The Florida Information Protection Act of 2014 (FIPA) came into effect July 1, 2014, expanding Florida's existing data breach notification statute requirements for covered entities that acquire, use, store or maintain Floridians' personal information.
FIPA modified Florida's existing data breach notification law and applies to commercial and government entities.
Who is covered under FIPA?
FIPA applies to all covered entities. A covered entity is defined as a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or government entity that acquires, maintains, stores, or uses personal information.
Importantly, FIPA is an extraterritorial law, which means any company that acquires, uses, stores or maintains the personally identifiable information (PII) of Floridians must comply.
This means that in the event of a security breach, FIPA will apply to any entity that holds the personal information of Floridians, regardless of the number of people or volume of data involved.
How to comply with FIPA
In addition to its reactive component (covered entities must report data breaches), FIPA also has a proactive component that imposes obligations on covered entities regardless of whether they suffer a breach or not.
Each covered entity, governmental entity or third-party agent must take reasonable measures to protect and secure personal information in electronic form.
Additionally, covered entities must take reasonable measures to dispose of, or arrange for the disposal of, customer records containing PII. Such disposal must involve shredding, erasing or otherwise modifying the PII in the records to make it unreadable or undecipherable.
What are the FIPA requirements for third parties?
Third parties that have been contracted to maintain, store or process personal information or security systems for covered entities have up to 10 days to report breaches to those entities.
Upon receiving notice of the breach, covered entities become responsible for providing the required notices within the stipulated 30-day period.
The third-party agent may notify affected individuals and the Attorney General on behalf of the covered entity, but the agent’s failure to provide proper notice is deemed a violation against the covered entity.
This is why vendor risk management is so important. As it turns out, managing third-party and fourth-party risk is foundational to cybersecurity, ensuring business continuity and maintaining regulatory compliance.
A robust vendor risk management (VRM) program can help you comply with FIPA because you will understand your vendor risk profile and be able to mitigate cybersecurity risk rather than relying on incident response.
What are the data breach notification requirements of FIPA?
FIPA reduces the time period allowed for reporting a breach of security to 30 days, from 45 days under the previous Florida statute.
However, if good cause is shown in writing to the Florida Department of Legal Affairs (i.e. the Florida Office of the Attorney General) within 30 days of determining a breach, FIPA allows the department to grant an additional 15 days to provide notice.
As with any notice requirement, prompt coordination with law enforcement agencies is essential.
Additionally, law enforcement may delay required notices if they believe it could interfere with ongoing criminal investigations.
How must affected individuals be notified under FIPA?
In the event of a breach involving 500 or more individuals, notice to affected individuals must be made as soon as practical and without unreasonable delay. Additionally, a notice of the particulars must be provided to the Department of Legal Affairs.
For breaches involving 1,000+ individuals, covered entities must send notices to nationwide consumer credit reporting agencies.
However, individual notice may not be required if the covered entity determines the breach has not and will not likely result in identity theft or financial harm to the affected individuals.
In this situation, covered entities need to provide written determination to the Department of Legal Affairs within 30 days of their decision to not notify affected individuals.
What should be included in the breach notice to the Department of Legal Affairs?
The notice to the Department of Legal Affairs should include:
- A summary of the events surrounding the breach
- How unauthorized access was gained
- Any services related to the breach being offered without charge to affected individuals (e.g. credit reporting) and how individuals can access them
- A copy of the notice to affected individuals or an explanation of why a notice was not provided (e.g. no risk of financial harm or identity theft)
- The name, address, telephone number and email address of the employee or third party who can provide additional information about the breach
Additionally, if the Attorney General requests any of the following, they must be provided:
- A police report
- An incident report
- A computer forensics report
- A copy of the information security policy in place regarding breaches
- Steps that have been taken to rectify the breach, e.g. improving data security and data protection efforts
What should be included in the notice to affected individuals?
Notice to affected individuals can take the following forms:
- In writing: Sent to the mailing address of the individual in the records of the covered entity
- By email: Sent to the email address of the individual in the records of the covered entity
In either form, the notice must include:
- The date or estimated date range of the breach
- A description of what personal information was accessed
- How the affected individual can inquire about the breach and their personal information
If the cost of direct notice exceeds $250,000, more than 500,000 individuals are impacted, or the covered entity does not have a mailing or email address for affected individuals, then a substitute notice can be provided.
The substitute notice must include a conspicuous notice on the covered entity's website, in print and to broadcast media where affected individuals reside.
What are the penalties for not complying with FIPA?
While FIPA states it does not create a private cause of action, it does contain provisions authorizing Florida's Department of Legal Affairs to bring enforcement action against entities committing statutory violations.
Entities that fail to provide required notices under FIPA violate the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) and are subject to civil penalties:
- $1,000 per day for the first 30 days
- $50,000 for each 30-day period up to 180 days
- A maximum penalty of $500,000 for violations exceeding 180 days
It's important to understand that these penalties are enforced for failure to comply with any FIPA notice requirement, including late or incomplete notice, and they do not depend on the number of people affected.
What types of information does FIPA protect?
FIPA protects personal information and customer records.
Personal information means either of the following:
- An individual's first name or first initial and last name in combination with any one or more of:
  - A social security number
  - A driver's license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
  - A financial account number or credit card or debit card number, in combination with any required security code, access code or password that is necessary to access the individual's financial account
  - Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
  - An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual
- A username or email address, in combination with a password or security question and answer that would permit access to an online account
Personal information does not include information about an individual that has been made publicly available by a federal, state or local government entity. Nor does it include information that is encrypted, secured or modified by any other method or technology that removes elements that personally identify an individual or otherwise renders the information unusable.
Customer records are any material, regardless of form, on which personal information is recorded or preserved by any means, including but not limited to written or spoken words, graphic depictions, or printed or electromagnetically transmitted material, that is provided by a Floridian to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.
How UpGuard can help prevent data breaches
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches and assess their security controls.
UpGuard BreachSight can help monitor your organization for 50+ security controls, providing simple, easy-to-understand cyber security ratings and automatically detecting leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and providing vendor questionnaire templates that map to the NIST Cybersecurity Framework and other best practices. We can help you continuously monitor your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.