Edward Longe: Floridians fear data insecurity

On July 3, 2024, The Tampa Bay Times broke a story that sent shock waves across the state. The newspaper reported that “HIV test results, detailed doctors’ notes, and immunization and virus testing records were among thousands of state health department files seized by hackers — and released on the dark web.”

Less than one month later, National Public Data, “a company that collects personal data to resell and process background checks,” confirmed that a data breach with 2.9 billion pieces of data, including Social Security numbers and personal addresses, had been leaked and were available on the dark web.

Both breaches confirmed that data is king in 2024.

Governments at every level collect and use personal data for a wide array of purposes, from providing public services to crafting an effective legislative agenda. Similarly, private companies also collect and use personal data, often using it to inform product development decisions or to sell to other companies for profit.

Yet, with governments and private entities collecting so much data, Florida remains one of the most cyber-vulnerable states in America. According to the Federal Bureau of Investigation, Florida ranked third in the country for total cyber incidents, with 41,061 incidents reported in 2023. Only Texas and California had more reported incidents.

With so many data breaches and sensitive information ending up in unknown hands, Floridians are rightly concerned about how both governments and private companies are using their data. Recent polling from The James Madison Institute outlines this trend. That poll found that 78% of Floridians are concerned about what the government is doing with their data, with 79% expressing concern about what private companies are doing with their private information.

Given the recent and high-profile Department of Health and National Public Data incidents, these concerns are not unfounded.

As Florida moves into the 2025 Legislative Session, the question becomes, what can lawmakers in Tallahassee do to better protect personal data and mitigate Floridians’ legitimate concerns?

Firstly, government and private sector agencies should move toward the principle of data minimization and not collect any more data than is necessary for their work. Collecting fewer data points ultimately means that, in the event of a data breach, less data is likely to end up on the dark web or in the hands of criminal networks. Data minimization is not to say they shouldn’t collect data, as it is often vital for both groups to provide services, but collecting too much presents avoidable risk. Additionally, the legislature should not pass legislation requiring agencies or private companies to collect more data.

Secondly, government agencies and the private sector must invest seriously in cybersecurity training and infrastructure. All too often, data breaches occur because low-level employees are not cyber-aware or because they haven’t created a robust cybersecurity infrastructure. In either case, it’s often too easy for criminals to access Floridians’ personal data. While Florida does mandate cybersecurity training for municipal and state employees, it only covers basic standards. Additionally, many municipalities only dedicate a small portion of their annual budget to cybersecurity infrastructure.

Thirdly, it’s easy to assume that with data, the solution is all stick and no carrot. Florida should follow the example of Tennessee and Utah and enact a safe harbor for private sector companies that adhere to certain cybersecurity standards but fall victim to data breaches. Such a measure would incentivize private companies to do more to protect Floridians’ personal data.

The Florida Legislature passed a cyber incident safe harbor bill in 2023. However, Gov. DeSantis vetoed the proposal, arguing it would “result in Floridians’ data being less secure as the bill provides across-the-board protections for only substantially complying with standards. This incentivizes doing the minimum when protecting consumer data.” DeSantis’ veto message supported the principle of a cyber incident safe harbor, encouraging the legislature to pass a bill that provides “liability protection while also ensuring critical data and operations against cyberattacks.”

We hope the Florida Legislature and Governor’s Office will reach a consensus on this important issue in 2025.

With so much data being collected by both the public and private sectors, Floridians are right to worry about how governments and private companies use their data. Floridians should be equally concerned about how both are protecting that sensitive information, an anxiety confirmed by recent JMI polling.

As we move toward the 2025 Legislative Session, lawmakers would be wise to prioritize these concerns and make Florida the most cyber-secure state in the nation.

___

Dr. Edward J. Longe is the director of the Center for Technology and Innovation at The James Madison Institute.