What is the Florida Information Protection Act (FIPA)? Compliance Tips

The Florida Information Protection Act of 2014 (FIPA) came into effect on July 1, 2014, expanding Florida's existing data breach notification statute requirements for covered entities that acquire, use, store or maintain Floridian's personal information.  

FIPA modified Florida's existing data breach notification law and applies to commercial and government entities.

Who is Covered Under FIPA?

FIPA applies to all covered entities. A covered entity is a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or government entity that acquires, maintains, stores, or uses personal information.

More importantly, FIPA is an extraterritorial law, which means any company that acquires, uses, stores, or maintains the personally identifiable information (PII) of Floridians must comply. This includes covered entities with no physical footprint in Florida. This is an extraterritorial law akin to CCPA, GDPR, LGPD, and the SHIELD Act.

This means in the event of a security breach, FIPA will apply to any entity which the personal information of Floridians, regardless of the number of people or volume of data.

How to Comply With FIPA

In addition to the reactive component of FIPA, covered entities must report all data breaches. FIPA also has a proactive component that imposes obligations on covered entities regardless of whether they suffer a breach.  

Each covered entity, governmental entity, or third-party agent must take reasonable measures to protect and secure data personal information in electronic form.

Additionally, covered entities must take reasonable measures to dispose of or arrange for the disposal of customer records containing PII. Such disposal must involve shredding, erasing, or otherwise modifying the PII in the records to make them unreadable or undecipherable.

What are the Penalties for Not Complying With FIPA?

While FIPA states it does not create a private cause of action, it does contain provisions authorizing Florida's Department of Legal Affairs to bring an enforcement action against entities committing statutory violations.

Entities who fail to provide required notices under FIPA violate Florida Deceptive and Unfair Trade Practices Act (FDUTPA) and are subject to non-compliance civil penalties:

• $1,000 per day for the first 30 days
• $50,000 for each 30-day period up to 180 days
• A maximum penalty of $500,000 for violations exceeding 180 days

It's important to understand these penalties are enforced for failure to comply with any FIPA notice requirements, including late or incomplete notice, and they do not depend on the number of people affected.

What are the FIPA Requirements for Third Parties?

Third parties contracted to maintain, store or process personal information or security systems for covered entities have up to 10 days to report breaches to said entities.

Upon receiving notice of the breach, covered entities become responsible for providing the required notices within the stipulated 30-day period.

The third-party agent may notify affected individuals and the Attorney General on behalf of the covered entity, but the agent’s failure to provide proper notice has been deemed a violation against the covered entity.

This is why vendor risk management is so important. As it turns out, managing third-party and fourth-party risk is foundational to cybersecurity, ensuring business continuity and maintaining regulatory compliance.

Effective Vendor Risk Management can help you comply with FIPA because you will understand your vendor risk profile and be able to mitigate cybersecurity risk rather than relying on incident response.

What are the Data Breach Notification Requirements of FIPA?

FIPA reduces the time period allowed for reporting a breach of security to 30 days from 45 days under the previous Florida statute.

However, if a good cause is sent in writing to the Florida Department of Legal Affairs (or the Florida Office of the Attorney General) within 30 days of determining a breach, FIPA authorizes the department to authorize an additional 15 days to provide notice.

Like any notice requirement, prompt coordination with law enforcement agencies is essential. Additionally, law enforcement may delay required notices if they believe it could interfere with ongoing criminal investigations.

How Will Affected Individuals Be Notified Under FIPA?

In the event of a breach involving 500 or more individuals, notice to affected individuals must be made as soon as possible and without unreasonable delay. Additionally, the Department of Legal Affairs must provide a notice of the particulars.

For breaches involving 1,000+ individuals, covered entities must send notices to nationwide consumer credit reporting agencies.

However, individual notice may not be required if the covered entity determines the breach has not and will not likely result in identity theft or financial harm to the affected individuals.

In this situation, covered entities need to provide written determination to the Department of Legal Affairs within 30 days of their decision not to notify affected individuals.

Additionally, covered entities subject to federal regulation, such as HIPAA, GLBA, and FISMA, may defer notice requirements provided they send the requisite notice to the Department of Legal Affairs.

What Should Be Included in the Breach Notice to the Department of Legal Affairs?

The notice to the Department of Legal Affairs should include the following:

• A summary of the events surrounding the breach
• How unauthorized access was gained
• Any services related to the breach being offered without charge to affected individuals, such as credit reporting, and how individuals can access them
• A copy of the notice to affected individuals or an explanation of why a notice was not provided (no risk of financial harm or identity theft)
• The name, address, telephone number, and email address of the employee or third party who can provide additional information about the breach

Additionally, if the Attorney General requests any of the following, they must be provided:

• A police report
• An incident report
• A computer forensics report
• A copy of the information security policy in place regarding breaches
• Steps that have been taken to rectify the breach, such as improving data security and data protection efforts

What Should Be Included in the Notice to Affected Individuals?

The notice to affected individuals can take the following forms:

• In writing: Sent to the mailing address of the individual in the records of the covered entity
• By email: Sent to the email address of the individual in the records of the covered entity

In either form, the notice must include the following:

• The date or estimated date range of the breach
• A description of what personal information was accessed
• How the affected individual can inquire about the breach and their personal information

If the cost of direct notice exceeds $250,000, more than 500,000 individuals are impacted, or the covered entity does not have a mailing or email address for affected individuals, then a substitute notice can be provided.

The substitute notice must include a conspicuous notice on their website, in print, and to broadcast media where affected individuals reside.

What Types of Information Does FIPA Protect?

FIPA protects personal information and customer records.

Personal information means either of the following:

• An individual's first name or first initial and last name in combination with:
• A social security number
• A driver's license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
• A financial account number or credit card or debit card number, in combination with any required security code, access code, or passport that is necessary to access the individual's financial account
• Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
• An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual
• A username or email address, in combination with a password or security question and answer that would permit access to an online account

Personal information does not include information about an individual that has been made publicly available by a federal, state, or local government entity. Nor does it include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or otherwise render the information unusable.  

Customer records are any material, regardless of form, in which personal information is recorded or preserved by any means, including and not limited to written or spoken words, graphically depicted, printed, or electromagnetically transmitted that are provided by a Floridian to a covered entity to purchase or lease a product or obtaining a service.

How UpGuard Can Help Meet FIPA Compliance Standards

UpGuard Vendor Risk can minimize the time your organization spends managing third-party relationships by automating vendor questionnaires and providing vendor questionnaire templates that map to the NIST Cybersecurity Framework and other best practices. We can help you continuously monitor your vendors' security posture over time while benchmarking them against their industry.

Each vendor is rated against 50+ criteria, such as the presence of SSL and DNSSEC, as well as the risk of domain hijacking, man-in-the-middle attacks, and email spoofing for phishing. Our platform scores your vendors each day with a security rating out of 950, and any significant score drops are automatically flagged and alerted.

UpGuard also offers a customizable questionnaire builder that allows businesses to meet FIPA compliance requirements. Businesses that follow FIPA rules will be able to manage their data breach risk more efficiently and reduce the likelihood of a security breach from occurring.