, but with slightly different requirements. Specifically, where a service provider suffers or has reason to believe it has suffered a data breach, it must notify the business within 10 calendar days of discovering the breach or having reason to believe a breach occurred. The service provider's notice to the business should include all information the business will need to fulfill its breach notice requirements under FIPA.
While FIPA permits a service provider to also submit a breach notice on behalf of an affected business, be aware that if this notice fails to meet the breach notice requirements imposed on a business, the notice will be deemed a violation of FIPA against the business. As such, and to mitigate the risk of such a violation occurring, a business should work collaboratively with its third-party service provider to ensure the notice complies with FIPA requirements.
Take Reasonable Security Measures
A business that acquires, stores, maintains, or uses personal information should take commercially reasonable security measures to protect this sensitive information from unauthorized access, destruction, use, modification, or disclosure. This includes implementing a cybersecurity program, developing data security policies and procedures, training employees on data security best practices, conducting risk assessments, performing audits, taking any corrective action needed, and using appropriate technical safeguards such as firewalls and encryption.
Ensure Vendors Take Reasonable Security Measures
A business that intends to share personal information with its vendors should ensure those vendors also take commercially reasonable security measures to protect this sensitive information. As one starting point, the contract between a business and a vendor should include provisions that obligate both parties to comply with the requirements of FIPA and other applicable data security laws. The contract should also include certain representations and warranties covering data security and protection measures, terms outlining the procedure for an actual or suspected data breach, disclaimers, liability insurance requirements, indemnification rights and obligations, and terms that provide a framework for post-termination obligations, to name a few.
Destroy Personal Information Not Needed
When a business no longer needs the personal information for business purposes or pursuant to applicable record retention laws, FIPA requires the information be destroyed in a secure manner that prevents unauthorized access. This includes shredding paper documents and securely deleting electronic files.
Implement a Data Security Compliance Program
A business that acquires, maintains, stores, or uses personal information of its employees or customers should implement a data security compliance program that outlines how it will comply with the data privacy, security, and protection requirements mandated by FIPA and any other applicable data security regulations. This program should include, but is not limited to, policies and procedures, staff training, risk assessments, audits, corrective action plans, and incident response protocols.
Final Remarks
In today's modern world, it is common for a business to acquire, maintain, store, or use personal information of its employees and customers. It is also quite common that bad actors will attempt to hack a business to gain access to this information to sell on the dark web or commit fraud or theft.
Due to the type of personal information a business holds, the high value this information has to bad actors, and the ever-growing rate of cyberattacks on businesses, it is critical that businesses implement commercially reasonable security practices to safeguard this information from unauthorized access. This includes, but is not limited to, implementing data security policies and procedures, training employees on data security best practices, securely destroying personal information when it is no longer needed, and ensuring that third-party service providers are also taking appropriate security measures. A business that acquires, maintains, stores, or uses personal information and has no data security measures to safeguard this information may not only violate FIPA, but may also face legal action if a data breach occurs, potentially causing substantial damage to its reputation and bottom line.
The information provided in this article is for general informational purposes only. Nothing stated in this article should be taken as legal advice or legal opinion for any individual matter. As legal developments occur, the information contained in this article may not be the most up-to-date legal or other information.