Florida Information Protection Act (FIPA)
When it comes to protecting customer’s personal information, Florida means business. The Florida Information Protection Act (FIPA) which came into effect in mid-2014 applies to every business and government entity that stores the information of Florida residents. Essentially, this act:
- Expands the definition of ‘personal information’ that every entity is legally bound to safeguard
- Establishes stricter breach notification protocols than most other states in the US.
Learn More about this Act and How it Applies to Your Business
At Crown Information Management, we are well-versed with all aspects of FIPA and help several Florida businesses remain compliant with the act through:
- Secure management, storage and disposal services for paper based and electronic records.
- Training and consulting services to help clients’ streamline internal processes and policies related to data security and breach notifications.
Protect Your Customer’s Personal Information and Remain Compliant with FIPA
There are two key components to FIPA, a proactive and a reactive one.
- It informs businesses what they must do to protect customer information.
- It specifies what businesses must do if they experience a breach that involves their customers’ personally identifiable information (PII).
- Who does FIPA apply to? Even if you do not have a physical footprint in Florida, FIPA may be applicable to you. It covers all types of commercial and government entities, as well as trusts, estates, associations and non-profit organizations who collect, use, or store the PII of Florida residents.
- What is the scope of PII under FIPA? Typically, PII refers to the first name, last name, driver’s license, passport, military identification number, social security number, debit or credit card information, and financial account number. FIPA’s expanded definition of PII includes any information related to the individual’s mental or physical condition, medical history, or health insurance policies. It also includes email addresses, user names, secure passwords, or any other unique identifiers that can disclose the identity of the individuals, or give access to their health-related online accounts.
- What are the breach notification requirements under FIPA? Here are the key highlights of the act:
- It reduces the time period allowed for reporting a breach. Instead of 45 days, you will now have to report a breach within 30 days of identifying it.
- If the breach affects 500 persons or more, you must provide notice of the particulars to Florida’s Department of Legal Affairs.
- If the number of affected persons in the breach is 1,000 or more, you are required to send notices to nationwide consumer credit reporting agencies.
- If your entity is subject to federal regulation, you may be able to get extensions on the applicable notice requirements by sending requisite notice to the Department of Legal Affairs.
The bottom line is that FIPA expects you to ensure prompt coordination with law enforcement agencies for better containment and management of the losses that occur from a breach. Non-compliance with FIPA requirements will place your entity in violation of Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA). You may also incur heavy civic penalties.
- How can you remain compliant with FIPA? If your entity conducts any business with Florida customers, you should:
- Evaluate your current systems and policies for data security and invest in necessary upgrades for safeguarding the physical and digital PII of your customers.
- Ensure that you are using appropriate measures for safe destruction of information.
- Review and update your agreements with third party agencies who have access to your customers’ PII.
- Review and improve your internal mechanisms to ensure compliance with FIPA’s breach reporting protocols.
As the information protection and breach notification landscape evolves, newer laws and statutes will continue to emerge. Knowing which ones apply to your business, and remaining compliant with each of them will be a critical component of running a successful business. The experts at Crown Information Management could help your company meet its compliance goals in a reliable, efficient, and cost-effective manner. As a SOC1 Level 2 Report, NAID AAA and PCI Certified company, we are knowledgeable about multi-industry laws and regulations, including FIPA, HIPAA, FACTA, FERPA, GLBA and more. You can count on us for a wide range of solutions for secure storage and destruction of physical and digital records.
To know more about our various services, call Crown Information Management at 800-979-9545, or contact us online.