Florida Senate - 2014 CS for SB 1524
By the Committee on Commerce and Tourism; and Senator Thrasher
577-03111-14 20141524c1
1 A bill to be entitled
2 An act relating to security of confidential personal
3 information; providing a short title; repealing s.
4 817.5681, F.S., relating to a breach of security
5 concerning confidential personal information in third
6 party possession; creating s. 501.171, F.S.; providing
7 definitions; requiring specified entities to take
8 reasonable measures to protect and secure data
9 containing personal information in electronic form;
10 requiring specified entities to notify the Department
11 of Legal Affairs of data security breaches; requiring
12 notice to individuals of data security breaches under
13 certain circumstances; providing exceptions to notice
14 requirements under certain circumstances; specifying
15 contents and methods of notice; requiring notice to
16 credit reporting agencies under certain circumstances;
17 requiring the department to report annually to the
18 Legislature; specifying report requirements; providing
19 requirements for disposal of customer records;
20 providing for enforcement actions by the department;
21 providing civil penalties; specifying that no private
22 cause of action is created; amending ss. 282.0041 and
23 282.318, F.S.; conforming cross-references to changes
24 made by the act; providing an effective date.
25
26 Be It Enacted by the Legislature of the State of Florida:
27
28 Section 1. This act may be cited as the “Florida
29 Information Protection Act of 2014.”
30 Section 2. Section 817.5681, Florida Statutes, is repealed.
31 Section 3. Section 501.171, Florida Statutes, is created to
32 read:
33 501.171 Security of confidential personal information.—
34 (1) DEFINITIONS.—As used in this section, the term:
35 (a) “Breach of security” or “breach” means unauthorized
36 access of data in electronic form containing personal
37 information. Good faith access of personal information by an
38 employee or agent of a covered entity does not constitute a
39 breach of security, provided that the information is not used
40 for a purpose unrelated to the business or subject to further
41 unauthorized use.
42 (b) “Covered entity” means a sole proprietorship,
43 partnership, corporation, trust, estate, cooperative,
44 association, or other commercial entity that acquires,
45 maintains, stores, or uses personal information. For purposes of
46 the notice requirements in subsections (3)-(6), the term
47 includes a governmental entity.
48 (c) “Customer records” means any material, regardless of
49 the physical form, on which personal information is recorded or
50 preserved by any means, including, but not limited to, written
51 or spoken words, graphically depicted, printed, or
52 electromagnetically transmitted that are provided by an
53 individual in this state to a covered entity for the purpose of
54 purchasing or leasing a product or obtaining a service.
55 (d) “Data in electronic form” means any data stored
56 electronically or digitally on any computer system or other
57 database and includes recordable tapes and other mass storage
58 devices.
59 (e) “Department” means the Department of Legal Affairs.
60 (f) “Governmental entity” means any department, division,
61 bureau, commission, regional planning agency, board, district,
62 authority, agency, or other instrumentality of this state that
63 acquires, maintains, stores, or uses data in electronic form
64 containing personal information.
65 (g)1. “Personal information” means either of the following:
66 a. An individual’s first name or first initial and last
67 name in combination with any one or more of the following data
68 elements for that individual:
69 (I) A social security number.
70 (II) A driver license or identification card number,
71 passport number, military identification number, or other
72 similar number issued on a government document used to verify
73 identity.
74 (III) A financial account number or credit or debit card
75 number, in combination with any required security code, access
76 code, or password that is necessary to permit access to an
77 individual’s financial account.
78 (IV) Any information regarding an individual’s medical
79 history, mental or physical condition, or medical treatment or
80 diagnosis by a health care professional; or
81 (V) An individual’s health insurance policy number or
82 subscriber identification number and any unique identifier used
83 by a health insurer to identify the individual.
84 b. A user name or e-mail address, in combination with a
85 password or security question and answer that would permit
86 access to an online account.
87 2. The term does not include information about an
88 individual that has been made publicly available by a federal,
89 state, or local governmental entity or information that is
90 encrypted, secured, or modified by any other method or
91 technology that removes elements that personally identify an
92 individual or that otherwise renders the information unusable.
93 (h) “Third-party agent” means an entity that has been
94 contracted to maintain, store, or process personal information
95 on behalf of a covered entity or governmental entity.
96 (2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity,
97 governmental entity, or third-party agent shall take reasonable
98 measures to protect and secure data in electronic form
99 containing personal information.
