The Florida Administrative Code Data Security Requirements and What to Do to Be Compliant

Written by Scott Pruitt on September 21, 2022


Florida’s state-maintained information has various levels of data security requirements. There are legitimate needs for municipal and county agencies across the state to access the state’s information. Florida state driver’s license data that is maintained by Florida’s Department of Highway Safety and Motor Vehicles (the DHSMV) falls under these criteria.

Local governments and other municipal organizations that request access to that information have to enter a legally binding contract with the DHSMV, which includes agreeing to a memorandum of understanding that requires them to comply with the information security standards outlined in Rule 60GG-2 (the Rule). These organizations may not have a clear understanding of what they have agreed to implement.

The Florida Administrative Code Chapter 60GG-2 outlines the cybersecurity standards that have been established to secure state information technology data and resources.

The Rule establishes the Florida Cybersecurity Standards and is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework covers five broad security functions to mitigate IT risk and outlines the controls in each functional area.

  1. Identify. Develop the organizational understanding of the cybersecurity risks to systems, assets and data.
  2. Protect. Develop and implement appropriate safeguards to ensure delivery of critical services.
  3. Detect. Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  4. Respond. Develop and implement appropriate activities to act accordingly regarding a detected cybersecurity incident.
  5. Recover. Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

This Memorandum of Understanding for Driver’s License and/or Motor Vehicle Record Data Exchange (the Memorandum) sets out the organization’s obligations relating to cybersecurity and protecting this data.

The Memorandum also contains a section requiring the organization to “submit an Internal Control and Data Security Audit from a currently licensed Certified Public Accountant” within one year of the date the Memorandum is executed or within 120 days of a request by the DHSMV.

This audit against the NIST Cybersecurity Framework must include an attestation assessment of the internal controls of the organization that govern the use, disclosure, distribution or modification of the data in the state driver’s license system. Any identified control deficiencies would require corrective measures to be outlined to become compliant.

The American Institute of Certified Public Accountants has outlined procedures with SSAE21 examination standards to evaluate the organization’s assertion that it is compliant with the Rule. This results in an opinion on whether the organization’s assertion of compliance is fairly stated.

Once completed, the organization would have to resubmit a new attestation audit every three years, and they are required to submit an annual certification statement that the organization is fully compliant with all the obligations in the MOU.

Failure to adhere to these contractual requirements brings the threat of contract termination and potential fines up to $25.00 per individual record. With the number of records involved, this can result in substantial penalties.

Warren Averett’s Security, Risk and Controls Group, which consists of information security consultants with industry-recognized CISA, CISM, CDPSE, CITP, CISSP and CPA certification backgrounds, can help your organization meet this regulatory goal and adopt a proactive approach to compliance while helping minimize the risk of a security breach and ensuring that you’re complying with Florida Cybersecurity Standards outlined in the Rule.
