Florida FIPA – Florida Information Protection Act

Florida is no longer more lax in personal information security, data protection law and HIPAA compliance than most other states! Florida is in fact leading the way in breach notification – FIPA applies to almost every company or organization doing business or providing service in the state, with few exemptions or political caveats.

FIPA Florida

The Florida Information Protection Act of 2014 (FIPA), similar to but not to be confused with HIPAA, was passed through the Florida State Legislature in Tallahassee on June 20th and approved by Gov. Rick Scott. The law became effective as of July 1st, 2014. It encompasses two sides of the data breach notification law – how companies are expected to prevent a breach of personal information and what is expected of them should they experience a breach.

Personal Identification is defined under FIPA Florida as:

An individual’s first name or first initial combined with the individual’s last name in combination with one or more of the following:

  • Social Security Number
  • Driver's license or identification card number, passport number, military ID number or other similar government-issued ID
  • Financial account number or credit/debit card number combined with the required security code
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
  • An individual’s health insurance policy number or subscriber identification number, along with any unique identifier used by a health insurer to identify the individual.

Personal Identifiable Information Under Florida FIPA is NOT:

  • Information that is encrypted
  • Secured or modified by any other method or technology
  • Modified to remove elements that personally identify an individual or that otherwise render the information unusable.

FIPA Security Breach Notification

“Covered entities must notify Florida’s Department of Legal Affairs (i.e., the Florida Office of the Attorney General) of any breach that affects more than 500 people. Notice must be provided as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a breach occurred. An additional 15 days is permitted if good cause for delay is provided in writing to the Attorney General within 30 days after determination of the breach or reason to believe a breach occurred.”

General Rules:

  • Fewer than 500 people affected: the individuals must be notified and/or as directed by law enforcement
  • 500 to 1000 people affected: notifications to Florida’s Attorney General, the individuals and as directed by law enforcement
  • Over 1000 people affected: add the Credit Reporting Agencies to the above.

“A violation of the FIPA Security Law is an unfair or deceptive trade practice subject to an action by the Attorney General under Florida’s Deceptive and Unfair Trade Practices Act against the covered entity or third-party agent.  A covered entity that does not properly notify affected individuals or the Attorney General may be fined up to $500,000 per breach, depending on the number of days in which the covered entity is in violation of the Florida FIPA Security Law.  The law creates no private cause of action, nor does the presumed FDUTPA violation for the Attorney General appear to apply to a private action under FDUTPA.”

The departure here from most fine structures that exist, such as HIPAA: fines are not issued on a per-record basis, but rather on a scale of the days, weeks or months for which a failure-to-notify condition occurred, up to a maximum of $500K… in addition to any other regulatory agency criminal or civil fines assessed under HIPAA or NERC or…

The details get more complex depending on the covered entity’s business sector covered under HIPAA/HITECH or NERC or …

Upon request by the Attorney General, the entity, covered entity or third-party vendor must provide a police report, incident report, or computer forensics report; a copy of the policies in place regarding breaches; and/or steps that have been taken to rectify the breach.

The definition of “Covered Entity” or CE under FIPA covers just about anyone doing business in the State of Florida or providing a service of any kind, and does NOT exempt any state or federal agencies providing said services in Florida. As a CE, you ARE responsible for the actions of your business associates.

FIPA Requires Proactive Measures

The Florida Information Protection Act distinctly states that covered entities are to take all reasonable measures to protect and secure personal information. Third-party vendors and covered entities must also take the same reasonable steps to protect and secure electronic personal information. FIPA makes it clear – covered entities need to take proactive measures to protect the personal information of their clients; this includes taking all possible steps to dispose of customer records containing personal information – both hard and electronic copies.

Punishment for violating this provision of FIPA is through the Unfair and Deceptive Trade Practices statute, which punishes those who thought it was too expensive or time-consuming to take all reasonable steps/measures to protect the personal information of their customers, or to verify that their business associates were taking all reasonable steps to protect personal information.

Worried About FIPA Compliance? Get an IT or Network Security Risk Assessment

Our IT Security Audit and PSA – Perimeter Security Assessment will meet all security risk assessment goals. We take into account technical and administrative countermeasures, identify weaknesses and provide a detailed remediation road map that will take your company or organization beyond the letter of the law.  Want a quick gut check – get a Pen Test of your organization’s Web sites and public facing IP addresses. Want a complete assessment – get an Enterprise Security Risk Assessment.