Senate Bill sb2684
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2004 SB 2684
By Senator Aronberg
27-569C-04
1 A bill to be entitled
2 An act relating to privacy of personal
3 information; providing definitions; requiring
4 certain persons who maintain computerized data
5 that contains personal information to notify
6 any state resident whose unencrypted personal
7 information may have been obtained as a result
8 of a security breach; providing for forms of
9 notice; providing for delays in notification in
10 certain situations; providing an effective
11 date.
12
13 Be It Enacted by the Legislature of the State of Florida:
14
15 Section 1. (1) As used in this section, the term:
16 (a) "Breach of security" means the unauthorized
17 acquisition of computerized data which compromises the
18 confidentiality, integrity, or security of personal
19 information maintained by a person. Good-faith acquisition of
20 personal information by an employee or agent of such person
21 for legitimate purposes of the person is not a breach of
22 security.
23 (b) "Person" means any person or political subdivision
24 as defined in section 1.01, Florida Statutes, or any agency as
25 defined in section 20.03, Florida Statutes.
26 (c) "Personal information" means an individual's first
27 name or first initial and last name and at least one of the
28 following elements:
29 1. Social security number.
30 2. Driver's license number or state identification
31 card number.
1
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2004 SB 2684
27-569C-04
1 3. Account or card number and any required security
2 code, access code, or password that permits access to that
3 account.
4 (2)(a) Any person that conducts business in this state
5 and owns or licenses computerized data that contains personal
6 information about a resident of this state must notify that
7 resident regarding any breach of security of the data
8 immediately following discovery of the breach if the personal
9 information was, or is reasonably believed to have been,
10 acquired by an unauthorized person.
11 (b) Any person that conducts business in this state
12 and maintains computerized data that includes personal
13 information that is owned or licensed by another person must
14 notify such owner or licensee regarding any breach of security
15 of the data immediately following discovery, if the personal
16 information was or is reasonably believed to have been
17 acquired by an unauthorized person.
18 (3) Notice may be provided by United States mail or
19 by:
20 (a) Sending an e-mail notice to each affected
21 individual for whom it has an e-mail address;
22 (b) Conspicuously posting notice of the security
23 breach on the person's website; or
24 (c) Providing notification of the security breach to
25 major statewide media.
26 (d) If a person has established notification
27 procedures that are otherwise consistent with the requirements
28 of this section as part of an information security policy,
29 that person may notify affected individuals pursuant to such
30 procedures.
31
2
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2004 SB 2684
27-569C-04
1 (e) Notification may be delayed if a law enforcement
2 agency determines that the notification will impede a criminal
3 investigation.
4 Section 2. This act shall take effect July 1, 2004.
5
6 *****************************************
7 SENATE SUMMARY
8 Requires persons who maintain computerized data that
contains personal information about other persons to
9 notify them of any unauthorized acquisition of such data
due to a security breach. Provides for exceptions and
10 alternative notice. Provides for delaying such
notification in certain situations. (See bill for
11 detail.)
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
3
CODING: Words stricken are deletions; words underlined are additions.