What do you know about Florida’s information protection statute?

DISCLAIMER: The author of this article is an information security specialist, not an attorney. The opinions contained in this article should not be construed as legal advice. The reader should consult with a licensed attorney if legal advice is required regarding 501.171.

Florida lawmakers created a statute (501.171) that clearly places the responsibility for maintaining the confidentiality of electronically stored “personally identifiable information” (or PII) on business and organization owners.

Basically, the law requires a company to take “reasonable steps” to protect the confidential information that it holds about its employees, customers, and others. Specifically, the law states that “Each covered entity, government entity, or outside agent shall take reasonable steps to protect and secure data in electronic form containing personal information.”

People are beginning to realize how important it is that information is handled securely. The economic losses from cybercrime and the illicit use of information now exceed the total from illicit drug trafficking. The problem is getting worse.

Cybercriminals can and do inflict irreparable harm on individuals, businesses, and national security. Florida’s privacy law was written to address the problem. Most businesses and organizations are considered entities covered by the law. However, very few are aware of what must be done to comply.

Please note the disclaimer statement above.

A careful reading of 501.171 reveals that a “covered entity” means a sole proprietor, partnership, corporation, trust, estate, cooperative association, or other business entity that acquires, maintains, stores, or uses personal information. A covered entity can include a government agency.

Florida law requires that if a covered entity experiences a security breach affecting more than 500 people, that entity must report the matter to the Department of Legal Affairs. Other requirements are specified in the statute. Multiple fines related to an unreported security breach can go up to $250,000.00.

Owners, directors, and managers have a fiduciary responsibility with respect to Florida's privacy law. Ignoring it would be extremely reckless and foolish.

If you do not already have one, you should consider establishing an information security plan that can meet the test of taking “reasonable steps” to protect personally identifiable information.

Managers can limit or even prevent significant damage to their information infrastructure by taking the following reasonable security measures to protect the organization:

1. Establish an information security policy.

2. Inventory all information assets.

3. Classify all information assets according to their criticality.

4. Implement logical and physical access controls.

5. Use network firewalls and intrusion detection devices.

6. Secure open workspace.

7. Protect data in transit.

8. Manage mobile computing.

9. Create an incident response plan.

10. Have a data backup and restore plan for all mission-critical information.

11. Develop a plan to discard or destroy unwanted data.

12. Develop and implement a security awareness program for all employees.

Federal and state organizations are beginning to respond to public demands to protect personally identifiable information. In almost all cases, the burden has fallen on the shoulders of business owners, directors, and managers. Information security should be treated like any other business process (e.g., accounting, finance, manufacturing). Anything else puts an organization at risk.
