I recently learned of Florida Statute section 817.5681 thanks to an article in The Florida Bar Journal. It seems like hardly a day goes by that there isn’t a story about a lost or stolen laptop full of confidential data. Of course, the risk isn’t limited to laptops. Hackers, unscrupulous employees, burglars, or others may breach the security of a desktop as well. Plus USB thumbdrives, portable hard drives, and personal digital assistants can also be lost, stolen, or copied and returned.
Losing unencrypted computerized “personal information” about your clients or customers can be very expensive. Florida, 36 other states, and the District of Columbia have enacted data breach laws that impose substantial duties and fines when an unauthorized person acquires unencrypted data. How expensive? How about up to $500,000.00? In addition, you must without unreasonable delay notify every Florida resident whose unencrypted personal information was acquired by an unauthorized person and restore the integrity of your computerized data system. The cost of notifying every one of your customers could be substantial.
The terms “breach” and “breach of the security of the system” mean
unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person.
It does not, however, mean the good faith acquisition of the personal information by an employee or agent so long as the information is not used in an unauthorized manner. So, what is the “personal information” that is protected? “Personal information” means
an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted:
(a) Social security number.
(b) Driver’s license number or Florida Identification Card number.
(c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
It “does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.”
There is hope though. The astute among you have already noticed the repeated use of the words “unencrypted” and “encrypted.” By definition the loss or unauthorized access to encrypted personal information does not violate the statute and is not subject to the substantial penalties or duties.
In one of those moments of serendipity, one of my favorite podcasts, Security Now with Steve Gibson and Leo Laporte, just happened to be discussing and highly recommending a hard drive encryption program called TrueCrypt. Steve Gibson really loved it. It can encrypt your laptop hard drive, portable hard drives, and flash drives. By using this or similar programs, you can protect yourself and your customers from the loss of data and the penalties of section 817.5681.
Of course, you should also use a firewall and periodically scan your computer for spyware and viruses. An estimated 500,00 to 2,000,000 computers worldwide are believed to be infected with spyware and other malware that could be used to steal personal information. A friend’s computer recently slowed to a crawl. I recommended that she download free software to scan for spyware and viruses. After days and days of scanning, she was able to identify and eliminate thousands of malware programs and the computer was good as new. I think she has learned her lesson. Don’t learn your lesson the hard way.
In closing, I can’t resist pointing out that, as usual, government protects itself from the expenses, penalties, and duties that it burdens private business with. The penalties don’t apply to governmental agencies who have custody of personal information. The penalties do, however, apply to private government contractors who lose personal information. The government is, of course, a major offender when it comes to the unauthorized disclosure of personal information. The IRS lost 490 laptops with personal taxpayer information and State of Florida lost a laptop containing Florida driver’s license numbers. Maybe the government ought to invest in a little encryption too.
Copyright Notice: All Rights Reserved Harry Thomas Hackney, P.A. 2008