On June 20th, Governor Scott signed into law the Florida Information Privacy Protection Act of 2014 (§ 501.171(2014)). FIPA has several new components including requirements that a “covered entity” as defined in FIPA (basically any business that possesses “personal information”), take “reasonable measures to protect and secure data in electronic form containing ‘personal information’”.   Moreover and also new, is that a breach of security affecting 500 or more people shall mandatorily be reported—including certain prescribed information—to the Florida Department of Legal Affairs. FIPA continues to require notice to individuals and provides for methods of providing such notice.   Furthermore, FIPA now requires that the defined “personal information” be disposed of by “shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable through any means.” Breach of FIPA is now statutorily considered to be an unfair and deceptive trade practice for which statutory penalties are available.

What should your company do? At a minimum, these five things:

  1. 1. Determine whether your company possesses statutorily defined “personal information”;
  2. 2. If so, consider whether your company needs to possess “personal information” at all;
  3. 3. Review your data security policies, procedures and actual practices to assure that they provide“reasonable measures” to protect and secure such data;
  4. 4. Verify that your policies and procedures set out the appropriate protocols to comply with the notification requirements;
  5. 5. Consider whether your insurance policies provide coverage for data breach and notification.

The full text of FIPA is found here:


Should you company need assistance with its data security policies and procedures, please contact one of the Lowndes, Drosdick, Doster, Kantor & Reed, PA privacy attorneys to assist you.

Be Sociable, Share!