THIRD-PARTY RISK MANAGEMENT SOP — FLORIDA SUPPLEMENT
Organization: [________________________________]
SOP Number: TPRM-FL-[____]
Version: [____]
Effective Date: [__/__/____]
Approved By: [________________________________]
TABLE OF CONTENTS
- Purpose and Scope
- Florida Regulatory Framework
- Definitions
- Risk Tiering — Florida Enhancements
- Third-Party Lifecycle — Florida Requirements
- Roles and Responsibilities
- Documentation and Systems of Record
- Metrics, KRIs, and Reporting
- Exceptions and Compensating Controls
- Review Cadence
- Annexes
1. PURPOSE AND SCOPE
1.1 Purpose
This SOP supplements the organization's Universal Third-Party Risk Management SOP with Florida-specific requirements under the Florida Information Protection Act (FIPA) (Fla. Stat. § 501.171) and the Florida Digital Bill of Rights (FDBR) (Fla. Stat. § 501.701 et seq., effective July 1, 2024). FIPA requires covered entities and their third-party agents to take reasonable measures to protect personal information in electronic form, requires notice to affected individuals no later than 30 days after a breach is determined, and requires third-party agents to notify the covered entity no later than 10 days after determining a breach. The FDBR establishes consumer privacy rights, processor obligations, and data protection assessment requirements for organizations that meet its applicability thresholds.
1.2 Scope
Applies to all third-party relationships involving:
☐ Personal information of Florida residents (as defined by Fla. Stat. § 501.171(1)(g))
☐ Sensitive data of Florida consumers (as defined by FDBR, Fla. Stat. § 501.702)
☐ Services delivered to Florida-based operations or customers
☐ Vendors subject to Florida regulatory oversight
2. FLORIDA REGULATORY FRAMEWORK
| Statute/Regulation | Key Vendor Requirements |
|---|---|
| FIPA, Fla. Stat. § 501.171 | Reasonable security measures for personal information; notice to affected individuals no later than 30 days after the breach is determined; notice to the FL Dept. of Legal Affairs when 500 or more Florida residents are affected; third-party agents must notify the covered entity no later than 10 days after determining a breach (§ 501.171(6)) |
| FIPA, Fla. Stat. § 501.171(2) | Covered entities, governmental entities, and third-party agents must take reasonable measures to protect and secure data in electronic form containing personal information |
| FIPA, Fla. Stat. § 501.171(3) | Notice to FL Dept. of Legal Affairs within 30 days of determination for breaches affecting 500 or more individuals in Florida |
| FDBR, Fla. Stat. § 501.701 et seq. | Consumer rights (access, deletion, correction, portability, opt-out); processor obligations under § 501.711; data protection assessments under § 501.715 |
| FDBR, Fla. Stat. § 501.711(2) | Consent required before processing sensitive data |
| FDBR, Fla. Stat. § 501.715 | Data protection assessments for targeted advertising, sale of personal data, sensitive data processing, and profiling |
| OCC Bulletin 2023-17 | Full lifecycle TPRM (applies to federally regulated entities) |
3. DEFINITIONS
| Term | Definition |
|---|---|
| Personal Information (FIPA) | First name or first initial and last name in combination with any of: SSN; driver license, ID card, passport, or military ID number; financial account or payment card number together with any required security code, access code, or password; medical history, mental or physical condition, or medical treatment or diagnosis; health insurance policy or subscriber number. Also a username or e-mail address in combination with a password or security question and answer. Excludes information that is encrypted, secured, or otherwise rendered unusable, and information made publicly available by a government entity (Fla. Stat. § 501.171(1)(g)) |
| Consumer (FDBR) | Florida resident acting in an individual or household context |
| Controller | Entity that determines purposes and means of processing personal data under FDBR |
| Processor | Entity that processes personal data on behalf of a controller under FDBR |
| Sensitive Data (FDBR) | Racial/ethnic origin, religious beliefs, mental/physical health, sexual orientation, citizenship/immigration, genetic data, biometric data, children's data, precise geolocation (Fla. Stat. § 501.702) |
4. RISK TIERING — FLORIDA ENHANCEMENTS
In addition to the universal tiering criteria, the following Florida-specific factors shall be evaluated:
| Factor | Elevated Risk Indicators |
|---|---|
| FIPA Data Elements | Vendor processes personal information containing SSN, DL#, financial accounts, or health data of FL residents |
| FDBR Applicability | The organization (as controller) or the vendor (as a controller in its own right) meets FDBR applicability thresholds: global gross annual revenue over $1 billion plus at least one of: 50% or more of revenue from online advertising sales, operation of a consumer smart speaker / voice command service, or operation of an app store with 250,000 or more apps |
| Sensitive Data Processing | Vendor processes sensitive data requiring consumer consent under FDBR § 501.711(2) |
| High-Risk Processing | Vendor conducts targeted advertising, sale of personal data, or profiling triggering DPA obligations under § 501.715 |
| Children's Data | Vendor processes personal data of children: data of children under 13 triggers COPPA, and personal data collected from a known child is sensitive data under the FDBR, requiring consent |
| Florida Regulatory Oversight | Vendor subject to oversight by Florida OFR, DBPR, or other state regulators |
Vendors processing FIPA-defined personal information or FDBR-regulated data shall be classified no lower than Medium tier.
