What is the Florida Information Protection Act (FIPA)? Compliance Tips

The Florida Information Protection Act of 2014 (FIPA) came into effect on July 1, 2014, expanding the requirements of Florida's existing data breach notification statute for covered entities that acquire, use, store or maintain Floridians' personal information.

FIPA modified Florida's existing data breach notification law and applies to commercial and government entities. 

Who is covered under FIPA?

FIPA applies to all covered entities. A covered entity is defined as a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or government entity that acquires, maintains, stores, or uses personal information. 

Importantly, FIPA is an extraterritorial law: any company that acquires, uses, stores or maintains the personally identifiable information (PII) of Floridians must comply, including covered entities with no physical footprint in Florida. In this respect it is akin to the CCPA, GDPR, LGPD and the SHIELD Act.

This means that in the event of a security breach, FIPA applies to any entity that holds the personal information of Floridians, regardless of the number of people affected or the volume of data involved.

How to comply with FIPA

In addition to its reactive component (covered entities must report data breaches), FIPA also has a proactive component that imposes obligations on covered entities regardless of whether they suffer a breach.

Each covered entity, governmental entity or third-party agent must take reasonable measures to protect and secure personal information held in electronic form.

Additionally, covered entities must take reasonable measures to dispose or arrange for the disposal of customer records containing PII. Such disposal must involve shredding, erasing or otherwise modifying the PII in the records to make it unreadable or undecipherable.

What are the FIPA requirements for third parties?

Third parties that have been contracted to maintain, store or process personal information, or to operate security systems, for covered entities have up to 10 days to report breaches to those entities.

Upon receiving notice of the breach, covered entities become responsible for providing the required notices within the stipulated 30-day period.

The third-party agent may notify affected individuals and the Attorney General on behalf of the covered entity, but the agent’s failure to provide proper notice is deemed a violation against the covered entity.

This is why vendor risk management is so important. Managing third-party and fourth-party risk is foundational to cybersecurity, business continuity and regulatory compliance.

A robust vendor risk management (VRM) program can help you comply with FIPA because you will understand your vendor risk profile and be able to mitigate cybersecurity risk rather than relying on incident response alone.

What are the data breach notification requirements of FIPA?

FIPA reduces the time period allowed for reporting a breach of security to 30 days, from 45 days under the previous Florida statute.

However, if good cause is provided in writing to the Florida Department of Legal Affairs (i.e. the Florida Office of the Attorney General) within 30 days of determining a breach, FIPA authorizes the department to grant an additional 15 days to provide notice.

As with any notice requirement, prompt coordination with law enforcement agencies is essential.

Additionally, law enforcement may delay required notices if they believe it could interfere with ongoing criminal investigations.

How must affected individuals be notified under FIPA?

In the event of a breach involving 500 or more individuals, notice to affected individuals must be made as soon as practicable and without unreasonable delay. Additionally, a notice of the particulars must be provided to the Department of Legal Affairs.

For breaches involving 1,000+ individuals, covered entities must send notices to nationwide consumer credit reporting agencies. 

However, individual notice may not be required if the covered entity determines the breach has not and will not likely result in identity theft or financial harm to the affected individuals. 

In this situation, covered entities need to provide written determination to the Department of Legal Affairs within 30 days of their decision to not notify affected individuals. 

Additionally, covered entities subject to federal regulation such as HIPAA, GLBA or FISMA may defer notice requirements, provided they send the requisite notice to the Department of Legal Affairs.

What should be included in the breach notice to the Department of Legal Affairs?

The notice to the Department of Legal Affairs should include: 

  • A summary of the events surrounding the breach
  • How unauthorized access was gained
  • Any services related to the breach being offered without charge to affected individuals (e.g. credit reporting) and how individuals can access them
  • A copy of the notice to affected individuals or an explanation of why a notice was not provided (e.g. no risk of financial harm or identity theft)
  • The name, address, telephone number and email address of the employee or third-party who can provide additional information about the breach

Additionally, if the Attorney General requests any of the following, they must be provided:

What should be included in the notice to affected individuals?

Notice to affected individuals can take the following forms:

  • In writing: Sent to the mailing address of the individual in the records of the covered entity
  • By email: Sent to the email address of the individual in the records of the covered entity

In either form, the notice must include:

  • The date or estimated date range of the breach
  • A description of what personal information was accessed
  • How the affected individual can inquire about the breach and their personal information 

If the cost of direct notice exceeds $250,000, more than 500,000 individuals are impacted, or the covered entity does not have a mailing or email address for affected individuals, then a substitute notice can be provided.

The substitute notice must include a conspicuous notice on the covered entity's website, in print and to broadcast media where affected individuals reside.

What are the penalties for not complying with FIPA?

While FIPA states it does not create a private cause of action, it does contain provisions authorizing Florida's Department of Legal Affairs to bring enforcement action against entities committing statutory violations.

Entities that fail to provide required notices under FIPA violate the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) and are subject to civil penalties:

  • $1,000 per day for the first 30 days
  • $50,000 for each 30-day period up to 180 days
  • A maximum penalty of $500,000 for violations exceeding 180 days

It's important to understand these penalties are enforced for failure to comply with any FIPA notice requirements including late or incomplete notice, and they do not depend on the number of people affected. 

What types of information does FIPA protect? 

FIPA protects personal information and customer records.

Personal information means either of the following:

  • An individual's first name or first initial and last name in combination with any one or more of the following data elements:
      • A social security number
      • A driver's license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
      • A financial account number or credit card or debit card number, in combination with any required security code, access code or password that is necessary to access the individual's financial account
      • Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
      • An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account

Personal information does not include information about an individual that has been made publicly available by a federal, state or local government entity. Nor does it include information that is encrypted, secured or modified by any other method or technology that removes elements that personally identify an individual or otherwise renders the information unusable.  

Customer records are any material, regardless of form, on which personal information is recorded or preserved by any means, including but not limited to written or spoken words, graphic depictions, and printed or electromagnetically transmitted material, that is provided by a Floridian to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.

How UpGuard can help prevent data breaches

Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches and assess their security controls.

UpGuard BreachSight can help monitor your organization for 50+ security controls, providing simple, easy-to-understand cyber security ratings, and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.

UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and providing vendor questionnaire templates that map to the NIST Cybersecurity Framework and other best practices. We can help you continuously monitor your vendors' security posture over time while benchmarking them against their industry.

Each vendor is rated against 50+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.

Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.

We're experts in data breaches and data leaks; our research has been featured in the New York Times, Wall Street Journal, Bloomberg, Washington Post, Forbes, Reuters and TechCrunch.

If you'd like to see how your organization stacks up, get your free Cyber Security Rating.

Book a demo of the UpGuard platform today.
