Guide to the Florida Information Protection Act (FIPA)

The Florida Information Protection Act of 2014 requires certain data protection measures from entities that acquire, use, store, or maintain Florida state residents’ personal information. It also mandates that covered entities take certain steps in the event of a breach of that information.

What types of businesses are subject to FIPA?

Under FIPA, covered entities include both organizations with and without a physical footprint in Florida. All associations, cooperatives, estates, trusts, corporations, sole proprietorships, NGOs, commercial entities, and government organizations that acquire, use, store, or maintain the personally identifiable information (PII) of individuals in the state are subject to the statute.

A breach is defined as unauthorized access to electronic data that contains PII. PII means an individual’s first name or first initial and last name in combination with any of the following:

  • ID card number, driver’s license, military identification number, passport number, or any such number present on a government document, which can be used to verify the identity of an individual
  • Social security number
  • Debit/credit card number or financial account number in combination with the password, access code, or security code that allows access to an individual’s financial account
  • Information pertaining to the mental or physical condition, diagnosis, or medical treatment by a health care professional
  • The medical history of an individual
  • Health insurance policy numbers or subscriber identification number
  • Other identification numbers or unique identifiers that can be used by health insurers to identify an individual
  • Email addresses or usernames in combination with passwords (or Security Q&A) that can be used to gain access to an individual’s online account

Key requirements of FIPA

Data security requirements:

“Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.”

Notification requirements for security breaches:

Once an organization has determined that a breach has occurred, it must report the breach to the Department of Legal Affairs no later than 30 days after that determination. The organization may receive 15 additional days to provide notice if it submits good cause for the delay in writing to the Department within 30 days after the determination that a breach occurred.

Such notice needs to include:

  • Number of individuals in Florida who were or potentially have been affected by the breach
  • Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services
  • The name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information about the breach may be obtained

For breaches affecting 500 or more persons, FIPA also requires organizations to include particular additional facts in their notice. If 1,000 or more persons are affected, entities should also send notices to the nationwide consumer credit reporting agencies.

The organization must also notify each individual in the state whose personal information was accessed as a result of the breach.

Further, third-party firms that maintain security systems for covered entities have up to 10 days to report breaches to those entities. On receiving this notice, the covered entity becomes responsible for providing the required notices within the 30-day notice period.

FIPA Enforcement and Penalties for Non-Compliance

FIPA authorizes Florida’s Department of Legal Affairs to bring enforcement actions against organizations that commit statutory violations. Entities that fail to provide the notices required under FIPA violate Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) and are subject to the following civil penalties:

  • $1,000 a day for the first 30 days,
  • $50,000 subsequently for any 30-day period up to 180 days, and
  • $500,000 as the maximum amount of penalties for violations exceeding 180 days.

FIPA: Frequently Asked Questions

FIPA protects personal information that can be used to identify an individual. This includes an individual’s first name or first initial and last name in combination with one or more of the following data elements when not encrypted:

  • Social Security Number (SSN)
  • Driver’s license or state identification card number
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Medical information, which includes any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
  • Health insurance information, such as policy number, subscriber identification number, or any other unique identifier used by a health insurer
  • Online account credentials, including email addresses and passwords or security questions and answers that permit access to an online account

The FIPA request protocol refers to the process by which individuals or entities request information about how their personal data is being handled, especially in the event of a breach. Although FIPA does not explicitly define a “request protocol,” it mandates that businesses and governmental entities establish and maintain protocols for managing personal information securely. These protocols should ensure that individuals can make inquiries or requests about their personal data, and organizations should have mechanisms in place to respond to such requests promptly. This may include providing details on how personal data is being stored, used, or shared, especially in the context of data breaches.

In Florida, PII is defined as any information that can be used to identify an individual either directly or indirectly when combined with other specified data elements. Under FIPA, this includes, but is not limited to, an individual’s first name or first initial and last name combined with any of the following:

  • Social Security Number (SSN)
  • Driver’s license or state identification card number
  • Financial account numbers, credit or debit card numbers, in combination with any security or access codes
  • Medical information or health insurance details
  • Online account credentials, such as email addresses and passwords or security questions and answers

PII also extends to any other data that can be used, either alone or in conjunction with other information, to identify a person or their private information.

