Fla. Admin. Code Ann. R. 2-3.002 - Florida Digital Bill of Rights - Data Security
(1) Definitions - As used in this rule and Section 501.701, F.S.:
"Authorized user" means any affiliate, controller, processor, employee, contractor, agent, consumer, or other person that is authorized to access any personal data.
(2) General Data Security Practices -
(a) A controller shall protect the confidentiality, integrity, and accessibility of personal data it creates, receives, processes, archives, maintains, or transmits from the unauthorized access, use, disclosure, deletion, or modification of personal data.
(b) A controller shall establish, implement, and maintain data security practices that comply with the risk management framework and standards adopted by the National Institute of Standards and Technology (NIST) of the United States Department of Commerce, hereby adopted and incorporated by reference, which can be obtained from http://www.flrules.org/Gateway/reference.asp?No=Ref-16614 or https://doi.org/10.6028/NIST.SP.800-37r2, or their equivalent.
(c) Data security practices shall consider the volume and nature of personal data that is being processed or sold.
(d) A controller shall establish, implement, and maintain the security practices for the most sensitive type of data within a data set with mixed levels of sensitivity. For example, if sensitive personal data is not kept separate from other categories of personal data, the entire data set shall receive the level of protection for sensitive personal data.
(e) A controller shall establish, implement, and maintain data security practices for personal data not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained until the personal data has met its retention schedule.
(f) A controller shall establish, implement, and maintain procedures for the secure disposal of personal data.
(3) Administrative Data Security Practices -
(a) A controller shall establish, implement, and maintain effective organizational controls for personal data.
(b) A controller shall designate a qualified individual responsible for overseeing and implementing the data security practices required under the Florida Digital Bill of Rights, Section 501.701, F.S.
(c) A controller shall document compliance with data security practices, including any breach thereof.
(d) A controller shall regularly test and monitor compliance with data security practices, including key controls, systems, and procedures, to detect actual and attempted attacks on, or intrusions into, systems that contain personal data.
(e) A controller shall limit access to its systems containing personal data to authenticated users and authorized users tasked with performing those duties.
(f) A controller shall manage access permissions, incorporating the principles of least privilege and separation of duties with respect to different types of personal data.
(g) A controller shall ensure that only authorized users have access to personal data, and shall verify the identity of authorized users that will access the controller's systems, manage access rights, and manage all stages in the life cycle of user access.
(h) A controller shall train authorized users in data security practices and identify when the initial purpose for the personal information collection has been met.
(i) A controller shall update training to provide current knowledge of security threats.
(4) Technical Data Security Practices - A controller shall maintain effective technical controls for personal data, including the use of encryption, audit controls that record and examine activity, time synchronization, and safeguards against unauthorized access or modification to personal data.
(5) Physical Data Security Practices - A controller shall limit and protect any storage of personal data on mobile electronic devices and passive storage media. Unencrypted storage of personal data on mobile electronic devices and passive storage media is prohibited.
Notes
Rulemaking Authority 501.72(5), F.S. Law Implemented 501.72(5), F.S.