Florida Senate - 2014 SB 1524
By Senator Thrasher
6-01033A-14 20141524__
1 A bill to be entitled
2 An act relating to security of confidential personal
3 information; providing a short title; repealing s.
4 817.5681, F.S., relating to a breach of security
5 concerning confidential personal information in third
6 party possession; creating s. 501.171, F.S.; providing
7 definitions; requiring specified entities to take
8 reasonable measures to protect and secure data
9 containing personal information in electronic form;
10 requiring specified entities to notify the Department
11 of Legal Affairs of data security breaches; requiring
12 notice to individuals of data security breaches in
13 certain circumstances; providing exceptions to notice
14 requirements in certain circumstances; specifying
15 contents of notice; requiring notice to credit
16 reporting agencies in certain circumstances; requiring
17 the department to report annually to the Legislature;
18 specifying report requirements; providing requirements
19 for disposal of customer records; providing for
20 enforcement actions by the department; providing civil
21 penalties; specifying that no private cause of action
22 is created; amending ss. 282.0041 and 282.318, F.S.;
23 conforming cross-references to changes made by the
24 act; providing an effective date.
25
26 Be It Enacted by the Legislature of the State of Florida:
27
28 Section 1. This act may be cited as the “Florida
29 Information Protection Act of 2014.”
30 Section 2. Section 817.5681, Florida Statutes, is repealed.
31 Section 3. Section 501.171, Florida Statutes, is created to
32 read:
33 501.171 Security of confidential personal information.—
34 (1) DEFINITIONS.—As used in this section, the term:
35 (a) “Breach of security” or “breach” means unauthorized
36 access of data in electronic form containing personal
37 information.
38 (b) “Covered entity” means a sole proprietorship,
39 partnership, corporation, trust, estate, cooperative,
40 association, or other commercial entity that acquires,
41 maintains, stores, or uses personal information. For purposes of
42 the notice requirements of subsections (3)-(6), the term
43 includes a governmental entity.
44 (c) “Customer records” means any material, regardless of
45 the physical form, on which personal information is recorded or
46 preserved by any means, including, but not limited to, written
47 or spoken words, graphically depicted, printed, or
48 electromagnetically transmitted that are provided by an
49 individual in this state to a covered entity for the purpose of
50 purchasing or leasing a product or obtaining a service.
51 (d) “Data in electronic form” means any data stored
52 electronically or digitally on any computer system or other
53 database and includes recordable tapes and other mass storage
54 devices.
55 (e) “Department” means the Department of Legal Affairs.
56 (f) “Governmental entity” means any department, division,
57 bureau, commission, regional planning agency, board, district,
58 authority, agency, or other instrumentality of this state that
59 acquires, maintains, stores, or uses data in electronic form
60 containing personal information.
61 (g)1. “Personal information” means either of the following:
62 a. An individual’s first name or first initial and last
63 name in combination with any one or more of the following data
64 elements for that individual:
65 (I) A social security number.
66 (II) A driver license or identification card number,
67 passport number, military identification number, or other
68 similar number issued on a government document used to verify
69 identity.
70 (III) A financial account number or credit or debit card
71 number, in combination with any required security code, access
72 code, or password that is necessary to permit access to an
73 individual’s financial account.
74 (IV) Any information regarding an individual’s medical
75 history, mental or physical condition, or medical treatment or
76 diagnosis by a health care professional.
77 (V) An individual’s health insurance policy number or
78 subscriber identification number and any unique identifier used
79 by a health insurer to identify the individual.
80 (VI) Any other information from or about an individual that
81 could be used to personally identify that person; or
82 b. A user name or e-mail address, in combination with a
83 password or security question and answer that would permit
84 access to an online account.
85 2. The term does not include information about an
86 individual that has been made publicly available by a federal,
87 state, or local governmental entity or information that is
88 encrypted, secured, or modified by any other method or
89 technology that removes elements that personally identify an
90 individual or that otherwise renders the information unusable.
91 (h) “Third-party agent” means an entity that has been
92 contracted to maintain, store, or process personal information
93 on behalf of a covered entity or governmental entity.
94 (2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity,
95 governmental entity, or third-party agent shall take reasonable
96 measures to protect and secure data in electronic form
97 containing personal information and prevent a breach of
98 security.
