• United States




Florida privacy law adds breach notification and strengthens compliance

Sep 02, 20166 mins
Data and Information SecurityData BreachGovernment

Understanding how U.S. law works to protect our privacy.

We all remember from our early education learning about the three major branches of government in the US: The executive, the legislative and the judicial branches. But how does our legal system work to create privacy law for all our different business sectors?

Hint.. it’s not how they do it in Europe. We begin by looking at Constitutional law. The U.S and state Constitutions are the primary source of law in America. However a state Constitution may afford more privacy protection than the broader U.S. Constitution. Enter the FIPA act of 2014 from the state of Florida. 

The Florida Information Protection Act. Each state has its own flavor of data privacy law if it has one at all. FIPA says, “An act relating to security of confidential personal information; providing a short title; repealing s. 4 817.5681, F.S., relating to a breach of security concerning confidential personal information in third-party possession; creating s. 501.171, F.S.; providing definitions; requiring specified entities to take reasonable measures to protect and secure data containing personal information in electronic form; requiring specified entities to notify the Department of Legal Affairs of data security breaches; requiring notice to individuals of data security breaches under certain circumstances…”

That’s how the Florida statute reads but what does it really mean when it comes down to the responsibility to secure patient records or your companies Personally Identifiable Information?

Florida’s expanded law places even more emphasis on organizations to safeguard data. Before, the definition of breach meant it was unlawful and unauthorized. Now it’s just unauthorized. The statute now requires a notification to the Attorney General for breaches, which is a big change. It requires consultation with local law enforcement; before, it was optional.

This act may be cited as the “Florida 29 Information Protection Act of 2014.  

 What is required:  

  • Appraise policies and procedures to verify that they are implemented effectively.
  • Set up reporting for large printing jobs.
  • Limit access to sensitive information.
  • Review all employees’ access to systems, data, and sensitive areas.
  • Review business associate and contractor agreements and security.
  • Consider the role of bring-your-own-device (BYOD) policies.
  • Assess physical security, as well as cyber security.
  • Ensure that customer record disposal policies meet new legal provisions.
  • Create an investigative and reporting process if a breach occurs.
  • Select an external partner for forensic investigations, audits, and other data breach services.

Differs from European legal system

A great way to look at the differences between US law and Europe is to use Safe Harbor as an example. 

US Privacy Principle’s and their impact on international agreements like Safe Harbor. The United States takes a sectoral approach to information privacy. So specific laws protect privacy rights for a given industry or sector. We don’t have one broad privacy rights standard for all as is the case in Europe. This led to our headaches with the now defunct Safe Harbor law.

USA Privacy Principles. By now we are all familiar with the US Europe Safe Harbor law meltdown. Safe Harbor was an international agreement with Europe and the USA that was supposed to assure that Europeans data privacy was protected to their high standard while their data was in US servers. However it was challenged by Max Schrems who filed complaints against several U.S. Internet giants including Facebook for collaboration with the US government surveillance activities.  

So as the US was surveilling Facebook and other US companies, it was not just US citizens data within its scope, it was the entire global internet population. Surprise! So as usual the technology and its capabilities was far ahead of our ability to regulate it.

After 15 years of Safe Harbor that some 4,700 companies relied on for international data exchange which ran the worlds global business giants, privacy concerns shot it down almost overnight. The new law that replaces Safe Harbor is EU-US privacy shield.  

At the end of the day all countries including the US need to continue to implement a balanced surveillance program to protect their citizens from terrorist and other international illegal activities to include drug and human trafficking. Ever since Edward Snowden compromised the NSA’s surveillance program, it has been an ongoing battle to determine how to do this in a balanced way that everyone agrees with. It’s ironic that Snowden had to flee to China and eventually Russia the true protectors of freedom and democracy, who certainly value your privacy correct?

State privacy laws like FIPA

There are many laws at the state level that regulate the collection and use of personal data, and the number grows each year. We know from our legal primer that federal laws preempt state laws. Most states have enacted some form of privacy legislation, however California leads the way in the privacy arena, having enacted multiple privacy laws, some of which have far-reaching effects at a national level. California was the first state to enact a security breach notification law (California Civil Code §1798.82). The law requires any person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system to all California residents whose unencrypted personal information was acquired by an unauthorized person.

Most of the early state security breach notification laws mirrored California’s law, and tended to be reactive, that is, they established requirements for responding to a security breach. But what about compliance for preventing a breach? More recently, a number of states laws have enacted more prescriptive and preventative laws, that is, these laws are more stringent and actually establish requirements to avoid a security breach.

As an IT auditor in security and compliance this is very good news! The best example of a preventative-type of law is the Massachusetts Regulation (201 CMR 17.00), which prescribes in considerable detail an extensive list of technical, physical and administrative security protocols aimed at protecting personal information that affected companies must implement into their security architecture, and describe in a comprehensive written information security policy.

The bottom line is that U.S. and European laws are very different in their approach. The U.S.  has state laws vs a broad national law in Europe to cover privacy for all industries. FIPA  state law strengthens accountability for all enterprises which include all business sectors. FIPA helps assure what really matters in data compliance is met and adds a bit more! Also remember to visit your state’s legal portal to see the whole State Statute as in this example below for Florida.


A senior security and compliance specialist, George Grachis has over 25 years’ experience in the tech sector. Some of his experience includes over a decade supporting the Space Shuttle program for Computer Sciences Corporation & Grumman Aerospace, security management for CFE Federal Credit Union, IT auditing & consulting for Deloitte and serving as Chief Security Officer for Satcom Direct.

George holds both the CISSP, and CISA certifications. George received the ISSA fellow Designation in 2016 and is currently an active senior board member of ISSA. George has been interviewed by WFTV ABC TV and Fortune Magazine. When not working he enjoys spending time with family & friends, Big Brothers Big Sisters, Playing the Drums, motorcycling, fitness, and writing articles for his blog, Virtual CISO.

The opinions expressed in this blog are those of George Grachis and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.