What Do You Know About Florida’s Information Protection Statute?
DISCLAIMER: The author of this article is an information security specialist, not an attorney. The opinions contained in this article should not be construed as legal advice. The reader should consult with a licensed attorney if legal counsel is required relative to 501.171.Florida’s law-makers created a statute (501.171) that clearly places the responsibility of maintaining the confidentiality of electronically stored “personally identifiable information” (or PII) on business owners and organizations.The law basically requires a company take “reasonable measures” to protect the confidential information that you hold on employees, customers and others. Specifically, the law states that “Each covered entity, governmental entity or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.”People are beginning to realize just how important it is that information be processed in a safe and secure manner. Financial losses from cybercrime and the unlawful use of information now surpass the total of the illegal drug trade. The problem is getting worse.
Cybercriminals can and do inflect irreparable harm on individuals, companies and national security. Florida’s privacy law was written to address the issue. Most companies and organizations are considered to be covered entities under the law. However, very few are aware of what must be done to comply.Please note the disclaimer statement below:A careful reading of 501.171 reveals that a “covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative association or other commercial entity that acquires, maintains, stores or uses personal information. A covered entity may include a governmental agency.The Florida law requires that if a covered entity experiences a security breach affecting more than 500 people, that entity must report the matter to the Department of Legal Affairs. Other requirements are specified in the transcript. Various fines, connected to an unreported security breach, can range as high as $250,000.00.Owners, directors and managers have a fiduciary responsibility to become family with Florida’s privacy act. To ignore it would be extremely unwise and fool hearty.You should consider establishing an information security plan that can meet the test of taking “reasonable measures” to protect personally identifiable information if you are unaware.Managers can limit or even avoid significant damage to their information infrastructure by taking the following reasonable security measures to protect the organization:1. Establish an information security policy.2. Inventory all information assets.3. Classify all information assets as to their criticality.
4. Implement logical and physical access controls.5. Use network firewalls and intrusion detection devices.6. Secure the open workspace.7. Protect data in transit.8. Manage mobile computing.9. Create an incident response plan.10. Have a data back-up and restoration plan for all mission critical information.11. Develop a plan to discard or destroy unwanted data.12. Develop and implement a security awareness program for all employees.Federal and state organizations are beginning to respond to demands from the public to protect personally identifiable information. In nearly all cases the burden has fallen on the shoulders of the business owner, directors and managers. Information security should be treated like any other business process (e.g. accounting, finance, manufacturing). Anything less places an organization at risk.