Risk Management

Florida’s Information Privacy Act


This article is written by an information security expert, and not an attorney. This article is not intended to be taken as legal advice. If legal counsel is needed regarding FS 501.171, the reader should consult a licensed attorney.

Cybercriminals search the Internet for exploitable opportunities in computer systems. They seek to access confidential information owned by companies and organizations in order to alter, steal, destroy, or otherwise illicitly gain it. Both the threats and vulnerabilities are growing. However, law enforcement officials have not been able to make a dent in cybercrime.

Florida’s law makers have however decided who should bear the lion’s share of responsibility for protecting PII or Personally Identifiable Info. Individuals are now responsible for protecting confidential information if they’re a Florida “covered entity” business.

What is the law (FS501.171)? Are you considered a Florida “covered entity”? Is your data processing system in compliance to Florida’s privacy law Can you show that you have taken reasonable measures to protect confidential information about employees, customers, or others that you hold?

Is your information system robust enough to resist a cyberattack

Are you able to successfully defend yourself against a compliance review?

What are you able to do differently?

To determine if your business is covered under the Information Privacy Act of Florida, you can consult an attorney. If you are involved in the acquisition or maintenance of confidential personal data, it is prudent to assume you are covered.

The Florida law provides a detailed definition of what is protected. It refers to any material, regardless its physical form, that contains personal information. This includes written and spoken words, graphically rendered, printed, or electromagnetically transmitted. These materials are used by individuals for the purpose of purchasing, leasing, or obtaining services.

Florida’s Privacy Act covers personal information such as a person’s social security number. A driver’s license number or identification card number. Passport number. Military identification card. Other similar documents that are used to verify identity. Financial account numbers, credit and debit card numbers with any necessary security codes, access codes, or passwords that are required to allow access to an individual account; information about an individual’s medical history, mental, or physical condition or treatment or diagnosis by a healthcare professional; an individual’s individual health insurance policy number, subscriber identification number, and a unique identifier that is used by a medical insurer to identify the individual.

Confidential information storage would include both paper and hard copies. The covered entity is responsible for protecting the information it collects and cannot delegate its responsibilities (e.g., a cloud storage company).

FS 501.171 provides that all covered entities, governmental entities and third-party agents must take reasonable precautions to secure electronic data that includes personal information.

The Law outlines, among other things, how authorities will report breaches (including the number and notification requirements). These are the possible penalties.

Florida’s Information Privacy Act (FS 501.171) requires that organizations take reasonable steps to protect confidential information. While the Law doesn’t specify in detail what information policies and procedures are required, it does indicate how they should be applied.

There are many security measures and standards that can be used to protect information, none of which have legal force. Many are strong security models that can be used in industry and business. The author believes that every organization should have a policy on information security.

Management guidance is unlikely to be provided. If the organization has not addressed the issue of how confidential information is handled and processed, it would be difficult to meet the “reasonable” protection requirements under FS 501.171.

Protect your confidential information and take aggressive measures against potential intruders.


We are a team of professionals with each having two decades of experience in start-ups, sales, marketing, finance, HR, large scale project and profit centre management and running mature cross functional operations. At Molw.net we are big believers that knowledge transfer is critical to our industry’s evolution. We love to share our experiences and learnings through our online resources.

Related Articles

Back to top button