FIPA defines a data breach as the unauthorized access to, or acquisition of, electronic data that compromises the security, confidentiality, or integrity of personal information. This applies to situations where personal information is not encrypted or was improperly secured, making it vulnerable to exposure. A breach under FIPA involves any event where there is reason to believe that unauthorized individuals have accessed or obtained this sensitive information, potentially leading to identity theft or other forms of fraud.

Under FIPA, third-party service providers play a critical role in maintaining data security. If a third-party service provider experiences a data breach involving personal information they manage on behalf of another entity, they are required to notify the primary entity as soon as possible. The primary entity is then responsible for notifying affected individuals and the Florida Department of Legal Affairs if the breach involves more than 500 individuals. This requirement ensures that the responsibility for data protection is extended through the supply chain, holding third-party providers accountable for the security of the personal information they handle.

While FIPA does not prescribe specific technical standards or security measures, it requires that entities take “reasonable measures” to protect and secure personal information from unauthorized access, use, destruction, or disclosure. This means that organizations must implement appropriate physical, administrative, and technological safeguards based on the sensitivity of the data they handle. Examples of reasonable measures might include data encryption, access controls, regular security assessments, employee training, and incident response planning. Entities must ensure that these measures are sufficient to protect against the identified risks and are updated as needed to address emerging threats.

FIPA mandates that affected individuals be notified within 30 days of discovering a data breach. The 30-day period begins from the date the entity determines that a breach has occurred and that it poses a risk to individuals’ personal information. If more than 500 individuals are affected by the breach, the entity must also notify the Florida Department of Legal Affairs within the same 30-day period. Entities may request an additional 15 days (totaling up to 45 days) if good cause for the delay is provided in writing. In certain cases, where a breach involves particularly sensitive information or has significant implications, entities may need to notify consumer reporting agencies and other relevant bodies as part of their notification obligations.

If an entity cannot meet the 30-day notification deadline, FIPA requires the entity to provide a written notice to the Florida Department of Legal Affairs, explaining the reasons for the delay. This notice must include the reasons why the 30-day requirement could not be met and an estimated time frame for when the notifications will be completed. Acceptable reasons for delay might include the need for additional time to accurately determine the scope of the breach or to restore the integrity of the data system. However, entities should aim to notify affected individuals as soon as possible, as delays can increase the risk of harm to those impacted by the breach.

A breach notification under FIPA must include several key elements to ensure that affected individuals are fully informed about the incident and how they can protect themselves. The notification should contain:

  • A description of the incident in general terms, including what happened and when it occurred
  • The types of personal information that were accessed or acquired during the breach
  • The steps that the entity has taken to address the breach and mitigate its effects
  • Contact information for the entity, including a toll-free number or email address that individuals can use to get more information or assistance
  • Recommendations for individuals on how to protect themselves, such as monitoring their accounts, placing fraud alerts, or obtaining credit reports

The notification may also include information about any services, such as credit monitoring, that the entity is offering to affected individuals as a precautionary measure.

FIPA is one of several state-level data protection laws in the United States that address the protection of personal information and the notification requirements following a data breach. It is similar to, but distinct from, other state laws such as the California Consumer Privacy Act (CCPA) and Massachusetts’ Data Security Law. FIPA may overlap with federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which impose additional requirements on specific industries like healthcare and finance. Entities subject to these federal regulations may be exempt from certain aspects of FIPA, provided they comply with the applicable federal requirements. However, entities should carefully assess their compliance obligations under both state and federal laws to ensure they meet all relevant standards and avoid penalties.

Hyperproof makes FIPA compliance simple

  • Leverage an out-of-the-box FIPA framework template so you can get started quickly and seamlessly
  • Easily map FIPA controls to other frameworks relevant to your business
  • Accelerate your compliance process to meet FIPA requirements efficiently
  • Seamlessly integrate with your existing project management and security tools, like ServiceNow, Jira, and Asana
  • Reuse evidence across multiple frameworks and standards
  • Efficiently and continuously collect and store evidence to support your FIPA compliance efforts
