
What do you know about Florida’s data protection status?

DISCLAIMER: The author of this article is an information security specialist, not a lawyer. The opinions contained in this article should not be construed as legal advice. The reader should consult a licensed attorney if legal advice is required in connection with 501.171.

Florida legislators created a statute (501.171) that clearly places on owners of businesses and organizations the responsibility to maintain the confidentiality of electronically stored “personally identifiable information” (or PII).

Basically, the law requires a business to take “reasonable steps” to protect the confidential information it has about employees, customers, and others. Specifically, the law states that “Each covered entity, government entity, or third party agent shall take reasonable steps to protect and secure data in electronic form that contains personal information.”

People are beginning to realize how important it is for information to be processed securely. Financial losses from cybercrime and illegal use of information now exceed the total for illegal drug trafficking. The problem is getting worse.

Cybercriminals can and do inflict irreparable harm on people, businesses, and national security. Florida’s privacy law was written to address the problem. Most businesses and organizations are considered covered entities under the law. However, very few are aware of what must be done to comply.

Please note the disclaimer statement above.

A careful reading of 501.171 reveals that a “covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative association, or other business entity that acquires, maintains, stores, or uses personal information. A covered entity may include a government agency.

Florida law requires that if a covered entity experiences a security breach affecting more than 500 people, that entity must report the matter to the Department of Legal Affairs. Other requirements are spelled out in the statute. Multiple fines, related to an unreported security breach, can be as high as $250,000.00.

Owners, directors, and managers have a fiduciary responsibility to become familiar with Florida privacy law. To ignore it would be extremely reckless and foolish.

If you do not know whether your organization is taking “reasonable steps” to protect personally identifiable information, you should consider establishing an information security plan that can pass that test.

Managers can limit or even prevent significant damage to their information infrastructure by taking the following reasonable security measures to protect the organization:

1. Establish an information security policy.

2. Inventory all information assets.

3. Classify all information assets in terms of their criticality.

4. Implement logical and physical access controls.

5. Use network firewalls and intrusion detection devices.

6. Secure the open workspace.

7. Protect data in transit.

8. Manage mobile computing.

9. Create an incident response plan.

10. Have a data backup and restoration plan for all mission-critical data.

11. Develop a plan to discard or destroy unwanted data.

12. Develop and implement a security awareness program for all employees.

Federal and state organizations are beginning to respond to public demands to protect personally identifiable information. In almost all cases the burden has fallen on the shoulders of business owners, directors, and managers. Information security should be treated like any other business process (e.g., accounting, finance, manufacturing). Anything less puts an organization at risk.
