
What do you know about Florida’s data protection status?

DISCLAIMER: The author of this article is an information security specialist, not a lawyer. The opinions contained in this article should not be construed as legal advice. The reader should consult with a licensed attorney if legal advice is required in connection with 501.171.

Florida legislators created a statute (501.171) that clearly places on the owners of businesses and organizations the responsibility to maintain the confidentiality of electronically stored “personally identifiable information” (or PII).

Basically, the law requires a company to take “reasonable steps” to protect the confidential information it has about employees, customers, and others. Specifically, the law states that “Each covered entity, government entity, or outside agent shall take reasonable steps to protect and secure data in electronic format that contains personal information.”

People are starting to realize how important it is that information is processed securely. Financial losses from cybercrime and the illegal use of information now exceed the total from illegal drug trafficking. The problem is getting worse.

Cybercriminals can and do inflict irreparable damage to individuals, businesses, and national security. Florida’s privacy law was written to address the problem. Most businesses and organizations are considered covered entities under the law. However, very few are aware of what must be done to comply.

Please note the disclaimer statement above.

A careful reading of 501.171 reveals that a “covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative association, or other business entity that acquires, maintains, stores, or uses personal information. A covered entity may include a government agency.

Florida law requires that if a covered entity experiences a security breach that affects more than 500 people, that entity must report the matter to the Law Department. Other requirements are specified in the transcript. Various fines related to an unreported security breach can amount to $250,000.00.

Owners, directors, and managers have a fiduciary responsibility to become familiar with Florida privacy law. Ignoring it would be extremely reckless and foolish.

If you do not already have one, you should consider establishing an information security plan that can stand the test of the “reasonable steps” requirement for protecting personally identifiable information.

Managers can limit or even prevent significant damage to their information infrastructure by taking the following reasonable security measures to protect the organization:

1. Establish an information security policy.

2. Inventory all information assets.

3. Classify all information assets in terms of their criticality.

4. Implement logical and physical access controls.

5. Use network firewalls and intrusion detection devices.

6. Secure open work space.

7. Protect data in transit.

8. Manage mobile computing.

9. Create an incident response plan.

10. Have a data backup and restore plan for all mission-critical data.

11. Develop a plan to discard or destroy unwanted data.

12. Develop and implement a security awareness program for all employees.

Federal and state organizations are beginning to respond to public demands to protect personally identifiable information. In almost all cases the burden has fallen on the shoulders of business owners, directors, and managers. Information security should be treated like any other business process (e.g., accounting, finance, manufacturing). Anything less puts an organization at risk.