100 (3) NOTICE TO DEPARTMENT OF SECURITY BREACH.—
101 (a) A covered entity shall give notice to the department of
102 any breach of security, as expeditiously as practicable, but no
103 later than 30 days after the determination of the breach or
104 reason to believe a breach had occurred.
105 (b) The written notice to the department must include:
106 1. A synopsis of the events surrounding the breach.
107 2. The number of individuals in this state who were or
108 potentially have been affected by the breach.
109 3. Any services related to the breach being offered,
110 without charge, by the covered entity to individuals, and
111 instructions as to how to use such services.
112 4. A copy of the notice required under subsection (4) or an
113 explanation of the other actions taken pursuant to subsection
114 (4).
115 5. The name, address, telephone number, and e-mail address
116 of the employee of the covered entity from whom additional
117 information may be obtained about the breach, and the steps
118 taken to rectify the breach and prevent similar breaches.
119 (c) The covered entity must provide the following
120 information to the department upon its request:
121 1. A police report, incident report, or computer forensics
122 report.
123 2. A copy of the policies in place regarding breaches.
124 3. Any steps that have been taken to rectify the breach.
125 (d) For a covered entity that is the judicial branch, the
126 Executive Office of the Governor, the Department of Financial
127 Services, or the Department of Agriculture and Consumer
128 Services, in lieu of providing the written notice to the
129 department, the covered entity may post the information
130 described in subparagraphs (b)1.-4. on an agency-managed
131 website.
132 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—
133 (a) A covered entity shall give notice to each individual
134 in this state whose personal information was, or the covered
135 entity reasonably believes to have been, accessed as a result of
136 the breach. Notice to individuals shall be made as expeditiously
137 as practicable and without unreasonable delay, taking into
138 account the time necessary to allow the covered entity to
139 determine the scope of the breach of security, to identify
140 individuals affected by the breach, and to restore the
141 reasonable integrity of the data system that was breached, but
142 no later than 30 days after the determination of a breach unless
143 subject to a delay authorized under paragraph (b) or waiver
144 under paragraph (c).
145 (b) If a federal, state, or local law enforcement agency
146 determines that notice to individuals required under this
147 subsection would interfere with a criminal investigation, the
148 notice shall be delayed upon the written request of the law
149 enforcement agency for a specified period that the law
150 enforcement agency determines is reasonably necessary. A law
151 enforcement agency may, by a subsequent written request, revoke
152 such delay as of a specified date or extend the period set forth
153 in the original request made under this paragraph to a specified
154 date if further delay is necessary.
155 (c) Notwithstanding paragraph (a), notice to the affected
156 individuals is not required if, after an appropriate
157 investigation and consultation with relevant federal, state, and
158 local law enforcement agencies, the covered entity reasonably
159 determines that the breach has not and will not likely result in
160 identity theft or any other financial harm to the individuals
161 whose personal information has been accessed. Such a
162 determination must be documented in writing and maintained for
163 at least 5 years. The covered entity shall provide the written
164 determination to the department within 30 days after the
165 determination.
166 (d) The notice to an affected individual shall be by one of
167 the following methods:
168 1. Written notice sent to the mailing address of the
169 individual in the records of the covered entity; or
170 2. E-mail notice sent to the e-mail address of the
171 individual in the records of the covered entity.
172 (e) The notice to an individual with respect to a breach of
173 security shall include, at a minimum:
174 1. The date, estimated date, or estimated date range of the
175 breach of security.
176 2. A description of the personal information that was
177 accessed or reasonably believed to have been accessed as a part
178 of the breach of security.
179 3. Information that the individual can use to contact the
180 covered entity to inquire about the breach of security and the
181 personal information that the covered entity maintained about
182 the individual.
183 (f) A covered entity required to provide notice to an
184 individual may provide substitute notice in lieu of direct
185 notice if such direct notice is not feasible because the cost of
186 providing notice would exceed $250,000, because the affected
187 individuals exceed 500,000 persons, or because the covered
188 entity does not have an e-mail address or mailing address for
189 the affected individuals. Such substitute notice shall include
190 the following:
191 1. A conspicuous notice on the Internet website of the
192 covered entity if the covered entity maintains a website; and
193 2. Notice in print and to broadcast media, including major
194 media in urban and rural areas where the affected individuals
195 reside.