5. THIRD-PARTY LIFECYCLE — FLORIDA REQUIREMENTS
5.1 Due Diligence Enhancements
In addition to universal due diligence, the following Florida-specific assessments are required:
| # | Requirement | Applicable Tier | Evidence |
|---|---|---|---|
| 5.1.1 | Verify vendor maintains reasonable security measures per FIPA § 501.171(2) | All tiers handling FL personal information | ☐ Security policy ☐ SOC 2 report ☐ Pen test summary |
| 5.1.2 | Assess vendor's FIPA breach notification capability: vendor must be able to notify the organization no later than 10 days after determining a breach (§ 501.171(6)), and the organization must still be able to notify individuals within 30 days (§ 501.171(4)) | All tiers | ☐ IRP ☐ Notification SLA |
| 5.1.3 | Evaluate FDBR processor obligations compliance (if vendor is a processor) | Critical/High | ☐ Data processing agreement ☐ Consumer rights workflow |
| 5.1.4 | Assess vendor ability to support data protection assessments (§ 501.715) | Critical/High | ☐ Data protection assessment support documentation |
| 5.1.5 | Verify consent mechanisms for sensitive data (§ 501.711(2)) | If sensitive data processed | ☐ Consent workflows ☐ Privacy policy |
| 5.1.6 | Evaluate children's data protections (COPPA + FDBR) | If children's data | ☐ COPPA compliance documentation |
5.2 Contract Requirements — Florida Additions
All contracts with vendors handling Florida resident data must include:
| Clause | Requirement | Citation |
|---|---|---|
| Breach Notification | Vendor must notify organization within [____] hours of determining a breach. FIPA allows third-party agents no more than 10 days; the contractual window should be materially shorter so the organization can meet its own 30-day individual-notice deadline | Fla. Stat. § 501.171(6), (4) |
| Reasonable Security | Vendor represents and warrants implementation of reasonable security measures for personal information | Fla. Stat. § 501.171(2) |
| FDBR Processor Terms | If vendor acts as processor: process only on documented instructions; implement appropriate security; support consumer rights; allow audits; delete/return data on termination | Fla. Stat. § 501.711 |
| Data Protection Assessment Support | Vendor will cooperate with controller's data protection assessments for high-risk processing | Fla. Stat. § 501.715 |
| Sensitive Data Consent | Vendor will not process sensitive data without confirming consumer consent has been obtained | Fla. Stat. § 501.711(2) |
| Subprocessor Approval | Vendor will obtain written approval before engaging subprocessors for FL resident data | FDBR processor obligations |
| AG Notification Support | Vendor will cooperate in notifying the FL Dept. of Legal Affairs when 500 or more Florida residents are affected | Fla. Stat. § 501.171(3) |
5.3 Ongoing Monitoring — Florida Additions
| Monitoring Activity | Frequency | Responsible |
|---|---|---|
| FIPA compliance validation | Annual | Compliance |
| FDBR consumer rights request support review | Semi-Annual (Critical/High) | Privacy |
| Sensitive data processing consent verification | Annual | Privacy |
| Florida breach notification readiness | Annual (tabletop exercise) | Security / Compliance |
| FDBR data protection assessment updates | As triggered by processing changes | Privacy |
5.4 Offboarding — Florida Additions
☐ Confirm deletion of all Florida resident personal information
☐ Obtain written certification of destruction
☐ Verify subprocessors have also returned or deleted Florida resident data
☐ Document compliance with FIPA and FDBR obligations through termination
6. ROLES AND RESPONSIBILITIES
| Role | Florida-Specific Responsibilities |
|---|---|
| Business Owner | Ensure vendor SLAs support FIPA 30-day notification; escalate FDBR compliance gaps |
