6 Steps to Recover After a Ransomware Attack

By Kathy Ennis, CPA, Partner and Lena Combs, CPA, Partner

Ransomware is a type of cyberattack that can infect a system whenever a user interacts with a malicious link, website, or file. In a ransomware attack, the attacker encrypts data so that it can only be recovered with the decryption key, which is offered in exchange for a ransom. Ransomware attacks continue to rise at an alarming rate, with cybercriminals targeting businesses across virtually all industries.

If you get infected by ransomware, follow these tips on how to recover from a ransomware attack:

 

  1. Discover what kind of ransomware is attacking you – The best way to do this is to ascertain how much of your data you still have access to. There are two common types of ransomware, screen-locking and encryption-based, and each operates a little differently. Depending on the type of ransomware impacting you, there’s a chance that data recovery is still possible, and there may be a way to decrypt the encrypted files without having to pay the ransom. If you don’t have the internal resources to diagnose the type of ransomware you’ve been infected with, engage a trusted cybersecurity firm for help.

  2. Disconnect from everything – The most important thing you can do is limit the impact of the ransomware by disconnecting the affected device from the network, turning off its Wi-Fi, and preventing the malware from spreading throughout the network.

  3. Take a picture of the ransomware screen – When attacked, a note identifying the ransom will be displayed, including the amount to be paid and where to send the payment. Take a picture so the information is readily available when the appropriate authorities are contacted.

  4. Enact your incident response plan – If you have one, enact your incident response policy immediately, because this is a security breach. Follow the measures defined in your policy to ensure that the proper steps are taken, including notifying stakeholders of the breach.

  5. Attempt restoration from backups – If possible, you may want to restore your systems from any backups you have available. However, be cognizant that the ransomware may have been in your system for some time, so any backups could be compromised as well. Before restoring, make sure to run antivirus software across your systems.

  6. Prevent it from reoccurring – Put measures in place to prevent future attacks. Protect your network with a phishing assessment and phishing awareness training. Understand your threat intelligence with an Open Source Intelligence (OSINT) report and dark web scan, and analyze your data privacy risks with Data Privacy Assurance. Ensure that you have an independent cyber insurance policy and conduct a risk analysis.
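Steps 1 and 5 above turn on one practical question: how much of the data in a backup is still usable, and was the backup taken after the ransomware was already present? The following is an added example, not code from Withum or the article's authors, of a pre-restore check over a backup snapshot. It flags three signs of a compromised backup: files whose bytes look like ciphertext (high Shannon entropy) while their name claims a plain-text format, document files with an unexpected suffix appended, and file names shaped like a ransom note. The snapshot, file names, suffix and note wording are constructed for the example and are not indicators of any real ransomware family; the findings are a review queue for responders, not a verdict.

```python
"""Added example, not code from Withum or the article's authors: a pre-restore
check for a backup snapshot. Everything in SAMPLE_SNAPSHOT is constructed."""
import hashlib
import math
import os
import re
from collections import Counter

# Plain-text formats sit well below this; encrypted bytes approach 8 bits/byte.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE_FOR_ENTROPY = 64          # tiny files give noisy entropy estimates
TEXT_EXTENSIONS = {".txt", ".csv", ".json", ".xml", ".log", ".html"}
# A document extension with an unexpected suffix appended, e.g. "ledger.xlsx.locked".
APPENDED_SUFFIX_RE = re.compile(r"\.(txt|csv|json|xml|docx|xlsx|pdf)\.[a-z0-9]{3,8}$", re.I)
# Ransom-note style names: a "readme/how to" word AND a recovery word, ending in .txt/.html.
# Illustrative pattern only; a plain "readme.txt" does not match.
RANSOM_NOTE_RE = re.compile(
    r"(readme|how[_ -]?to|recover|decrypt|restore).*(recover|decrypt|restore|files).*\.(txt|html?)$",
    re.I,
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(name: str, data: bytes) -> list:
    """Return the heuristic findings for one file (empty list if it looks clean)."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if (ext in TEXT_EXTENSIONS and len(data) >= MIN_SIZE_FOR_ENTROPY
            and shannon_entropy(data) > ENTROPY_THRESHOLD):
        findings.append("high-entropy content under a plain-text extension")
    if APPENDED_SUFFIX_RE.search(name):
        findings.append("unexpected suffix appended to a document extension")
    if RANSOM_NOTE_RE.search(os.path.basename(name)):
        findings.append("file name matches a ransom-note pattern")
    return findings


def scan_snapshot(snapshot: dict) -> dict:
    """Map each suspicious path in a {path: bytes} snapshot to its findings."""
    report = {}
    for path, data in snapshot.items():
        findings = inspect_file(path, data)
        if findings:
            report[path] = findings
    return report


def safe_to_restore(snapshot: dict) -> bool:
    """True only when no file in the snapshot raised a finding."""
    return not scan_snapshot(snapshot)


def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for encrypted content (a SHA-256 chain), sample use only."""
    out, block = b"", b"example-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample snapshot: two clean files, two files encrypted in different
# styles, and one note-like file.
SAMPLE_SNAPSHOT = {
    "finance/invoices_2021.csv": b"invoice_id,date,amount\n" + b"1001,2021-09-01,4500.00\n" * 200,
    "menus/spring.pdf": b"%PDF-1.4\n" + b"stream content " * 100,
    "finance/ledger.xlsx.locked": pseudo_ciphertext(4096),   # renamed and encrypted
    "pos/config.json": pseudo_ciphertext(2048),              # encrypted in place, name kept
    "README_TO_RECOVER_FILES.txt": b"Constructed placeholder for a ransom note.",
}

if __name__ == "__main__":
    for path, findings in scan_snapshot(SAMPLE_SNAPSHOT).items():
        print(path, "->", "; ".join(findings))
    print("safe to restore:", safe_to_restore(SAMPLE_SNAPSHOT))
```

Running the check against a snapshot that predates the earliest suspicious file gives the responders a concrete date to restore from; a snapshot with any finding should be treated as taken after the foothold was established, which is the caveat step 5 raises.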

 

A proactive approach is the best way for businesses to help prevent a ransomware attack. In the event of a cyberattack, it is important for companies to investigate and immediately mitigate any impacts.

Withum is a forward-thinking, technology-driven advisory and accounting firm, committed to helping clients in the hospitality industry be more profitable, efficient, and productive in the modern business landscape. For more information, visit www.withum.com.

How To “Be A Fuel For Good”

While it always feels satisfying in the moment to receive gifts or do things for yourself, most people would agree helping others provides the ultimate gratification. This is why Gas South has built giving back into the core of our company and who we are, recognizing that everything we do should further our mission to “Be A Fuel For Good.” From a corporate level, we’ve seen the incredible impact this has had on our culture, so here is our three-step guide to giving back:

 

Identify a Cause

There are so many people that need help in the world, while we wish we could have an impact on everything and everyone, it simply isn’t possible. That’s why it’s important to identify a cause you are passionate about as a starting point. At Gas South, our “North Star” is helping children in need, which provides a clear focus and directive when seeking organizations to support.

 

Quantify Your Gift

When it comes to monetary contributions, create a benchmark or goal to dictate your impact. Considering how revenue can fluctuate, we recommend dedicating a consistent percentage of your annual profits to your cause. At Gas South, we pledge to share 5% of our annual profits with children in need, so everyone in the organization knows our commitment level to the community. We are incredibly proud to have given more than $7.5 million to our charitable partners since 2005.

 

Time is Money

Donating money is an important component of giving back, but when it comes to truly enriching your team, nothing beats the hands-on experience of helping others. Aligning your employees with the cause you are supporting will further connect them to each other and the community, so when deciding where to donate money, don’t forget to look for organizations that provide opportunities to volunteer and lend a literal helping hand to others. At Gas South, our employees have volunteered nearly 1,600 volunteer hours in the last two years alone.

 

Considering the challenges presented by COVID-19 over the past 18 months, there have never been as many people in need as there are right now. And while giving back is the moral thing to do, it also provides tangible benefits for individuals and the organizations that unite them. That’s why Gas South constantly strives to “Be A Fuel For Good,” and it is our sincere hope others follow our steps to success and get more engaged with the communities we all serve.

 

Employee empowerment vs. enablement — a leadership conundrum

By Vince Lombardo

As a leader, there are important responsibilities that naturally come with the job. These responsibilities may vary depending on your role, but one of the assumed responsibilities every leader has is the development of those around them.

Personal growth and development is not an occasional thing. While each individual must accept responsibility for their own growth and development, they often look to their leader to provide opportunities to help them achieve it. Many leaders fall short, and this is often where the “leading vs. managing” discussion begins. At the core of every opportunity to foster growth lies the decision to empower or enable.

Simply put, enabling is doing something challenging for another individual, while empowering is teaching them to do it for themselves.

One of my best childhood friends lived in a house where his mother did everything for him. His sole responsibility was to be a kid and enjoy life. He was not required to do the dishes, laundry, clean his room or make his bed. The Lombardo household was the complete opposite. If the trash was full and I didn’t notice, there was typically some form of feedback from my mom or dad. I used to be jealous of my friend’s situation, wishing I had it that “easy.”

Then we went to college, and this amazing thing happened: I was able to keep a clean living space and take care of myself — laundry, cooking, cleaning, etc. while my friend was completely lost. He was living in a world where he struggled to function with basic everyday tasks. I was suddenly grateful for the upbringing provided by my parents.

Picture this: you receive a phone call from one of your teammates asking a question about whether a widget works with a certain system. They have access to a reference tool that easily answers the question and a support team they can call, yet they seek help from you. If you want to be like my friend’s mom and create people who are dependent, go ahead and answer the question. If you want to coach independent thinkers, teach them where to get the information and encourage them to seek it out for themselves.

The issue with the leader who enables is the scalability of their bandwidth. If you become the person your entire team depends on, your team can only be as big and productive as your work week can support. When you add middle management that copies this behavior, the same thing happens, just on a different scale.

Empowering people is the key to limitless potential. Empowerment gives people the tools, the power and the opportunity to think and do for themselves. When you empower people, you develop independent thinkers and doers, creating possibilities to achieve at any level they desire.

The leader who empowers is the leader who provides the path for people to discover their own ability.

When considering all of the situations we encounter with our teammates, you might realize how frequently this occurs. In fact, I bet that a sales leader encounters more than two or three dozen opportunities a day to ask questions or point people in the direction to solve a problem rather than simply answering it for them.

If you’re wondering, “How do I recognize the difference between enabling and giving advice or coaching?” the answer is simple. If you are being asked to provide an answer, a solution or a recommendation, stop and ask yourself this question: Am I doing something for them, or am I giving them the tools to do it for themselves?

Within that answer lies the solution.

Next time your phone rings or your inbox dings with a need from someone around you, take the time to consider your answer. Make the choice to give people the power to become independent rather than giving the solution that makes them dependent. It is not only wise, but it is your responsibility as a leader to facilitate their personal development. It will make a huge difference as you build for the future.

Vince Lombardo is President, U.S. Payments and Payroll Solutions, Heartland. Vince has been with Heartland for 16 years, growing the company into one of the largest providers of payments, POS and payroll solutions in the U.S.

Protect yourself from Cyber Intrusions

by Eric Shapiro

Cyber hacks are very much on the rise. What most people don’t understand is that hackers are usually not targeting any business specifically. Usually, they use bots to trawl the internet looking for companies with weak security controls, send out blast phishing emails hoping a naïve employee will click on a link or open a document infected with malware, or create social engineering scams to dupe people into wiring funds to the wrong bank accounts. Because these efforts are widely distributed and many bad actors are doing this, all companies are vulnerable. There are things all companies can do to stay vigilant and protect themselves beyond the usual firewalls, VPNs, etc.:

 

  1. Implement Multi-Factor Authentication (MFA) – This should be required for anyone who can access your systems remotely.
  2. Implement Endpoint Detection – This will help your IT staff continually monitor and respond to cyber threats.
  3. Train, Train, Train – Make sure your entire staff understands the threat and stays vigilant against opening the wrong attachments. Run phishing exercises regularly.
  4. Put controls in place around wire transfers – Make sure anyone who has the ability to initiate wire transfers is trained to verbally confirm the details of every wire.

 

Due to the increase in frequency and severity of cyber-attacks, cyber insurance has become more expensive and more difficult to get. It has also become much more important to have. Carriers now require their insureds to have these controls in place before they will provide coverage. When completing the application for insurance, pay close attention to the questions about controls and answer them honestly. If you do not have all these controls in place, you will probably be required to implement them, so have a plan in place and articulate it. Work with your insurance agent to get the proper coverage based on your exposure. Terms and conditions vary widely in the marketplace, so be very careful to make sure you get the best coverage you can. Remember, especially with cyber, you get what you pay for, so don’t just buy on price.

Eric Shapiro is the Regional President for Socius Insurance.

Ransomware: What Every Restaurant and Lodging Business Must Know

Al Saikali
Chair, Privacy & Data Security Practice
Shook, Hardy & Bacon, LLP

Ransomware attacks have sucked billions of dollars from American companies. Not just in ransoms paid, but also in lost revenue, the costs incurred restoring systems and investigating the incident, and the cost of class action lawsuits that have followed when customer/employee personal information is impacted. This article addresses some of the most common questions about ransomware and provides suggestions on ways to mitigate that risk.

What Is A Ransomware Attack?

Ransomware is a form of malware that encrypts (locks) your data and prevents access unless you unlock the data with a decryption key. There are three stages to a ransomware attack.

In the first stage, the threat actor (“the bad guy”) exploits an existing weakness (vulnerability) in your network. This vulnerability could be an exposed Remote Desktop Protocol (RDP) port, an employee who clicks on a phishing link, or unpatched software on an application, server, or firewall. This stage gives the threat actor a foothold in your organization.

In the second stage of the attack, the threat actor performs reconnaissance in your network to identify and often exfiltrate/steal your data.

In the third stage, the threat actor deploys the ransomware that begins encrypting your files.  Without effective monitoring tools, all you will see is the end result when you turn on your computer, cannot access files because they’re encrypted, and find a ransom note threatening to release the stolen data on the dark web unless you pay a ransom.

The analogy I like to give clients is to imagine if you were to leave your house for the weekend but your front door and a couple of windows are unlocked.  Those unlocked doors/windows are your vulnerabilities. A burglar will test your doors and windows until he finds an unlocked one and uses it to access your house (i.e., exploit your vulnerability). Once inside, he will perform reconnaissance – looking around your house to find where your valuable items are hidden – and he will steal (exfiltrate) some of your items in the process. Imagine if, before the burglar leaves your house, he goes around changing all the locks so you can no longer access your house. When you return home you realize your key doesn’t work anymore. You see a note on your front door that says, “If you want to re-enter your house you must pay me $5,000,000 in Bitcoin; and I stole your valuable/sensitive items, so unless you pay me in the next 72 hours I will sell everything I stole on the Dark Web.”  That is essentially a ransomware attack.

What To Expect When Under Attack?

When you are under attack, you can expect to lose access to critical functions as the encryption spreads like a virus throughout your connected network. Your access will be down for at least a few days and potentially even a few weeks. You will receive questions from employees, customers, business partners, and the media asking what is happening. You should expect to spend tens or hundreds of thousands of dollars, at minimum, responding to the incident. The good news is there are steps you can take to mitigate these risks.

Responding To The Attack

Like a boxer punched in the face by Mike Tyson, you will initially panic and be stunned when you first realize you are under attack. Try to set aside the panic (and the pain) to focus on some key initial steps that will help you recover:

  • Contact your cyber insurance carrier immediately. The carrier will provide you with experts who can help restore your data, contain and eliminate the threat, identify and fix the vulnerability, negotiate with the threat actors (even if you need to buy more time), and advise you on your legal obligations.
  • Do not erase anything and do not provide the only copies of your servers/workstations to third parties. These devices hold important information about the nature of the attack that the forensic firm will need to help you recover.
  • Begin the process of restoring your information from backup.
  • Operationally, you may need to start using an alternative method of communication while the recovery and remediation efforts are underway. You may also need to use a backup method of doing business, whether that is old-fashioned paper and pen or using personal laptops. (By the way, the lesson here is not “you’re better off just doing business the old-fashioned way with paper and pen” – that method may avoid a ransomware attack but it creates much larger data breach and security issues.)
  • Work with your newly engaged cybersecurity experts to contain the threat, close the vulnerability, and identify which files may have been stolen or accessed.
  • Your legal counsel will ensure you are: (a) meeting legal requirements to preserve certain evidence; (b) performing the forensic investigation under privilege; (c) issuing statements to employees, customers, and business partners that don’t create additional liability; (d) notifying the right law enforcement entities; and (e) notifying third parties and customers whose data may be impacted in the manner required by law.

Are You Allowed To Pay A Ransom? 

There are instances where paying a ransom may be necessary. For example, where data your organization needs to survive has been encrypted and you cannot restore your system using your backup files (either because the backup files were also impacted or because they don’t exist). Another example is where sensitive customer data has been stolen and there is a threat to release that data on the dark web.

An initial question is whether the threat actors will actually provide the decryption key or delete the stolen data if they are paid the ransom.  Usually, yes. Their business model does not work unless they do.

So when is it illegal to pay a ransom? The law prohibits transactions that directly or indirectly benefit certain individuals/terrorist organizations on a list maintained by the Department of Treasury’s Office of Foreign Assets Control (OFAC). You cannot pay anyone on that list, and doing so may result in criminal and civil penalties. If you decide to make a ransom payment, the company you hire to facilitate that payment will first perform an “OFAC check” to ensure the payment you are about to make is not being made to an entity on that list.

Who Do I Need To Notify About The Attack?

If the threat actor accessed certain sensitive information (e.g., customer/employee personal information, or proprietary/sensitive information of business partners) there may be a legal obligation to notify those third parties whose information is impacted. There may also be an obligation to notify state attorneys general or other regulatory authorities. In some instances, your contracts with business partners may require that you notify them even if there is no proof that their information has been impacted. Your lawyer should be guiding you on these obligations, the timing of notice, and the content of that notice.

But even if there were no legal obligation to notify, you may want to consider providing an informal update to customers and business partners about what is happening. If you decide to do this, it is incredibly important to work with legal counsel on this messaging, because one wrong word could create a potential negligent misrepresentation or deceptive trade practice claim.

The Risk of Class Action Lawsuits and Regulatory Enforcement Actions

Unfortunately, we live in a litigious society driven by individuals who are incentivized to file lawsuits against victims of a cyberattack. When you notify customers/employees that their information was impacted by the ransomware attack, there is a good chance that a plaintiff’s lawyer will learn about the attack from the news, from your regulatory notification, from a statement on your website, or from an individual who received notice and has questions about it. Increasingly, those lawyers are filing class action lawsuits against companies that are victims of cyberattacks. They use social media to find potential clients “impacted by the XYZ data breach.” These lawsuits are usually looking for a quick settlement where each impacted person perhaps receives very little, but the lawyers receive hundreds of thousands of dollars in attorney’s fees.

There is also a lower risk that the Office of the Florida Attorney General will seek penalties against your business for: (a) failing to adopt reasonable security safeguards to protect sensitive consumer information; (b) taking too long to notify impacted consumers; or (c) making statements about the incident that were not accurate. This is why incident response preparation is as important to minimizing costs as the response itself.

How To Mitigate The Risks

The good news is that there are steps your organization can take to minimize the likelihood of an attack and the impact of such an attack. From a technical perspective, one such measure is implementing multifactor authentication on any application, remote access protocol, email system, or other resource that holds sensitive information.

  • Multifactor authentication requires you to authenticate yourself in more than one way (e.g., something you know, like a password, and something you have, like a phone where you receive a text with a short code).
  • Ensure you are backing up your information securely, from an offline source that is not connected to your network.
  • Purchase cyber insurance. A cyber policy typically covers most costs you will incur when responding to a ransomware attack, including legal counsel, forensic experts, data restoration services, certain operational losses, and sometimes cyber-extortion costs (threat-actor negotiation services and payment of a ransom). It also typically covers the costs associated with class action lawsuits and regulatory enforcement actions.
  • Prepare an incident response plan, which is your roadmap for what to do if you ever fall victim to a cyberattack. The document describes who would need to be involved (internally and externally) and what steps to consider on operational, security, legal, and financial issues.
  • It is not enough just to have a plan; you need to test it. The individuals who would be involved in responding to a cyberattack should meet at least annually to walk through a simulated attack. You can hire a third-party cybersecurity firm or a good lawyer to moderate this exercise.
  • Perform cybersecurity training for all levels of employees/directors/owners of your company at least once each year.
  • Deploy endpoint-monitoring tools that are constantly searching for unusual behavior and malware on your network.
  • Minimize the amount of sensitive data you collect. If you do not need it, don’t collect/keep it. If you really need it, encrypt it.
  • Engage a third-party cybersecurity firm to assess your environment. Let them identify your vulnerabilities (unlocked doors/windows) and prioritize which ones you should fix in which order. Florida has some outstanding cybersecurity firms that can help you do this.

Conclusion

There are other security measures you can and should implement. Working with a third-party cybersecurity expert and legal counsel experienced in cybersecurity will help you identify which of those measures are right for your organization, and how to prioritize implementing them.

Al Saikali chairs the Privacy and Cybersecurity Practice at the law firm of Shook, Hardy & Bacon, LLP. He and his team regularly represent companies in preparing for and responding to cybersecurity attacks. If you have questions, you may contact Al at [email protected]

HR Tips: 3 Ways to Effectively Manage HR Responsibilities

The workplace is full of complexity, and many of those complexities are managed by the Human Resources Department. Sometimes the HR Department is a team of people with deep expertise, but often it’s one person who wears many hats in the organization and has no formal HR training. If your HR Department looks more like the latter, and you could use a little help keeping it all together, read on for our human resource tips for managing your payroll, hiring, employees and more.

3 Effective Human Resources Management Strategies

Inventory who is doing what within human resources

Because human resources covers so many different tasks, those tasks are often assigned to different people in the organization. It’s common for owners, managers, and operations personnel to have a hand in HR, whether or not the organization has a dedicated HR person. But with HR responsibilities spread out, it may not be clear who’s doing what, and that uncertainty can add to the stress felt by whoever oversees the organization’s HR. Important HR functions risk being neglected and problems may go unnoticed or unresolved.

In order to effectively manage your HR, you need to identify what’s currently being done and who’s doing it. For example, who ensures that your policies and practices meet legal requirements? Who makes internal decisions about pay, benefits, and recruitment? Where do employees go to resolve conflicts or report harassment? Who conducts terminations? Who writes policies? Where do the people doing HR go if they have questions or concerns?

It’s not a problem if your HR responsibilities are spread out among multiple people. In fact, we recommend it (more on that below). But with multiple people involved, it’s essential to verify that everything that needs to be done is being done. Once you have a clear picture of your HR functions, you’re in a better position to assess whether those functions are being done well.

Require your managers to handle more HR issues

There’s no way that HR can be involved in every employee relations issue, especially on those days when you’re putting out fires. When HR practitioners spend most of their time responding to problems, they’re not able to invest their time and energy in proactive HR solutions. When business owners get bogged down addressing employee issues, they’re not able to devote as much time to growing the business. Both in-house HR professionals and business owners can and should delegate some HR responsibilities to management.

Managers should feel comfortable giving feedback, offering praise, providing direction, disciplining poor performers, addressing certain behavioral problems, and resolving conflicts. Not every employee issue needs to be escalated up the chain of command or be placed on the desk of the HR department. If managers – who are usually closer to the situation and better equipped to respond to it quickly and effectively – can handle the smaller, more frequent employee issues that arise, then owners and dedicated HR staff will have more time to tackle larger projects and more bandwidth to respond appropriately to emergencies. If managers don’t have the knowledge and skills to take on certain HR responsibilities, consider additional training.

Talk to other human resource professionals

Sometimes it feels good to talk to people who can relate to what you’re going through. It can be lonely being a small business owner or solo HR practitioner. There may not be someone else in the workplace who fully understands what you’re experiencing, and even if there are people who would understand, you may not be able to open up to them because so many matters are confidential or sensitive. It can also feel like your situation is so unique that no one could possibly understand.

If you know other organizational leaders in HR or have access to online networks of fellow HR professionals, you’ll likely find value in striking up a conversation. One of the best things about the world of HR is that the people who practice it are eager to listen and happy to share what worked or didn’t work for them. If nothing else, you’ll see that you’re not alone and that your HR issues aren’t really that unique. That alone can bring peace of mind and give you the confidence to tackle each new day’s HR responsibilities.

Heartland’s Payroll+ is a cloud-based payroll software that allows you to effectively manage all of your small business human resources needs. From employee management and speeding up payroll to tracking hours and efficient hiring, Payroll+ goes beyond the basics to make human resources management a breeze.

Explore our payroll and HR management software.

Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us

Multi-factor authentication: An extra layer of security for an extra layer of protection

As a Heartland Merchant, you trust us to keep your data secure. It’s why we stay on the forefront of security innovation—to deliver for you every day.

We’re strengthening your security with the addition of multi-factor authentication (MFA). It’s an extra layer of protection for your account login credentials and business data, and it’s easy to set up.

What is Multi-Factor Authentication?

Multi-factor authentication is an extra layer of protection against cyberthreats like phishing attacks and account takeovers. It verifies your identity with two different “factors” of authentication when you log in.

These factors could be:

  • Something you know: a password, PIN, or answer to a security question
  • Something you have: a smartphone, one-time pass token, or smart card
  • Something you are: biometrics, like your fingerprint

Why do you need multi-factor authentication? It’s extra account security for an extra layer of protection.

Your questions, answered

How will multi-factor authentication work on my account?

Once you set up MFA, you’ll need to enter the unique verification code you receive:

  • When you sign in. (You can select “Remember Me” to prompt MFA every 45 days instead of at every login.)
  • When you sign in from a new device or new web browser
  • When you need to view or download sensitive data (like full card numbers)

If I have an elevated account, do I have to set up MFA?

Yes. You’ll need to set up multi-factor authentication for each of your accounts, including elevated ones.

Can I change my primary authentication method?

You can! You can make the switch in the Reporting app within the “Account Security” section.

What are the authentication method options?

Your authentication method options could be:

  • Your verified email, which was used during the Merchant Portal registration process
  • A text message (SMS) to your mobile phone
  • A phone call to a number associated with your account
  • An authenticator app installed on your device (such as Google Authenticator, Authy, Duo Mobile, or Microsoft Authenticator)

What if I didn’t receive the verification code?

If you haven’t received your verification code, try these methods of troubleshooting:

  1. Have a code sent to you again—a sent code expires after five minutes.
  2. If this is your first time authenticating with your chosen method, a third-party security app on your mobile phone might be blocking the text message or phone call. Try disabling the security app temporarily while you go through the authentication process again.
  3. If that doesn’t work, try selecting a new primary authentication method.
  4. If you still don’t receive the code using another method, contact your local customer care representative.

What if I no longer have access to my verified email?

No problem. Contact your local customer care representative to add a new email address to your account.

What if I no longer have access to the phone number on my account?

We’re happy to help. Contact your local customer care representative to add a new phone number to your account.

What happens if I can’t sign in to my account?

Our team is on hand to assist. Contact your local support representative to reset your password.

Are you interested in knowing how Heartland keeps your data secure? Get in touch with us today.


Heartland is the point of sale, payments and payroll solution of choice for nearly 1,000,000 businesses on a mission to sell more, keep customers coming back and have more time to focus on building a remarkable business. Learn more at heartland.us.


Will The FPPA Be Florida’s First Comprehensive Privacy Law?


This blog post will summarize Senate Bill 1864, released on Friday, which is the first “comprehensive” privacy bill to be released in advance of the 2022 Florida legislative session. This is a long post, so I begin with a “too long, didn’t read” section that I’ve found helpful in articles I’ve read. I then describe the FPPA in detail, but by pulling various pieces of the 34-page law together by subject matter. I close with some personal opinions about this bill and what we can expect in the upcoming legislative session.


TL;DR

The Florida Senate has released the first privacy bill of the 2022 legislative session. The Florida Privacy Protection Act (FPPA), drafted by Sen. Jennifer Bradley, is a combination of the CCPA and VCDPA, but does not contain a private right of action. It is similar to the bill Sen. Bradley authored last year but with a few tweaks and one significant change – it would create a dedicated Consumer Data Privacy Unit in the Florida Attorney General’s Office.

I expect to see several more privacy bills released soon, including Rep. Fiona McFarland’s bill, which I anticipate will have some form of a private right of action and perhaps more aggressive and broader requirements.  I also think we will see a few other privacy/cybersecurity bills this legislative session including one that updates the Florida Information Protection Act (Florida’s data breach notification law) in ways that most will not expect.

We can anticipate that, like last year, the big fight will be over whether the law includes a private right of action. If, like last year, the House insists on including an incredibly broad private right of action, I believe it is unlikely to become law, because the political composition in the Florida legislature has not changed significantly since last year.  That said, whether a bill ultimately becomes law depends less on the desire of the legislators as a whole, and more on the “horse trading” that ultimately takes place in the final hours of the legislative session.

The FPPA’s Scope and Key Definitions

The Florida Senate was first out of the gate in the 2022 Florida privacy race, releasing SB 1864, a bill authored by Senator Jennifer Bradley (the leader on all things data privacy in the Florida Senate).  The proposed law (the Florida Privacy Protection Act) is similar to the privacy bill the Senate passed at the end of the last legislative session – which contained many consumer rights but no private right of action. The FPPA draws from the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the Virginia Consumer Data Protection Act (VCDPA). (Author’s Note – I think it was smart of the Senate to release this bill quickly and, whether intentional or not, it helps the Senate appear proactive on privacy and set the narrative.)

To whom does the FPPA apply? Like the GDPR (and the VCDPA), the FPPA applies to “controllers” and “processors.” A controller is a for-profit entity that does business in Florida and determines the purposes/means of processing. Also, similar to the VCDPA, a controller must either: (a) control the processing of personal information of 100,000 or more Florida residents (“consumers”); or (b) control or process the personal information of at least 25,000 consumers and derive 50% or more of its revenue from selling personal information.

A “processor” processes personal information on behalf of, and at the direction of, a controller. Whether an entity is a controller or processor is a fact-based determination that depends upon the context in which the personal information is processed.

What is personal information? Personal information is defined broadly as “information that identifies or is linked or reasonably linkable to an identified or identifiable consumer.” It does not include consumer information available in governmental records, information that is publicly available, or information that is de-identified or aggregate consumer information. Additionally, the FPPA’s consumer rights do not apply to pseudonymous information as long as all information necessary to identify the consumer is kept separate and is subject to effective technical and organizational controls that prevent the accessing/combining of such information.

What is a “sale” of personal information? A core part of the FPPA governs the sale of personal information, but the term “sale” is not limited to a monetary exchange. A sale occurs where a controller makes a consumer’s personal information available to a third party in exchange for monetary “or other valuable consideration, including nonmonetary transactions and agreements for other valuable consideration between a controller and a third party for the benefit of a controller.”

A sale does NOT include:

(a) disclosing personal information to a processor;

(b) disclosing personal information to a third party to provide a product/service requested by the consumer;

(c) disclosing personal information to an affiliate;

(d) disclosing personal information for nontargeted advertising;

(e) transferring personal information as an asset that is part of a merger, acquisition, bankruptcy, or other transaction where a third party assumes control of the controller’s assets; or,

(f) disclosing personal information to law enforcement or emergency services for the purpose of providing assistance to the consumer.

What Are A Controller’s Obligations Under The FPPA?

Notice of collection/processing. A controller must inform consumers of the purposes for which personal information is collected or used and whether that information is sold. It must do this at or before the point of collection. These notice requirements do not apply if the controller does not control the collection of personal information. In an instance where the controller collects personal information about (but not directly from) consumers, the controller may provide the required information on its Internet home page or in its online privacy policy.

Notice of sale.  A controller that sells personal information must provide notice that the information may be sold and that consumers have the right to opt out. Additionally, the controller must provide a link on its home page titled “Do Not Sell My Personal Information” that enables a consumer to opt out of the sale of the consumer’s personal information. The controller may not require a consumer to create an account in order to direct the controller not to sell the consumer’s information.

Website privacy policy. Where a controller collects personal information through its website or an online service, the controller must provide a notice that includes:

(a) the categories of personal information the controller collects through the site or online service and the categories of third parties to whom the controller may disclose such personal information;

(b) a description of the process for a consumer who uses or visits the site or online service to review and request changes to any of his/her personal information collected from the consumer through the site or online service;

(c) the process by which the controller notifies consumers of material changes to the privacy policy;

(d) whether a third party may collect personal information about a consumer’s online activities over time and across different sites or online services when the consumer uses the controller’s site or online service; and,

(e) the effective date of the notice.

Minimum necessary. A controller’s collection, use, and retention of personal information must be reasonably necessary to achieve the purposes for which the personal information was collected or processed. This remains the case for any onward transfer of personal information. If a controller wants to do otherwise, it must obtain the consumer’s consent.

Reasonable security or practices. A controller must implement reasonable security procedures and practices, appropriate to the nature of the personal information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Agreement with processor. If a controller discloses personal information to a processor, it must enter into an agreement that requires the processor to comply with the controller’s obligations under the FPPA and prohibits downstream recipients from selling the personal information or disclosing, retaining, or using it. (Author’s Note – this appears to be an error in the bill; the downstream recipients must retain and use the information, so I assume what the bill means is that the downstream recipients cannot retain or use the personal information outside the scope of why it is being shared with them.) If a processor shares the information with a third party for a “business purpose,” the processor must notify the controller and restrict the downstream recipients from selling the personal information or retaining, using, or disclosing it (again, I’m assuming retention/use is permitted, but only to the extent necessary to complete the transaction).

Consent for processing sensitive data. A controller must obtain the consumer’s consent before processing sensitive data concerning that consumer.  Sensitive data means information like racial or ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration status, biometric information, personal information collected from a known child, and precise geolocation data. Additionally, if a controller wants to process sensitive data obtained from a known child (i.e., younger than 13), the processing must be limited to delivery of a product or service requested by the child’s parent and must be in accordance with the Children’s Online Privacy Protection Act (COPPA).

Establish a request process. A controller must establish a designated address through which a consumer may submit a request to exercise his or her FPPA rights. If the request is pursuant to the “right to know” (below) then the controller must disclose any personal information about the consumer it has collected, directly or indirectly, since January 1, 2023, including information it obtained through a processor. (Author’s Note – so this means a comprehensive data inventory may not be necessary, but a process for identifying and recording the collection of this data will be crucial.) The controller has 45 days to respond to a right to know/delete/repair request. This time period can be extended by 45 days if the controller determines that such an extension is reasonably necessary, but the controller must notify the consumer of the necessity of the extension. If a processor receives a right to know/delete/repair request, it must notify the controller of the request within 10 days. The processor must help the controller respond to the request by, at minimum, providing the consumer’s personal information in the processor’s possession. Where directed by the controller, a processor must correct inaccurate personal information or delete personal information, or enable the controller to do the same.

Employee training.  A controller must ensure that all individuals who handle consumer inquiries about the controller’s privacy practices or the controller’s compliance with the opt-in and opt-out requirements are informed of the requirements and how to direct consumers to exercise their rights.

What Are A Consumer’s Rights Under The FPPA?

Opt out of sale.  A consumer can opt out of the sale of his/her personal information at any time. Once a controller receives an opt-out request, or if a controller does not obtain consent to sell “a minor’s” personal information, the controller is not allowed to sell that information without a subsequent express authorization from the consumer. (Author’s Note – the bill is confusing in its use of “minor” and “child”, which each have different meanings under Florida law). The controller has only 10 days to comply with the consumer’s request to opt out.  (Author’s Note – for larger companies that collect personal information in many different ways, this timeline will be challenging.)

Opt out of advertising.  A consumer can opt out of the processing of his/her personal information for targeted advertising or profiling at any time. To that end, a controller must provide a link on its home page titled “Do not Advertise To Me” that enables a consumer to opt out of targeted advertising or profiling. Even if the consumer opts out, however, a controller may still: (a) offer a different price, rate, level, quality, or selection of goods/services to the consumer; and (b) offer a loyalty, reward, premium feature, discount, or club card program. Additionally, a controller may charge a different price, rate, level, quality, or selection of goods/services to a consumer who has opted out of advertising as long as the charge is not unjust, unreasonable, coercive, or usurious.

Verifying the opt-out request. A controller is only required to comply with opt-out requests it is reasonably able to authenticate. However, the controller cannot require the consumer to declare his/her privacy preferences every time he/she visits the controller’s website or uses the controller’s online services.

Limited use of opt-out request. A controller cannot use any personal information collected in connection with the submission of an opt-out request for any reason other than for complying with the opt-out request.

Right to be left alone for one year. The controller must wait one year before asking any consumer who opted out of the sale of his/her data to re-authorize the sale of that consumer’s personal information.

Sale of a minor’s information (“right to opt in”). A controller may not sell personal information collected from consumers that are known to be 16 or younger, unless: (a) for children who are 13 to 16 years-old, the child has authorized the sale; or (b) for children who are younger than 13, the parent/guardian has authorized the sale. If parental consent is obtained in compliance with COPPA, then such consent meets the parental consent requirements of the FPPA.

Right to know. Where requested by the consumer, a controller must provide: (a) the categories of sources from which the consumer’s personal information was collected; (b) the specific items of personal information it has collected about the consumer; and (c) the categories of any third parties to whom the personal information was sold.

Right to delete. Consumers have the right to request that personal information that has been collected from the consumer be deleted. A controller can deny this request for any of the following seven reasons:

(a) to complete the transaction for which the personal information was collected, fulfill the terms of a warranty or recall, provide a good/services requested by the consumer, or perform a contract between the business and the consumer;

(b) to help ensure security and integrity;

(c) to identify and repair errors that impair existing intended functionality;

(d) to exercise free speech or another legal right;

(e) to engage in public or peer-reviewed scientific, historical, or statistical research; or,

(f) to comply with a legal obligation.

Right to correction. Consumers have the right to submit a verified request for correction of their personal information held by a controller if that information is inaccurate, “taking into account the nature of the personal information and the purpose for processing the consumer’s personal information.” (Author’s Notes – (1) I’m not sure what the quoted language means or how it would be implemented; and (2) this unrestricted right would conceivably give the consumer the ability to “correct” their information with something that is knowingly false in order to “game the system” in some way (e.g., take advantage of discounts, rewards, etc.).)

What Are The Controller’s Rights Under The FPPA?

Right to refuse requests. If a consumer’s request is manifestly unfounded or excessive (e.g., repetitive), a controller may either charge a reasonable fee or refuse to act on it (in which case the controller must notify the consumer of the reason for refusing the request).

Safe harbor for other controller/processor violations. A controller is not liable for a processor’s violation of the FPPA if at the time the controller disclosed the personal information to the processor the controller did not have actual knowledge or a reason to believe the processor intended to commit such a violation. Similarly, a processor is not liable for the obligations of a controller. Likewise, a controller or processor that discloses personal information to a third-party controller or processor is not in violation of the FPPA for the third party’s violations if the controller/processor did not have knowledge at the time of disclosing the information that the recipient intended to commit a violation. Conversely, a third-party controller or processor receiving personal information from a controller or processor in compliance with the FPPA is not in violation of the FPPA for the controller’s/processor’s noncompliance.

When Does The FPPA Not Apply?

The FPPA includes a significant number of exceptions and exclusions.  For example, the FPPA would not apply where it would restrict a controller’s or processor’s ability to do any of the following 15 activities:

(a) comply with legal obligations;

(b) comply with an investigation, subpoena, or summons;

(c) cooperate with law enforcement;

(d) exercise, prepare for, or defend legal claims;

(e) conduct internal research to develop, improve, or repair products, services, or technology;

(f) effectuate a product recall or provide a warranty for products or services;

(g) identify or repair technical errors that impair existing or intended functionality;

(h) perform internal operations that are aligned with the consumer’s expectations or compatible with processing data in furtherance of the provision of a product or service requested by the consumer;

(i) provide a product/service (or perform a contract) specifically requested by a consumer; perform a contract to which the consumer or parent is a party;

(j) take steps to protect an interest that is essential for life or physical safety of the consumer or another person;

(k) prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, and prosecute those responsible;

(l) preserve the integrity or security of information technology systems;

(m) investigate, report, or prosecute those responsible for any illegal, malicious, harmful, deceptive, or otherwise harmful activities;

(n) engage in certain public or peer-reviewed scientific or statistical research in the public interest; and,

(o) assist another controller, processor, or third party with any of the above obligations.

In addition to the above restrictions, the FPPA also would not apply to any of the following 17 circumstances:

(a) personal information collected in the employment context. This means personal information about employees, owners, directors, officers, beneficiaries, job applicants, interns, or volunteers, as long as the controller is collecting/disclosing such information to the extent reasonable and necessary. (Author’s Note – this exclusion will likely require a correction by Sen. Bradley’s office because, as written, it implies that the FPPA would not apply to any controller that engages in this activity, which would be almost every company doing business in Florida).

(b) personal information in business-related communications/transactions;

(c) personal information in job applications and employment benefit documents;

(d) personal information in a contract with an independent contractor;

(e) protected health information (as that term is defined by HIPAA) that contains personal information;

(f) a covered entity or business associate under HIPAA;

(g) information collected for purposes of research;

(h) information created for purposes of the Health Care Quality Improvement Act;

(i) de-identified information under HIPAA or the Federal Policy for the Protection of Human Subjects (FPPHS);

(j) information collected as part of a clinical trial subject to the FPPHS;

(k) information collected, processed, sold, or disclosed pursuant to the Fair Credit Reporting Act;

(l) information and financial institutions regulated by the Gramm-Leach-Bliley Act;

(m) information collected, processed, sold, or disclosed pursuant to the Farm Credit Act;

(n) information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act;

(o) education information under the Family Education Rights and Privacy Act;

(p) information and entities governed by the Airline Deregulation Act (where preemption applies); and,

(q) vehicle information or ownership information shared between a new motor vehicle dealer, a distributor, or the vehicle’s manufacturer if the vehicle or ownership information is shared for the purpose of effectuating a vehicle repair covered by a warranty or recall, provided that the entity that receives the information does not sell, share, or use it for any other purpose.

How Will The FPPA Be Enforced?

First, the FPPA establishes no private cause of action, and it will be enforced exclusively by the Florida Attorney General. In fact, it explicitly states that evidence of any noncompliance with the FPPA can only be used as the basis to prove a cause of action brought by the Florida Attorney General.

The bill defines two activities as unfair and deceptive trade practices: (a) failing to delete/correct a consumer’s personal information after receiving a verifiable request to which no exception applies; and (b) continuing to sell a consumer’s personal information after the consumer chooses to opt out, or selling the personal information of a consumer age 16 or younger without obtaining their consent. The Attorney General may give the controller/processor 45 days to cure such violations, but the right to cure is discretionary and whether it is provided depends on the number of violations, the likelihood of public injury, and the safety of persons/property.

On an annual basis, the Attorney General must submit a report to the Senate President and Speaker of the House of Representatives describing any actions taken to enforce the FPPA.

If the Attorney General brings an action, the court may grant actual damages to a consumer and/or injunctive/declaratory relief.

One More Thing . . .

The FPPA would create within the Florida Attorney General’s Office a Consumer Data Privacy Unit that must be headed by a director who is fully accountable to the Attorney General. That Unit will be responsible for enforcing the FPPA and, more generally, protecting the personal information of Florida residents.

When Will The FPPA Go Into Effect?

December 31, 2022.

What To Expect Next?

The FPPA is likely the first of at least two or three data privacy bills we can expect to be introduced in the Florida legislature during the 2022 session. Representative McFarland, the leader in data privacy and all things technology in the House of Representatives, is working on a comprehensive bill that will be introduced soon. She has been meeting with many different constituencies as she shapes version 2.0. I anticipate that bill will include broader requirements but (at least initially) keep a private right of action.

I also anticipate we will see a bill that updates Florida’s data breach notification law (the Florida Information Protection Act) by adding more specificity to the definition of “reasonable security.” We may even see a private right of action added to it.

What is the chance that any of these bills will become law? If you forced me to choose a side, I think a privacy bill will be passed during this legislative session, but I do not think it will include a private right of action. A comprehensive privacy bill almost passed last year and this year is an important election year in Florida for the Governor and members of both chambers, so passing a pro-populist privacy law will be important for political leaders who want to claim the mantle of “fighting back against big tech” even if the legislation goes far beyond that objective.

That said, there are many businesses who have not needed to comply with the CCPA or prepare for Virginia’s or Colorado’s privacy laws. For those companies, the FPPA will present a significant financial burden even without a private right of action. The truth is that whether we see a privacy law passed by the legislature will likely come down to how these bills are prioritized by leadership in both chambers during the “horse trading” process at the end of the legislative session. So strap yourself in for another three-month roller coaster!


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

3 employee management myths that cost small businesses big

Small business owners are bold people. They see the opportunity to build something new and jump in with gusto.

So, it’s understandable that they don’t live for managing humdrum back-office tasks like time tracking, tax filing or payroll management.

But when it comes to these complicated, important tasks, what you don’t know could hurt you. Let’s discuss three management myths that might be costing your small business big.


Myth 1: Using payroll software is too expensive

Maybe you’ve heard that small businesses can get by just fine without technology. Roll up your sleeves and sharpen a fresh pencil to achieve the same result, right?

Unfortunately, untrue. Manual processes don’t scale as your business grows, and almost always end up costing more money than small business payroll software over time.

Consider the paperwork. When schedules, pay stubs (showing employees their take-home pay after federal taxes, health insurance deductions, etc.) and time-off balances are only available on paper, owners and managers become gatekeepers.

It’s an unwelcome distraction for management and a source of frustration for employees. Don’t forget, costs don’t just have to be monetary. This myth could be costing you time, employee morale or other resources you value.

One way to make it better for everyone is choosing a payroll provider that offers employee self-service — meaning your people have access to, and responsibility for, their own requests and information.

Everyone runs their lives from their phones…a fact we’re sure is irritating after the fifth reminder to your staff to stop watching TikToks or carrying on lengthy text conversations during shifts.

So why not empower your employees by giving them access to their own data? They can review their PTO, benefits administration, direct deposit paystubs and more via a user-friendly online portal. It will save you time and they’ll appreciate the freedom.

A study by the American Payroll Association brings some hard facts into the decision to outsource payroll processing. They found that companies using a technology solution for payroll and timekeeping experienced a payroll error rate of 2% or less. In contrast, an error rate of up to 8% has been found in organizations manually tracking hours.

If you’re still doing payroll without support, you could be leaving your business open to errors. Even the most detail-oriented person can make a mistake when transferring information from one document to another, accidentally causing a miscalculation in payroll or tax withholdings.

Consider a payroll provider that gives you the freedom to run payroll on your own terms. When you do need outside input, it should be easy to call or email your dedicated payroll specialist for on-the-spot customer support.

Data matters, too. When you have 24/7 access to customizable payroll reports, you can feel confident about where you are now and what business decisions you want to make next.


Myth 2: Compliance rules are optional for small businesses

There are a lot of hoops for small businesses to jump through for basic legal and financial compliance. Keeping track of them all and doing the mundane tasks with precision is a drag and not something any business owner looks forward to.

Some hate it so much they make the risky decision to just ignore their obligations. They think they are too small to be concerned about following employment laws. In reality, small businesses are just as obligated as larger organizations to abide by employment and labor laws; there’s no rule stating small businesses are entitled to leniency if they violate the law.

According to the U.S. Department of Labor, “willful violations may be prosecuted criminally and the violator fined up to $10,000. A second conviction may result in imprisonment. Employers who willfully or repeatedly violate the minimum wage or overtime pay requirements are subject to a civil money penalty of up to $1,000 for each violation.”

And those are just the penalties associated with wage-and-hour law noncompliance. They don’t include penalties or damages for discrimination, retaliation and more.

All it takes is one disgruntled employee or observant customer to get you in trouble. Is it really worth the risk?

It’s worth considering a full-service payroll solution. The right one will make compliance a breeze by giving you digital documentation whenever you need it.

That way, you’re protected if anyone were to question your hiring, scheduling, payroll or firing choices.

Myth 3: Investing in human resources isn’t for SMBs

If you were listing the most costly parts of running your organization, labor is probably very high on the list. But guess what? You can turn that expense into your greatest asset if you pay attention to what matters to your staff (like managing their onboarding with care).

Onboarding is about making sure new employees are set up for success. Employees do best when they have clear expectations for their role and know what their priorities should be. This can even be small things, like making sure they know how much sick leave they get or when payday is.

And it’s more important than you might think. Without a thorough onboarding experience, 17% of new hires will leave within 90 days and 20% will leave within 45 days. Turnover like that can consistently put you back at square one, having to dive back into a time-consuming cycle of recruiting, screening and hiring again after just a few pay periods.

If you don’t feel like your onboarding process is complete enough to set your new hires up for success, but don’t have the time to design it, you should consider a digital solution.

Payroll and HR software with the appropriate add-ons makes it easier to do onboarding right. Beyond creating prepared, well-adjusted new hires, you’ll also be able to manage the standards required for compliance with labor and recordkeeping laws.

For instance, an employee handbook may seem like something only larger businesses need to ensure thousands of employees are following procedure. But even if you have a small number of employees, it’s important to document your expectations for them.

No one likes having tough conversations about employee behavior. Having an employee handbook and policy manual goes a long way toward making those conversations easier. A well-written handbook can also act as legal protection for your business should issues arise, according to the National Federation of Independent Business (NFIB).

But a handbook is only the first step. It’s important employees know it exists, read it and agree to follow it. While it’s possible without technology, it’s a lot easier with a digital solution.

Think about technology that makes reading and acknowledging the handbook part of the onboarding experience. That way, everyone is on the same page from the beginning. You have proof employees read the handbook, and they can access it when they’ve got questions.


Heartland Payroll+ was designed specifically for small business, so affordable pricing and user-friendly technology are a given. You buy what you want, when you’re ready for it, with the option to change your mind at any time.

The tech you buy is important. The provider you buy it from matters just as much. When it comes to guidance on compliance, company policies, hiring, terminations and more, we’re here for you.

Don’t allow your team, your business or yourself to fall prey to common myths for another minute. Learn more today: https://www.heartland.us/products/payroll-plus

90-Second Update: Uncle Sam, Where’s My ERTC?

In our latest “90 Second Update,” we give an update on the status of the Employee Retention Tax Credit (ERTC). As many of you know well, the ERTC, redesigned with input from the National Restaurant Association, has the potential to be a critical recovery tool for tens of thousands of restaurants. But as we move closer to the end of the year, too many restaurants have yet to see their refund checks from the IRS.


Earlier this month, we wrote the Treasury Department and the IRS with a series of asks to get the ERTC process moving and to protect vulnerable restaurants who will soon be due for January tax payments.


We are meeting with Treasury officials soon and would like to walk in with a petition that demonstrates how important this issue is to our industry. If you have 30 seconds, please review the petition and add your name. If you have more time, we would welcome your story on why the ERTC matters to your restaurant. Simply respond to this email; we’ll remove identifying information and share your perspectives with top government leaders.


Replenishing the Restaurant Revitalization Fund remains another top priority – our update gives the latest. If you haven’t contacted your elected official here in Washington, now’s the time to do so.

Sign the ERTC Petition

Tell Congress to Replenish the RRF

Congressional Update With Sean Kennedy