99 (3) NOTICE TO DEPARTMENT OF SECURITY BREACH.—
100 (a) A covered entity shall give notice to the department of
101 any breach of security following discovery by the covered
102 entity. Notice to the department must be made within 30 days
103 after the determination of the breach or reason to believe a
104 breach had occurred.
105 (b) The written notice to the department must include:
106 1. A synopsis of the events surrounding the breach.
107 2. A police report, incident report, or computer forensics
108 report.
109 3. The number of individuals in this state who were or
110 potentially have been affected by the breach.
111 4. A copy of the policies in place regarding breaches.
112 5. Any steps that have been taken to rectify the breach.
113 6. Any services being offered by the covered entity to
114 individuals, without charge, and instructions as to how to use
115 such services.
116 7. A copy of the notice sent to the individuals.
117 8. The name, address, telephone number, and e-mail address
118 of the employee of the covered entity from whom additional
119 information may be obtained about the breach and the steps taken
120 to rectify the breach and prevent similar breaches.
121 9. Whether notice to individuals is being made pursuant to
122 federal law or pursuant to the requirements of subsection (4).
123 (c) For a covered entity that is the judicial branch, the
124 Executive Office of the Governor, the Department of Financial
125 Services, and the Department of Agriculture and Consumer
126 Services, in lieu of providing the written notice to the
127 department, the covered entity may post the information
128 described in subparagraphs (b)1.-7. on an agency-managed
129 website.
130 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—
131 (a) A covered entity shall give notice to each individual
132 in this state whose personal information was, or the covered
133 entity reasonably believes to have been, accessed as a result of
134 the breach. Notice to individuals shall be made as expeditiously
135 as practicable and without unreasonable delay, taking into
136 account the time necessary to allow the covered entity to
137 determine the scope of the breach of security, to identify
138 individuals affected by the breach, and to restore the
139 reasonable integrity of the data system that was breached, but
140 no later than 30 days after the determination of a breach unless
141 subject to a delay authorized under paragraph (b) or waiver
142 under paragraph (c).
143 (b) If a federal or state law enforcement agency determines
144 that notice to individuals required under this subsection would
145 interfere with a criminal investigation, the notice shall be
146 delayed upon the written request of the law enforcement agency
147 for any period that the law enforcement agency determines is
148 reasonably necessary. A law enforcement agency may, by a
149 subsequent written request, revoke such delay or extend the
150 period set forth in the original request made under this
151 paragraph by a subsequent request if further delay is necessary.
152 (c) Notwithstanding paragraph (a), notice to the affected
153 individuals is not required if, after an appropriate
154 investigation and written consultation with relevant federal and
155 state law enforcement agencies, the covered entity reasonably
156 determines that the breach has not and will not likely result in
157 identity theft or any other financial harm to the individuals
158 whose personal information has been accessed. Such a
159 determination must be documented in writing and maintained for
160 at least 5 years. The covered entity shall provide the written
161 determination to the department within 30 days after the
162 determination.
163 (d) The notice to an affected individual shall be by one of
164 the following methods:
165 1. Written notice sent to the mailing address of the
166 individual in the records of the covered entity; or
167 2. E-mail notice sent to the e-mail address of the
168 individual in the records of the covered entity.
169 (e) The notice to an individual with respect to a breach of
170 security shall include, at a minimum:
171 1. The date, estimated date, or estimated date range of the
172 breach of security.
173 2. A description of the personal information that was
174 accessed or reasonably believed to have been accessed as a part
175 of the breach of security.
176 3. Information that the individual can use to contact the
177 covered entity to inquire about the breach of security and the
178 personal information that the covered entity maintained about
179 the individual.
180 (f) A covered entity required to provide notice to an
181 individual may provide substitute notice in lieu of direct
182 notice if such direct notice is not feasible because the cost of
183 providing notice would exceed $250,000, the affected individuals
184 exceed 500,000 persons, or the covered entity does not have an
185 e-mail address or mailing address for the affected individuals.
186 Such substitute notice shall include the following:
187 1. A conspicuous notice on the Internet website of the
188 covered entity, if such covered entity maintains a website; and
189 2. Notice in print and to broadcast media, including major
190 media in urban and rural areas where the affected individuals
191 reside.
