[BreachExchange] Florida privacy law adds breach notification and strengthens compliance

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 2 15:31:12 EDT 2016


http://www.csoonline.com/article/3112741/leadership-management/florida-privacy-law-adds-breach-notification-and-strengthens-compliance.html

We all remember from our early education learning about the three major
branches of government in the US: The executive, the legislative and the
judicial branches. But how does our legal system work to create privacy law
for all our different business sectors?

Hint: it’s not how they do it in Europe. We begin by looking at
Constitutional law. The U.S. and state Constitutions are the primary source
of law in America. However, a state Constitution may afford more privacy
protection than the broader U.S. Constitution. Enter the FIPA act of 2014
from the state of Florida.

The Florida Information Protection Act. Each state has its own flavor of
data privacy law if it has one at all. FIPA says, "An act relating to
security of confidential personal information; providing a short title;
repealing s. 817.5681, F.S., relating to a breach of security concerning
confidential personal information in third-party possession; creating s.
501.171, F.S.; providing definitions; requiring specified entities to take
reasonable measures to protect and secure data containing personal
information in electronic form; requiring specified entities to notify the
Department of Legal Affairs of data security breaches; requiring notice to
individuals of data security breaches under certain circumstances..."

That's how the Florida statute reads, but what does it really mean when it
comes down to the responsibility to secure patient records or your
company's Personally Identifiable Information?

Florida's expanded law places even more emphasis on organizations to
safeguard data. Before, the definition of breach meant it was unlawful and
unauthorized. Now it's just unauthorized. The statute now requires a
notification to the Attorney General for breaches, which is a big change.
It requires consultation with local law enforcement; before, it was
optional.

This act may be cited as the “Florida Information Protection Act of
2014.”

What is required:

Appraise policies and procedures to verify that they are implemented
effectively.
Set up reporting for large printing jobs.
Limit access to sensitive information.
Review all employees' access to systems, data, and sensitive areas.
Review business associate and contractor agreements and security.
Consider the role of bring-your-own-device (BYOD) policies.
Assess physical security, as well as cyber security.
Ensure that customer record disposal policies meet new legal provisions.
Create an investigative and reporting process if a breach occurs.
Select an external partner for forensic investigations, audits, and other
data breach services.

Differs from European legal system

A great way to look at the differences between US law and Europe is to use
Safe Harbor as an example.

US privacy principles and their impact on international agreements like
Safe Harbor. The United States takes a sectoral approach to information
privacy, so specific laws protect privacy rights for a given industry or
sector. We don’t have one broad privacy rights standard for all, as is the
case in Europe. This led to our headaches with the now defunct Safe Harbor
law.

USA Privacy Principles. By now we are all familiar with the US-Europe Safe
Harbor meltdown. Safe Harbor was an international agreement between Europe
and the USA that was supposed to assure that Europeans' data privacy was
protected to their high standard while their data was on US servers.
However, it was challenged by Max Schrems, who filed complaints against
several U.S. Internet giants, including Facebook, for collaborating with
US government surveillance activities.

So as the US was surveilling Facebook and other US companies, it was not
just US citizens' data within its scope; it was the entire global internet
population. Surprise! So, as usual, the technology and its capabilities were
far ahead of our ability to regulate it.

After 15 years of Safe Harbor, which some 4,700 companies, including the
world's global business giants, relied on for international data exchange,
privacy concerns shot it down almost overnight. The new law that replaces
Safe Harbor is the EU-US Privacy Shield.

At the end of the day, all countries, including the US, need to continue to
implement a balanced surveillance program to protect their citizens from
terrorism and other international illegal activities, including drug and
human trafficking. Ever since Edward Snowden compromised the NSA’s
surveillance program, it has been an ongoing battle to determine how to do
this in a balanced way that everyone agrees with. It’s ironic that Snowden
had to flee to China and eventually Russia, the true protectors of freedom
and democracy, who certainly value your privacy, correct?

State privacy laws like FIPA

There are many laws at the state level that regulate the collection and use
of personal data, and the number grows each year. We know from our legal
primer that federal laws preempt state laws. Most states have enacted some
form of privacy legislation; however, California leads the way in the
privacy arena, having enacted multiple privacy laws, some of which have
far-reaching effects at a national level. California was the first state to
enact a security breach notification law (California Civil Code §1798.82).
The law requires any person or business that owns or licenses computerized
data that includes personal information to disclose any breach of the
security of the system to all California residents whose unencrypted
personal information was acquired by an unauthorized person.

Most of the early state security breach notification laws mirrored
California's law and tended to be reactive; that is, they established
requirements for responding to a security breach. But what about compliance
for preventing a breach? More recently, a number of states have enacted
more prescriptive and preventative laws; that is, these laws are more
stringent and actually establish requirements to avoid a security breach.

As an IT auditor in security and compliance, this is very good news! The
best example of a preventative-type law is the Massachusetts Regulation
(201 CMR 17.00), which prescribes in considerable detail an extensive list
of technical, physical and administrative security protocols aimed at
protecting personal information, which affected companies must implement in
their security architecture and describe in a comprehensive written
information security policy.

The bottom line is that U.S. and European laws are very different in their
approach. The U.S. has state laws versus a broad national law in Europe to
cover privacy for all industries. The FIPA state law strengthens
accountability for all enterprises across all business sectors. FIPA
helps assure that what really matters in data compliance is met, and adds a
bit more! Also remember to visit your state's legal portal to see the whole
State Statute, as in the example below for Florida.