196 (g) Notice provided pursuant to rules, regulations,
197 procedures, or guidelines established by the covered entity’s
198 primary or functional federal regulator is deemed to be in
199 compliance with the notice requirement in this subsection if the
200 covered entity notifies individuals in accordance with any
201 rules, regulations, procedures, or guidelines established by the
202 primary or functional federal regulator in the event of a breach
203 of security. Under this paragraph, the covered entity must
204 provide notice to the department under subsection (3).
205 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered
206 entity discovers circumstances requiring notice pursuant to this
207 section of more than 1,000 individuals at a single time, the
208 covered entity shall also notify, without unreasonable delay,
209 all consumer reporting agencies that compile and maintain files
210 on consumers on a nationwide basis, as defined in the Fair
211 Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing,
212 distribution, and content of the notices.
213 (6) NOTICE BY THIRD-PARTY AGENTS; DUTIES OF THIRD-PARTY
214 AGENTS.—In the event of a breach of security of a system
215 maintained by a third-party agent, such third-party agent shall
216 notify the covered entity of the breach of security as
217 expeditiously as practicable, but no later than 10 days
218 following the determination of the breach of security. Upon
219 receiving notice from a third-party agent, a covered entity
220 shall provide notices required under subsections (3) and (4). A
221 third-party agent shall provide a covered entity with all
222 information that the covered entity needs to comply with its
223 notice requirements.
224 (7) ANNUAL REPORT.—By February 1 of each year, the
225 department shall submit a report to the President of the Senate
226 and the Speaker of the House of Representatives describing the
227 nature of any reported breaches of security by governmental
228 entities or third-party agents of governmental entities in the
229 preceding calendar year along with recommendations for security
230 improvements. The report shall identify any governmental entity
231 that has violated any of the applicable requirements in
232 subsections (2)-(6) in the preceding calendar year.
233 (8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS.—Each
234 covered entity or third-party agent shall take all reasonable
235 measures to dispose, or arrange for the disposal, of customer
236 records containing personal information within its custody or
237 control when the records are no longer to be retained. Such
238 disposal shall involve shredding, erasing, or otherwise
239 modifying the personal information in the records to make it
240 unreadable or undecipherable through any means.
241 (9) ENFORCEMENT.—
242 (a) A violation of this section shall be treated as an
243 unfair or deceptive trade practice in any action brought by the
244 department under s. 501.207 against a covered entity or third
245 party agent.
246 (b) In addition to the remedies provided for in paragraph
247 (a), a covered entity that violates subsection (3) or subsection
248 (4) shall be liable for a civil penalty not to exceed $500,000,
249 as follows:
250 1. In the amount of $1,000 for each day up to the first 30
251 days following any violation of subsection (3) or subsection (4)
252 and, thereafter, $50,000 for each subsequent 30-day period or
253 portion thereof for up to 180 days.
254 2. If the violation continues for more than 180 days, in an
255 amount not to exceed $500,000.
256
257 The civil penalties for failure to notify provided in this
258 paragraph apply per breach and not per individual affected by
259 the breach.
260 (c) All penalties collected pursuant to this subsection
261 shall be deposited into the General Revenue Fund.
262 (10) NO PRIVATE CAUSE OF ACTION.—This section does not
263 establish a private cause of action.
264 Section 4. Subsection (5) of section 282.0041, Florida
265 Statutes, is amended to read:
266 282.0041 Definitions.—As used in this chapter, the term:
267 (5) “Breach” has the same meaning as the term “breach of
268 security” as defined in s. 501.171 in s. 817.5681(4).
269 Section 5. Paragraph (i) of subsection (4) of section
270 282.318, Florida Statutes, is amended to read:
271 282.318 Enterprise security of data and information
272 technology.—
273 (4) To assist the Agency for Enterprise Information
274 Technology in carrying out its responsibilities, each agency
275 head shall, at a minimum:
276 (i) Develop a process for detecting, reporting, and
277 responding to suspected or confirmed security incidents,
278 including suspected or confirmed breaches consistent with the
279 security rules and guidelines established by the Agency for
280 Enterprise Information Technology.
281 1. Suspected or confirmed information security incidents
282 and breaches must be immediately reported to the Agency for
283 Enterprise Information Technology.
284 2. For incidents involving breaches, agencies shall provide
285 notice in accordance with s. 501.171 s. 817.5681 and to the
286 Agency for Enterprise Information Technology in accordance with
287 this subsection.
288 Section 6. This act shall take effect July 1, 2014.