192 (g) A covered entity that is in compliance with any federal
193 law that requires such covered entity to provide notice to
194 individuals following a breach of security is deemed to comply
195 with the notice requirements of this subsection if the covered
196 entity has promptly provided the notice to the department under
197 subsection (3).
198 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered
199 entity discovers circumstances requiring notice pursuant to this
200 section of more than 1,000 individuals at a single time, the
201 covered entity shall also notify, without unreasonable delay,
202 all consumer reporting agencies that compile and maintain files
203 on consumers on a nationwide basis, as defined in the Fair
204 Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing,
205 distribution, and content of the notices.
206 (6) NOTICE BY THIRD-PARTY AGENTS; DUTIES OF THIRD-PARTY
207 AGENTS.—In the event of a breach of security of a system
208 maintained by a third-party agent, such third-party agent shall
209 promptly notify the covered entity of the breach of security.
210 Upon receiving notice from a third-party agent, a covered entity
211 shall provide notices required under subsections (3) and (4). A
212 third-party agent shall provide a covered entity with all
213 information that the covered entity needs to comply with its
214 notice requirements.
215 (7) ANNUAL REPORT.—By February 1 of each year, the
216 department shall submit a report to the President of the Senate
217 and the Speaker of the House of Representatives describing the
218 nature of any reported breaches of security by governmental
219 entities or third-party agents of governmental entities in the
220 preceding calendar year along with recommendations for security
221 improvements. The report shall identify any governmental entity
222 that has violated any of the applicable requirements in
223 subsections (2)-(6) in the preceding calendar year.
224 (8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS.—Each
225 covered entity or third-party agent shall take all reasonable
226 measures to dispose, or arrange for the disposal, of customer
227 records containing personal information within its custody or
228 control when the records are no longer to be retained. Such
229 disposal shall involve shredding, erasing, or otherwise
230 modifying the personal information in the records to make it
231 unreadable or undecipherable through any means.
232 (9) ENFORCEMENT.—
233 (a) A violation of this section shall be treated as an
234 unfair or deceptive trade practice in any action brought by the
235 department under s. 501.207 against a covered entity or third
236 party agent.
237 (b) In addition to the remedies provided for in paragraph
238 (a), a covered entity that violates subsection (3) or subsection
239 (4) shall be liable for a civil penalty not to exceed $500,000,
240 as follows:
241 1. In the amount of $1,000 for each day the breach goes
242 undisclosed for up to 30 days and, thereafter, $50,000 for each
243 30-day period or portion thereof for up to 180 days.
244 2. If notice is not made within 180 days, in an amount not
245 to exceed $500,000.
246
247 The civil penalties for failure to notify provided in this
248 paragraph shall apply per breach and not per individual affected
249 by the breach.
250 (c) All penalties collected pursuant to this subsection
251 shall be deposited into the General Revenue Fund.
252 (10) NO PRIVATE CAUSE OF ACTION.—This section does not
253 establish a private cause of action.
254 Section 4. Subsection (5) of section 282.0041, Florida
255 Statutes, is amended to read:
256 282.0041 Definitions.—As used in this chapter, the term:
257 (5) “Breach” has the same meaning as the term “breach of
258 security” as provided in s. 501.171 in s. 817.5681(4).
259 Section 5. Paragraph (i) of subsection (4) of section
260 282.318, Florida Statutes, is amended to read:
261 282.318 Enterprise security of data and information
262 technology.—
263 (4) To assist the Agency for Enterprise Information
264 Technology in carrying out its responsibilities, each agency
265 head shall, at a minimum:
266 (i) Develop a process for detecting, reporting, and
267 responding to suspected or confirmed security incidents,
268 including suspected or confirmed breaches consistent with the
269 security rules and guidelines established by the Agency for
270 Enterprise Information Technology.
271 1. Suspected or confirmed information security incidents
272 and breaches must be immediately reported to the Agency for
273 Enterprise Information Technology.
274 2. For incidents involving breaches, agencies shall provide
275 notice in accordance with s. 501.171 s. 817.5681 and to the
276 Agency for Enterprise Information Technology in accordance with
277 this subsection.
278 Section 6. This act shall take effect July 1, 2014.