Florida’s Information Privacy Act


The author of this article is an information security specialist, not an attorney. The opinions contained in this article should not be construed as legal advice. The reader should consult with a licensed attorney if legal counsel is required relative to FS 501.171.


Cybercriminals prowl the Internet looking for openings in computer systems to exploit. They want to steal, alter, destroy or otherwise illicitly gain access to the confidential information held by businesses and organizations. Both vulnerabilities and threats are growing. Law enforcement officials have been unable to put a “dent” in cybercrime.

Lawmakers in Florida, however, have decided who should have the lion’s share of the responsibility for protecting Personally Identifiable Information (PII). If you are a “covered entity” or business in Florida, you now have the responsibility of protecting confidential information.

Do you know what the law (FS 501.171) requires? Are you a “covered entity” under Florida law? Is your data processing system set up to be in compliance with Florida’s privacy law? Can you prove that you have taken the “reasonable measures” that the law requires to protect the confidential information that you possess on employees, customers and others?

Is your information system strong enough to deter a cyber attack?

Would you successfully be able to defend yourself against a compliance audit?

What can you otherwise do?

You can consult with an attorney to determine if you are covered by the provisions of Florida’s Information Privacy Act. The wise and prudent thing to do would be to assume that if you are acquiring or maintaining confidential personal data on people, you are likely considered to be a covered entity.

Florida’s law includes a lengthy definition as to what is protected. It is: any material, regardless of physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphically depicted, printed or electromagnetically transmitted that are provided by an individual for the purpose of purchasing or leasing a product or obtaining a service.

The personal information covered under Florida’s Privacy Act would include a person’s Social Security number, a driver’s license or identification card number, passport number, military identification card or other similar documents used to verify identity. Additionally included are financial account numbers, credit or debit card numbers with any required security codes, access code, or password that is necessary to permit access to an individual account; any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by an individual’s health care professional; or an individual’s health insurance policy number or subscriber identification number and a unique identifier used by a health insurer to identify the individual.

The storage of confidential information would appear to include all “hard copy” or paper records and those stored by a cloud service. The covered entity is solely responsible for securing the information it collected and cannot transfer its responsibilities to a third party (such as a cloud storage company).

FS 501.171 states that each covered entity, governmental entity or third-party agent shall take reasonable measures to protect and secure data in electronic form that contains personal information.

The law states, among other provisions, how breaches will be reported to authorities (including the number of compromised records and notification requirements). Possible fines are included.

Florida’s Information Privacy Act, FS 501.171, requires that organizations take reasonable measures to handle confidential information. The law doesn’t precisely dictate, however, the details of what information policies and procedures should be used.

There are a number of information security controls and standards, none of which carry the force of law. However, many are considered to be very robust security models that are used in business and industry. Organizations, in the opinion of the author, should at least have an information security policy.

Otherwise, guidance from management is likely absent. Meeting the test of “reasonable” measures to protect under FS 501.171 would be challenging if the organization had failed to address the topic of how it officially handled or processed confidential information.

You should always take aggressive steps against possible intruders and protect the confidential information in your possession.

Using Call Forwarding To Protect Your Privacy

Personal protection is more important than ever today. With identity theft, scammers, and intrusive telemarketers trying to get a hold of your personal information, it’s important to use safeguards that protect your information and keep you from being scammed. Most people think of protecting personal information such as their home phone and address, but if you run a business you need to think about protecting your business information, too.

If you run a business where you use your mobile phone number as your primary contact, you should consider using call forwarding to protect your privacy. Since you don’t always know who will be calling your business line, it’s best to keep that number private or use a virtual number that is forwarded to your main line. It is possible for people to locate an address from a blocked number, and with the resources they can locate the owner of a cell number, so you can protect your personal and business information by having your calls forwarded to your business line.

How Call Forwarding Works

When using this feature, the provider will assign you a virtual number. Your actual phone number will be linked to this virtual number. When a client dials the virtual number, it will automatically ring through to your phone. The virtual number is not traceable to you, so you are able to keep your information private.

You can attach the number to any phone, so you can receive calls on your mobile phone, at home, or in the office. If you’d like business calls to ring through to your home while you’re working from home, the call forwarding will redirect the call to your home, but the client will never know that you are at home. Your clients don’t realize that they are being connected to a different number when they call since the transfer is seamless and seems like a regular phone call.

How It Protects Your Privacy

With the advancement of online searches, people can now do a reverse lookup. This allows someone to type in a phone number and receive the name and address of the owner. If the person is willing to pay a small fee, they can also receive more personal information regarding the owner of that phone number. This puts a lot of personal information at anyone’s fingertips, and when you run a business you don’t necessarily want everyone knowing your personal business.

When you use a virtual number, you are being assigned a special number through a calling company. When a client dials the number, they are still connected to your regular phone but you won’t show up as the owner of the virtual number. This means that all of your personal information remains confidential. If a client looks up your phone number and is able to locate personal information, such as your address, you run the risk of them showing up at your home or business unannounced. By using call forwarding, you don’t have to worry about unannounced visitors or people using your information in an unethical way.