What West Palm Beach SMBs need to know about Florida’s Data Protection Law

June 27th, 2019

All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have passed laws forcing businesses to notify residents when their private information has been breached. However, only 22 states have passed laws that require preventive cybersecurity measures.

Florida is one of those states.

It’s OK if you cursed under your breath after reading that. For all their best intentions, cybersecurity regulations are a huge pain, and you’re not the only person who feels this way. So many business owners and decision makers struggle with compliance that an entire industry has sprung up around helping small- and medium-sized businesses (SMBs) meet their legal obligations.

Third-party services like Capstone IT’s Cyber Shield don’t just make the Florida Information Protection Act of 2014 (FIPA) easy to deal with; they make it something you never have to think about again!

If you don’t think this law warrants investing in managed IT services, here are a few things you should consider.

Who must abide by FIPA?

The law applies to every entity that stores or accesses regulated personal information on Florida residents. You don’t even have to conduct business in the state to be defined as a “covered entity.” FIPA’s statutes also affect third-party agents that provide services to a covered entity. If you have any connection to Florida, there’s a good chance FIPA applies to you.

What counts as regulated personal information?

FIPA’s definition of personal information is one of the broadest in the nation. The law protects any digital data with a first name or first initial and last name combined with any of the following:

  • A social security number
  • A driver’s license or ID card number, passport number, or military identification number
  • A credit or debit card number, or a financial account number with a required security code, access code, or password
  • An individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual
  • A username or email address in combination with a password or security question and answer that would permit access to an online account (regardless of whether such sites include more traditional forms of personal information)

FIPA includes exemptions for information that is encrypted both in storage and in transit, which makes your life much easier if you have encryption-ready IT solutions like Office 365.

How can covered entities comply with FIPA?

The requirements of the law fall into two categories: proactive and reactive measures. The former is brief and vague, stating:

“Each covered entity...shall take reasonable measures to protect and secure data in electronic form containing personal information.”

The state of Florida has not defined “reasonable,” and neither have any of the other government agencies that threaten fines for those who fail to comply. Our advice is to treat firewalls, cybersecurity employee training, data encryption, and application patching as the absolute minimum.

FIPA data breach notification requirements

The bulk of the 10-page law deals with how businesses must respond to any event that exposes regulated information to unauthorized parties. The first thing a breached business must do is notify any Floridian whose personal information was exposed.

Notifications must be given directly to individuals in writing or in an email. They must include the date the individual’s information was breached, details about what types of information were breached, and instructions for contacting the breached business for updates.

Second, a breached business must notify the Florida Office of the Attorney General if the event exposed information on more than 500 state residents. If the notification is delivered more than 30 days after the breach is discovered, fines start at $1,000 per day and increase over time, eventually reaching $500,000.

Thirty days may seem like plenty of time to notify authorities, but a forensic investigation to gather the necessary information is a complicated process. A breach notification must include:

  • A detailed report of what led to the breach
  • The number of affected Floridians
  • Any compensation services related to the breach being offered to the affected individuals, such as credit monitoring and instructions for using such services
  • Contact information for a covered entity’s representative from whom additional information may be obtained about the breach
  • Details about notices sent to affected individuals

The Attorney General’s office may also request a police report, IT forensics report, or a copy of the company’s written cybersecurity policies. In breaches with over 1,000 affected Floridians, the covered entity is required to notify credit reporting agencies.

How West Palm Beach SMBs can simplify compliance

Third parties play a big part in FIPA compliance. On one hand, the law specifically states that the burden of compliance rests with covered entities when a third-party provider causes a breach. On the other hand, a third-party provider that specializes in cybersecurity can assist with compliance tasks ranging from IT assessments to cyber insurance and everything in between.

Capstone IT’s Cybershield is a customizable support package for businesses in Stuart, Jupiter, Treasure Coast, and the surrounding areas. Our services are backed by years of experience and a team of certified technicians who act as your single point of contact for all your cybersecurity questions.

Want to learn more about our cybersecurity solutions? Download our free eBook!