Florida’s Information Privacy Act


The author of this article is an information security specialist, not an attorney. The opinions contained in this article should not be construed as legal advice. The reader should consult with a licensed attorney if legal counsel is required relative to FS 501.171.

Cybercriminals prowl the Internet looking for openings in computer systems to exploit. They want to steal, alter, destroy or otherwise illicitly gain access to the confidential information held by businesses and organizations. Both vulnerabilities and threats are growing. Law enforcement officials have been unable to put a “dent” in cybercrime.

Lawmakers in Florida, however, have decided who should bear the lion’s share of the responsibility for protecting PII (Personally Identifiable Information). Individuals now carry the responsibility of protecting confidential information if they are a “covered entity” or business in Florida.

Do you know what the law (FS 501.171) requires? Are you a “covered entity” under Florida law? Is your data processing system set up to be in compliance with Florida’s privacy law? Can you prove that you have taken the “reasonable measures” that the law requires to protect the confidential information that you possess on employees, customers and others?

Is your information system strong enough to deter a cyber attack?

Would you successfully be able to defend yourself against a compliance audit?

What can you otherwise do?

You can consult with an attorney to determine if you are covered by the provisions of Florida’s Information Privacy Act. The wise and prudent thing to do would be to assume that if you are acquiring or maintaining confidential personal data on people, you are likely considered to be a covered entity.

Florida’s law includes a lengthy definition as to what is protected. It is: any material, regardless of physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphically depicted, printed or electromagnetically transmitted that are provided by an individual for the purpose of purchasing or leasing a product or obtaining a service.

The personal information covered under Florida’s Privacy Act would include a person’s social security number, a driver’s license or identification card number, passport number, military identification card or other similar documents used to verify identity. Additionally included are financial account numbers, credit or debit card numbers with any required security codes, access code, or password that is necessary to permit access to an individual account; any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by an individual’s health care professional; or an individual’s health insurance policy number or subscriber identification number and a unique identifier used by a health insurer to identify the individual.

The storage of confidential information would appear to include all “hard copy” or paper records and those stored by a cloud service. The covered entity is solely responsible for securing the information it collected and cannot transfer its responsibilities to a third party (such as a cloud storage company).

FS 501.171 states that each covered entity, governmental entity or third-party agent shall take reasonable measures to protect and secure data in electronic form that contains personal information.

The Law states, among other provisions, how the breaches will be reported to authorities (including the number of compromised records and notification requirements). Possible fines are included.

Florida’s Information Privacy Act, FS 501.171 requires that organizations must take reasonable measures to handle confidential information. The Law doesn’t precisely dictate, however, the details of what information policies and procedures should be used.

There are a number of information security controls and standards, none of which carry the force of law. However, many are considered to be very robust security models that are used in business and industry. Organizations, in the opinion of the author, should at least have an information security policy.

Otherwise, guidance from management is likely absent. Meeting the test of “reasonable” measures to protect under FS 501.171 would be challenging if the organization had failed to address the topic of how it officially handled or processed confidential information.

You should always take aggressive steps against possible intruders and protect the confidential information in your possession.

Partnerships – Eight Lessons We Can Learn From Brexit

On 23 June, the British public made an unexpected and dramatic decision that has not only laid the path for a less than friendly divorce from the EU, but also opened a rift between the partner countries of the United Kingdom. This decision exemplifies partnership relationships, however large or insignificant they may be.

Partnerships are complicated. If the foundations are not solid, you are laying down the path to ultimate collapse. So what lessons can we learn from recent events and how can we avoid our own Brexit partnership crises?

8 Lessons we can learn from Brexit

1 Stay focussed on the ultimate goal

When the founding fathers, Monnet and Schumann, dreamed of a united Europe, their dream was a Europe where no country would be able to take up arms against another. The memory of the carnage of war was raw and strong enough for six European nations to come together to form the European Coal and Steel Community which evolved into the European Economic Community.

Fast forward 40 years and under Jacques Delors, the 12 European member nations evolved into the Single Market, adding the free movement of goods, services, capital and labour to the Vision. This would evolve into a shared services arrangement like no other, spreading over time to 28 countries in total.

A great Vision in principle but difficult to achieve in practice, particularly as the four freedoms would exist best in an environment where language, sovereignty and identity were secondary to the ideal of a one tier Europe without the threat of war.

A vision personifies the ultimate goal and will take time to achieve. Partners to the vision will come up with a series of strategic plans, each with interim goals, all focussing on the ultimate vision. This is where the dreams of the founders begin to differ from expectations that evolve over time. The strategies will involve giving up a level of control. This has to be earned through trust; not blind trust, but trust earned and communicated over and over again. Lack of communication, infighting and bad publicity can easily damage the whole process.

For some, the EU was out there and, apart from usually negative publicity in the newspapers (to increase sales), Europe wasn’t perceived as doing a lot except opening the floodgates for more foreign nationals to come and take their jobs. In the lead up to the 23 June referendum, proponents of the exit vote were able to capitalise on the lack of clarity about what the EU does by feeding on fear of not being in control of the national interest.

Partners bring to the Vision their own expectations and ideologies. A business partnership may have a Vision based on the pooled resources of two or more companies who are looking to strengthen their market share. A community partnership may have a vision that improves the lives of individuals and communities. In all cases, each partner will come to the table with their own expectations. How do they achieve the vision?

2 Agendas can change

Every partner comes to the table with an agenda. The visible items are put on the table, but some remain hidden. Agendas also change when circumstances change for partners. These can include financial, management and social circumstances. The UK has a reputation of being up front with its agenda even when at odds with the other European powers. In 1984 Margaret Thatcher successfully fought for a better financial arrangement and in the 1990s John Major was successful in excluding the UK from the Social Chapter of the Maastricht Treaty. These exemplify the relationship between the UK and our European partners and explain the comments around the less than happy marriage and expected rocky divorce.

Agendas underpin need. For each country, there is an identified perceived need to be in the Union. France wanted to harness post-war West Germany. Britain wanted to halt economic decline.

In the world of partnerships, it is vital for each partner to declare their agenda if they are to foster long term trust. Unfortunately, this is not always the case and partners can hold back the real reason they are interested in the partnership. Without due diligence, partners could find themselves at the wrong end of a hostile situation or find themselves in financial strife because they were not aware of a partner’s intention to use the partnership for personal gain.

3 Build Partnerships on solid foundations

Like the story of the foolish builders that built their houses on the sand, partnerships that are built on hollow foundations easily collapse at the first sign of adversity. The European Economic Community was built on foundations of a strong vision and values of a generation that were involved in major wars. Throughout the first 35+ years, the member countries only had to look to the Berlin Wall to be reminded of a divided Europe. October 1989 was a momentous milestone in the development of Europe, starting the healing process and laying the foundation for a larger, more integrated European Union.

The foundations of a good partnership can be measured by trust, commitment, values, philosophy and culture.

Without trust the EU would not have got to the level it has over the last 60 years. Without trust, it would not have increased from 6 to 28 countries. Whilst trust was high within the cogs and wheels of the European decision-making and administration machines, it didn’t necessarily ripple out to the masses.

Commitment is an interesting concept. Each country came to the table with their own agenda which helped them in bargaining their level of commitment. Commitment was tested at each milestone that led to the deepening of the EU. These milestones were marked by various Treaties, signed by the member countries. In 1991, the UK bargained itself out of the Social Chapter of the Maastricht Treaty. All countries who joined since 1990 are required to join the European Exchange Rate Mechanism (ERM) and adopt the Euro as a part of an economic and monetary union (again a condition of the Maastricht Treaty). A significant step in commitment was the introduction of the European Single Market in 1993. This opened the doors to the free movement of goods, capital, services and people which was further strengthened with the removal of physical barriers (incorporating the Schengen Area within the competencies of the EU as part of the 1997 Amsterdam Treaty), abolishing border controls between most member states. As European integration deepens, member countries are required to extend their commitment a step further, some would say, a step further away from their own sovereignty.

When it comes to partnerships, commitment follows a similar path. Partners agree to commit to an agreed agenda. As time progresses they may be asked to commit more according to an agreed direction. Sometimes the expectations are too high and partners begin to pull back. At other times, internal distractions, changes of management or changes of direction impact on commitment to partnerships. The EU has survived and grown despite constant changes of member governments and despite internal distractions (e.g. the unification of Germany). However, the British referendum decision to leave the EU is the first test of a change of direction.

The EU has a Values Statement which states that “the Union is founded on the values of respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities.” It states that “these values are common to the Member States in a society in which pluralism, non-discrimination, tolerance, justice, solidarity and equality between women and men prevail”.

The fundamental principles of British values include: democracy, rule of law, individual liberty, mutual respect and tolerance for those with different faiths and beliefs, and participation in community life.

Although these values appear similar, the EU values statement is stronger on the social aspects than the UK principles. This difference has been demonstrated a number of times, and is now the sticking point with respect to the free movement of people. The UK wishes to restrict the flow of movement of people into the UK. The UK Principles have always been slightly at odds with the EU values.

These values reflect different philosophical approaches. As an island, the UK has a natural barrier to the free movement of people. It also symbolises British sovereignty. The British people have the ability to say enough is enough. Whereas continental Europe has no natural internal borders and the histories of the people are very much different.

When it comes to partnerships, different philosophies and belief systems must be considered. An organisation grounded in social justice will not work effectively with an investment bank. Over the last 30 years, many UK manufacturing companies with long paternalistic foundations have closed down, along the way being bought up and divested or closed by investment bankers interested in the monetary value of the land.

The success of the EU has been incredible considering it brings together so many diverse cultures. Culture is embedded in the tapestry of the European Union, enriched by the many spoken and written languages. Look within the culture of how the EU operates, then it is easy to see why people are confused. The EU Decision-making system is complex and different to how the UK operates. If it’s different, people don’t want to know until it affects them. Thus, it was easy for the Brexiteers to misinform the general public.

An example of the sensitivities of EU culture is what happened at the outbreak of the mad cow disease crisis. I was in Brussels the very day the whole thing erupted. Crisis meetings were held in Brussels and meetings seemed to move from one venue to another every two hours. I remember seeing cavalcades driving from one place to another across Brussels on a few occasions during the day. Absolute madness.

Like countries, every organisation has its own culture. An organisation with a culture of risk aversion is very different from an organisation with a culture of creativity. Even a partnership between sole traders may be impacted by their personalities. Two people who are control freaks will run into problems before too long. Somebody who takes risks will need to compromise if they are to partner with somebody who has difficulties making decisions.

Partnerships built on trust, commitment, similar values and philosophies and compatible cultures have a strong chance of lasting the distance. If any of these foundation stones were to be disturbed, the partnership could become rocky. Of all of these, trust is the most delicate. Break trust and the rest will fall like a pack of cards.

4 Formalise the Agreement

It’s not just an agreement, it’s the basis for your partnership. The first iteration must not just include the expected conditions, but must include a clear communication plan. If the communication isn’t right, then trust breaks down as people become disillusioned when things don’t go to plan and they feel they are being kept in the dark.

In the political arena, the evolving partnership between the European Countries is marked by Treaties. These Treaties include changes to the decision-making process. There is even a Directorate General for Communication. Even a well organised structure such as the European Union has failed to communicate effectively with the general public. Many people in the UK who knew their livelihoods were influenced by the European Union voted to remain in the EU. There are as many people who have no real idea how the EU influences their lives. This I know from my days working in a role that promoted benefits of being in the European Union. If anything, the EU has been a target by the press for scare mongering about the latest interference in the food we eat, or that decisions are made by unelected bureaucrats. If you don’t have an effective communication mechanism, that is written into the agreement, then you are leaving open a weakness in the partnership.

I labour the point about making sure communication is part of the initial agreement based on research I have carried out with partnerships that have been in existence for some time. As they evolved, lessons were learnt. From the wise came the following recommendations:

  • Make sure there is a written and signed agreement from the start
  • Communication arrangements should be explicit in the agreement
  • Articulate what is being brought into the partnership and what is not (people, resources, activities)
  • Each partner must commit – and that commitment must be articulated in the agreement (resources, time, funds).

Don’t walk into a partnership purely on trust. Put everything in writing including how you’re going to communicate, including decision-making structures and the scope of the partnership. You don’t need to be as sophisticated as the European Union. By all means, keep it simple, but listen to the wise and save yourself and the partnership stress later on.

5 Sharing takes time

The road to integration was always going to be a lengthy one with a number of years between each update (Treaty). Apart from the practicalities, it was a wise move to make each change over a period of time. Even Regulations and Directives (agreed policy implementations) involve a period of time for each member country to adopt. It is easy to understand why it takes time for national structures to adopt changes that aim to standardise systems. There is a high level of complexity and change management that needs to be addressed for success.

So why do we rush into setting up a partnership with high expectations? We seem to think everything can be achieved in a very short space of time. We may even be generous and give ourselves 6 to 12 months. Before you know it, timelines start to go awry. Maybe it’s because the foundations aren’t strong enough yet, but it can also be because the partners did not understand the level to which they agreed to partner. There are many levels to a partnership. It can be as little as a networking partnership, or one where organisations cooperate with each other, or one where they integrate some of their services (back of house), or even a full on merger.

A partnership based on sharing resources, systems and processes takes time. It’s not just a paper exercise translated into action. People are involved. It may mean restructuring jobs, sharing some industry knowledge or sharing clients. Partners are expected to share some turf and even give some up. This has been a contentious area within the European Union. The UK has stood its ground on a number of occasions on matters of integration. An example is its withdrawal from the Exchange Rate Mechanism and consequently the decision to retain the Pound instead of adopting the Euro. It’s important to consider from the beginning what is and isn’t involved. Don’t go ahead assuming that a partner will change their mind later on.

If partnerships move too quickly, at least one partner will start to resist. It usually takes anything up to three years for partnerships to embed an agreed shared service unless there is an overarching imperative (e.g. a merger). Sometimes funding or other imperatives mean that potential partners are rushed into creating a partnership. They work to an artificial deadline by which time they are only just beginning to get some traction. The problem isn’t the partners, it’s the unusually high expectations. I have clients who have been working with others on sharing and promoting training programs. It’s been two years and they are still having difficulties in sharing trainers and teaching materials. There have not been enough short term wins to instil enough confidence and overcome issues of mistrust.

6 Money talks – enough to control the conversation?

An entrepreneur recently said to me that he who controls the money controls the partnership. He had been burnt by some shady partners in the past. Reflecting on people I know who had been involved in partnerships that went wrong, money is at the root of a lot of problems (but not all).

A funding body that funds 12 to 18 month projects to facilitate partnership development, isn’t giving them enough time to succeed. I can also list a number of partnerships that have come together with funding, achieved some short term goals but then the partnerships waned when the funding stopped. Funding had been the key driver.

Many businesses go into partnership because they see a partnership as an investment opportunity into their business. If it’s not a mutually beneficial arrangement, it won’t take long for the cracks to show. There are two main scenarios. The partner absorbing the money may continue to treat the funds as part of ‘their’ business, effectively abusing the agreed arrangement. Alternatively, the partner providing the funds may seek to control the partnership. This is where many business partnerships come undone. The money controls the partnership.

In the community partnerships world, the smell of funding can bring partners to the table who, the minute the funds dry up, disappear as quickly as they came. This is a sad reflection on community collaboration that I’ve noticed both in the UK and in Australia.

How does any of this relate to Brexit? The UK’s interest in the EU has always been economic. Becoming a member in 1973 stopped the UK’s economic decline. The City of London has prospered to become one of the largest financial centres in the world. Paris and Frankfurt are jostling to become the supreme financial powerhouse following the Brexit vote, hoping to woo banks and financial investors away from London. The financial sector is already setting its sights on remaining EU members, deserting London as it moves to an uncertain future outside of the European bloc. Sound familiar?

7 Change is inevitable

All partnerships incur change for all partners. Nobody gets out of jail free. It’s the degree and speed of change that partners are prepared to bear that determines the success of the partnership venture.

The EU is an example of incremental change that impacts all members from the minute they become members. In the case of the EU, change rippled out into the community. It didn’t take too many years for Britain to adopt continental bistros, wine and food to the demise of the greasy spoon cafes. Holidays to the continent replaced annual breaks to the seaside. Europe got closer with only 20 minutes in the Eurotunnel for people travelling to Paris or Brussels.

The Coal and Steel Community evolved into the European Economic Community, which, by the time Britain joined, got caught up in butter mountains due to the Common Agricultural Policy. All change, influenced by Margaret Thatcher’s renegotiation of the UK’s financial contribution, saw a rise in structural interventions such as the European Social Fund and the European Regional Development Fund. These became the financial mechanisms for creating and balancing employment across Europe. I remember one region in the UK that set out to prove they had a very high level of social disadvantage so that they could qualify for a high percentage of funding from Europe.

It wasn’t just financial interventions that were used to support change, but also standards. Here lie the myriad myths such as the abolition of prawn cocktail crisps, where the reality was that a new directive was introduced to reconcile standards across member countries regarding artificial sweeteners. A lack of understanding or selfish interests perpetuated such myths, some with the intention of slowing down change. By harmonising standards, the EU aims to set quality across Europe. However, many of these standards have been set at common denominator levels, where some countries’ standards remain higher than the standard, allowing other countries to reach an achievable level.

The EU decision-making process is a sophisticated system that crosses cultural and language boundaries. It employs people and resources with the right skills and abilities to manage change with the support of 28 countries. Institutions are divided between the countries to promote commitment. It employs Directives and Regulations for countries to engage with the change process, recognising through Directives that it takes time to embed policy change at the national level.

A partnership at the EU level, though more sophisticated, is no different from a partnership at the grass roots level. Change is inevitable. Everybody must be prepared to engage with change, even if it means wholesale change within each partner’s business or organisation. Change comes with decisions that impact on systems and processes. There will be resistance and there are likely to be those waiting to take advantage of opportunities to throw a spanner in the works.

8 All good things come to an end

Unless a partnership leads to a merger, partnerships will come to an inevitable conclusion. As the EU heads even closer towards integration, the UK has decided to get off the carousel. This is not surprising for a country that values its sovereignty. The UK can only play the game for so long before it has to compromise its position. It has always stood out at the decision-making table, at times standing alone. It will not be a great surprise if other countries also find themselves at the brink of making a decision to wind back their involvement when faced with the decision of further integration.

This is the story of a partnership that grew too big and wanted to go too deep. Had the EU remained at 12 or 15 members, the deepening of the EU might have happened a lot quicker with an equitable balance of economies. Instead, rapid growth led to greater movement of people towards employment in other countries, creating concern for local employment in those countries.

Partnerships are for a purpose. Once that purpose has been served, or when an alternative comes along, the time arrives to dismantle the partnership. That is unless the partnership extends into a merger. Another instance when a partnership ends is because of unresolvable conflict, especially when trust irrevocably breaks down. Some partnerships can be saved by taking an objective view of what is happening in the partnership life cycle and identifying what can be done to move forward again. Inevitably, four out of five strategic alliances and partnerships fail.

80% is a high failure rate. Contributing to this is that very few people, businesses and organisations really go through a process to establish whether the partnership will likely succeed or fail. For many, gut feelings or existing relationships form the basis for the partnership inception. There may be a business case, but no real understanding of the everyday nuances and mechanics of partnerships. There’s nothing to measure during the partnership that identifies problems and enables solutions based on a solid understanding of partnership dynamics. If 80% of the effort were to be put into getting to understand partnerships, to be more objective about the risks and to ensure that the project has solid foundations BEFORE signing any contracts, the rate of failure within the first five years would reduce considerably.

What Are the Hidden Threats to Driver Safety?

When you’re running a business, you’ve got a whole host of obligations. Those obligations range from profit obligations to shareholders all the way to smaller obligations, like a promise made to a junior member of your team.

Above all else though, your first and primary obligation is always that of the safety of your employees. It comes above all else and is severely punished by the law should you fail to ensure effective care and protection for your staff.

In your own premises, ensuring safety is simple. After all, the risks within a building are often predictable and easy to manage. But what about when your staff step outside of your premises and take to the road using your fleet vehicles? You still have a duty of care, after all.

The answer is fleet risk management, but what are the hidden threats to your business that fleet risk management can protect against? Let’s take a look.

Invalid/banned driving licenses

It might seem like a slim risk, but there are a shocking number of drivers on the road who have had their licence revoked, are driving with an expired licence or have been disqualified from driving for a period. In fact, 1 in 650 drivers who have had their licence checked are driving while disqualified and 1 in 300 have a revoked or expiring licence. Additionally, 1 in 16 drivers have issues with their photocard.

Driving with any of these issues is illegal and, should an accident happen, you will be held personally liable for failing to check their credentials. It’s why fleet driving license checking is utterly vital in a comprehensive risk management solution.

Bad driving habits

We’re all guilty of bad driving habits, picked up over years of driving the roads. Those bad habits are dangerous in our own vehicles, but in a fleet vehicle they risk putting the entire business at risk unless you move to address them.

Whether it’s things like taking a corner too quickly, failing to check wing mirrors, consistently driving above the speed limit, late braking or any other bad driving habit, anything can put you, your staff and the public’s safety at risk. It’s why driver retraining is a legal requirement.

Other drivers

You can be as safe as possible on the road, but you simply can’t always predict what other drivers on the road will do. Either by inattention, inebriation or simply dangerous driving, many accidents which happen won’t be your staff’s fault.

Fleet driver training, however, can teach your staff to pay closer attention to the warning signs and act accordingly. It’s another small way that training proves essential – especially if it saves a life.

What Is a Cyber Security Risk Assessment and Why Do One?

Modern day companies face serious dangers from the cyber domain. The FBI recently reported that cybercrime increased 24% last year. The time has come for businesses to become proactive and conduct a cyber security risk assessment. It focuses on identifying the threats and vulnerabilities that confront an organization’s information assets.

Threats are forces that can harm organizations and destroy mission critical data. Vulnerabilities are the pathways that threats can follow to damage, steal, destroy or deny the use of information assets. Risks are realized when threats converge with vulnerabilities. Devastating losses can occur in a variety of ways.

A cyber risk assessment produces an understanding of the consequences associated with unauthorized disclosure of an organization’s confidential or mission critical information. A business owner or governing authority, with the results of a cyber risk assessment in hand, can decide to accept the risk, develop and deploy countermeasures, or transfer the risk.

The world is immersed in an enormous asymmetric threat environment that is enabled by an incalculable number of vulnerabilities. Cybercrime is a growth industry with low risk and a high payoff. The financial losses due to data breaches now exceed the dollar amount of the illegal global drug trade. Law enforcement, sadly, is unable to prevent cyber criminals from attacking your company. Organizations are largely on their own.

One of the few ways that a company can thwart cyber risks is to realistically assess its exposure and to implement controls that lower the chance of risks from being realized. Cyber security must be regarded as a business process that requires precise managerial controls similar to those found in accounting and finance.

How can an organization accomplish the cyber risk assessment?

Information assets must first be identified. Internal and external threats and vulnerabilities need to be realistically and objectively measured. The consequences of failing to offset risk need to be understood. Existing policies, procedures and controls should be aligned with security best practices. Risk mitigation strategies, based upon organizational priorities, can be adopted.

Organizations would then be able to focus on increasing their information security efforts.
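The steps above (identify assets, measure threats and vulnerabilities, understand consequences, then choose a treatment) are the skeleton of a risk register. The following is an added example, not code from the article, that carries those steps through for a handful of constructed asset/threat/vulnerability entries. The three-level likelihood and impact scales, the risk appetite threshold, and the rule that rare but high-impact risks are candidates for transfer (insurance) are assumptions chosen for illustration; real programmes calibrate these to the organization's priorities.

```python
"""Minimal cyber risk register: score risks and pick accept / mitigate / transfer.

Added example; the scales, thresholds and sample entries below are assumptions,
not taken from FS 501.171 or from any standard.
"""
from dataclasses import dataclass

# Assumed ordinal scales: the score is likelihood x impact, so it ranges 1..9.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    """One register row: an asset, the threat to it, and the path the threat uses."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def treatment(risk: Risk, appetite: int = 2) -> str:
    """Map a scored risk to one of the three decisions named in the article.

    Assumed policy: scores at or below the appetite are accepted; rare but
    high-impact events are transferred (e.g. insured); everything else is
    mitigated with controls.
    """
    if risk.score <= appetite:
        return "accept"
    if LIKELIHOOD[risk.likelihood] == 1 and IMPACT[risk.impact] == 3:
        return "transfer"
    return "mitigate"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register so the highest-scoring risks are addressed first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def build_register() -> list[Risk]:
    """Constructed sample entries; not real findings."""
    return [
        Risk("customer PII database", "external attacker",
             "unpatched web application", "high", "high"),
        Risk("paper HR records", "office fire",
             "no off-site copy", "low", "high"),
        Risk("marketing website", "defacement",
             "weak CMS password", "medium", "low"),
        Risk("payroll system", "malicious insider",
             "shared administrator account", "medium", "high"),
    ]


def report(register: list[Risk]) -> list[str]:
    """Human-readable lines, highest priority first."""
    return [
        f"{r.score}  {treatment(r):8s} {r.asset}: {r.threat} via {r.vulnerability}"
        for r in prioritise(register)
    ]


if __name__ == "__main__":
    for line in report(build_register()):
        print(line)
```

Running the block prints the register ranked by score with the chosen treatment beside each row. The point a practitioner should take from it is structural: every row names an asset, a threat and a vulnerability, so a missing piece (an asset nobody listed, a threat nobody scored) is visible as a gap in the table rather than as an afterthought, and the treatment decision is recorded against the score that justified it.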

Failing to take extra information security steps can result in irreparable harm to the organization, violations of regulations, statutes, fines, lawsuits and damage to the value of the company and customer base.

The directors of publicly owned corporations and privately owned companies must comply with multiple laws, regulations and take all prudent steps to prevent information security breaches. Doing otherwise is irresponsible and stands as evidence of a lack of due diligence.

The findings of a cyber risk assessment can point the way for an organization to develop and follow through upon an information security plan that assures mission critical information.

Avoiding the steps to correct any weaknesses that are discovered may very well be considered a lack of due diligence.