| Compliance | Monitor FIPA/FDBR regulatory updates; review vendor Florida compliance; coordinate AG notifications |
| Security | Validate reasonable security measures under FIPA; review incident response alignment with 30-day timeline |
| Privacy | Assess FDBR processor obligations; review consumer rights support; coordinate data protection assessments |
| Legal | Ensure Florida-specific contract terms; advise on FDBR applicability thresholds |
7. DOCUMENTATION AND SYSTEMS OF RECORD
All Florida-specific TPRM activities shall be documented in the TPRM platform with the following additional fields:
☐ Florida data elements processed (FIPA categories)
☐ FDBR applicability determination
☐ FDBR processor agreement status
☐ Data protection assessment completion status
☐ Sensitive data consent verification
☐ FIPA breach notification SLA compliance tracking
8. METRICS, KRIs, AND REPORTING
Florida-Specific Metrics
| Metric | Target | Frequency |
|---|---|---|
| Vendors with FIPA-compliant breach notification SLAs | 100% of applicable vendors | Quarterly |
| FDBR processor agreements executed | 100% of applicable vendors | Quarterly |
| Data protection assessments completed (§ 501.715) | 100% of high-risk processing | Semi-Annual |
| Sensitive data consent verification rate | 100% | Annual |
| Time from breach determination to notice to FL Dept. of Legal Affairs (when 500 or more residents affected) | Within 30 days of determination | Per incident |
Report Florida-specific metrics to [Board/Committee] as part of quarterly TPRM reporting.
9. EXCEPTIONS AND COMPENSATING CONTROLS
Exceptions to Florida-specific requirements follow the universal exception process. Additional requirements:
☐ Exceptions involving FIPA or FDBR obligations must be approved by [CCO / General Counsel]
☐ Compensating controls must be documented with specific reference to the Florida statutory requirement
☐ Maximum exception duration: [____] days
10. REVIEW CADENCE
| Field | Information |
|---|---|
| SOP Owner | [________________________________] |
| Review Frequency | Annual, or upon material Florida regulatory change |
| Next Review Date | [__/__/____] |
11. ANNEXES
Annex A: Florida Data Elements Mapping
| FIPA Data Element | Example | Enhanced Controls Required |
|---|---|---|
| SSN | Social Security Number | ☐ Encryption ☐ Access logging ☐ MFA |
| DL# | Driver's license / state ID | ☐ Encryption ☐ Access controls |
| Financial Account | Account number + access code/PIN | ☐ Encryption ☐ Tokenization ☐ PCI DSS |
| Medical Information | Health records, diagnoses | ☐ Encryption ☐ HIPAA alignment |
| Health Insurance | Policy/subscriber numbers | ☐ Encryption ☐ Access controls |
| Email/Username + Password | Login credentials | ☐ Salted, slow password hashing (bcrypt, scrypt, or Argon2; never reversible encryption or unsalted hashes) ☐ MFA ☐ Monitoring for credential stuffing and anomalous logins |
Annex B: FDBR Processor Contract Checklist
☐ Processing limited to documented instructions
☐ Appropriate technical and organizational security measures
☐ Confidentiality obligations for personnel
☐ Subprocessor engagement requires written authorization
☐ Support for consumer rights requests (access, deletion, correction, portability, opt-outs)
☐ Cooperation with audits and assessments
☐ Deletion or return of data upon termination
☐ Notification if unable to meet FDBR obligations
SOURCES AND REFERENCES
- Florida Information Protection Act (FIPA), Fla. Stat. § 501.171
- Florida Digital Bill of Rights (FDBR), Fla. Stat. § 501.701 et seq. (eff. July 1, 2024)
- Fla. Stat. § 501.711 (Processor Duties)
- Fla. Stat. § 501.715 (Data Protection Assessments)
- OCC Bulletin 2023-17
- DOJ Evaluation of Corporate Compliance Programs (2023)
This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.
Last updated: April 2026