Biz Rules: Florida Information Protection Act

Michael S. Taaffe of Shumaker Loop & Kendrick explains the Florida Information Protection Act (FIPA) and consumer data.

By Chelsey Lucas April 1, 2015

by Chelsey Lucas

THE FLORIDA INFORMATION PROTECTION ACT OF 2014 (FIPA) took effect last July to address the increasing threat of cyber data breaches. Businesses that retain private consumer data, which include any personal identifying information like address, phone number, date of birth or credit card information, are at risk for fines of up to $500,000 if the information is hacked.

Michael S. Taaffe, head of the data breach practice group at Shumaker, Loop and Kendrick, LLP’s Sarasota office, says when a breach is discovered, “It must be reported to the Florida attorney general within 30 days. You need to send a letter to every breached consumer and report it to the credit reporting agency so the affected individuals’ credit scores aren’t ruined.” The SLK Group also cites that companies must contact the Florida Department of Legal Affairs within 30 days for breaches affecting more than 500 people. “The key is to quickly shut down [the breach] and collect the data before it reaches the public domain,” he says.

More people are stealing information using their own phones or computers, so companies need to establish procedures.

“A lot of firms allow employees [to work with] their own devices, but they don’t use passwords, limitations or encryptions,” Taaffe adds. So employees simply snap a photo of the personal data with their phones. In this instance, he says, “No one knows they’re taking it, so we [have to] get a court order to review the devices.”

Statistically, every company has probably been breached by one or two sources,” Taaffe says. “Businesses must take precautions.” ■

Filed under
Show Comments