| 1 | The Agriculture Committee recommends the following: |
| 2 |
| 3 | Council/Committee Substitute |
| 4 | Remove the entire bill and insert: |
| 5 |
| 6 | A bill to be entitled |
| 7 | An act relating to consumer protection; creating ss. |
| 8 | 501.165 and 501.166, F.S.; prohibiting the use of |
| 9 | deception to obtain certain personal information for |
| 10 | commercial solicitation purposes; prohibiting the sale or |
| 11 | other transfer to a third party of personal customer |
| 12 | information that is protected from disclosure; providing |
| 13 | exceptions; providing applicability; providing that |
| 14 | transferring such protected information in violation of |
| 15 | this section is an unfair or deceptive act or practice or |
| 16 | unfair method of competition; providing penalties; |
| 17 | creating s. 501.167, F.S.; prescribing duties of persons |
| 18 | and businesses holding computerized personal information |
| 19 | upon discovery of a breach of security of the system on |
| 20 | which such data are maintained; defining terms; |
| 21 | prescribing forms that notification of the breach must |
| 22 | take; providing exceptions; providing remedies; amending |
| 23 | s. 501.2075, F.S.; providing an exception to a civil |
| 24 | penalty; creating s. 501.2076, F.S.; prohibiting falsely |
| 25 | representing oneself as being affiliated with a law |
| 26 | enforcement or firefighting agency or public utility; |
| 27 | providing a penalty; providing that a violation of s. |
| 28 | 817.568, F.S., relating to the criminal use of personal |
| 29 | identification information, is an unfair or deceptive act |
| 30 | or practice or unfair method of competition in violation |
| 31 | of part II of ch. 501, F.S.; providing penalties; amending |
| 32 | ss. 501.203 and 501.204, F.S.; changing obsolete dates; |
| 33 | reenacting and amending s. 501.207, F.S., relating to |
| 34 | remedies of the enforcing authority under the Florida |
| 35 | Deceptive and Unfair Trade Practices Act; providing that |
| 36 | the court may order actions brought under that act on |
| 37 | behalf of an enterprise; providing for severability; |
| 38 | providing an effective date. |
| 39 |
| 40 | Be It Enacted by the Legislature of the State of Florida: |
| 41 |
| 42 | Section 1. Section 501.165, Florida Statutes, is created |
| 43 | to read: |
| 44 | 501.165 Obtaining personal information for commercial |
| 45 | solicitation.--Any person who intentionally uses deceptive |
| 46 | practices or means to obtain another person's address, telephone |
| 47 | number, or social security number and uses it to engage in |
| 48 | commercial solicitation, or provides it to another person for |
| 49 | purposes of commercial solicitation, commits an unfair or |
| 50 | deceptive act or practice or unfair method of competition in |
| 51 | violation of part II of this chapter, and is subject to the |
| 52 | penalties and remedies provided for such violation, in addition |
| 53 | to remedies otherwise available for such conduct. |
| 54 | Section 2. Section 501.166, Florida Statutes, is created |
| 55 | to read: |
| 56 | 501.166 Sale or transfer of personal customer |
| 57 | information.-- |
| 58 | (1) A person or an entity may not sell or otherwise |
| 59 | transfer to a third party personal customer information that is |
| 60 | protected from disclosure by law, contract, or a published |
| 61 | privacy policy unless the purchaser or transferee agrees to |
| 62 | abide by the contract or by the seller's or transferor's then- |
| 63 | existing privacy policy, if applicable. |
| 64 | (2) The prohibition in subsection (1) applies to any |
| 65 | customer who resides in this state at the time the personal |
| 66 | customer information is sold, transferred, or otherwise |
| 67 | obtained. |
| 68 | (3) A person who violates or fails to comply with |
| 69 | subsection (1) commits an unfair or deceptive act or practice or |
| 70 | unfair method of competition in violation of part II of this |
| 71 | chapter and is subject to the penalties and remedies provided |
| 72 | for such violation, in addition to remedies otherwise available |
| 73 | by law for such conduct. |
| 74 | Section 3. Section 501.167, Florida Statutes, is created |
| 75 | to read: |
| 76 | 501.167 Computerized information; breach of security; |
| 77 | procedure upon discovery.-- |
| 78 | (1) Any person or business that conducts business in this |
| 79 | state and that maintains computerized data that includes |
| 80 | personal information shall disclose any breach of the security |
| 81 | of the system following discovery or notification of the breach |
| 82 | of the security of the data to any resident of the state whose |
| 83 | unencrypted personal information was, or is reasonably believed |
| 84 | to have been, acquired by an unauthorized person. For purposes |
| 85 | of this section, a resident of this state may be determined to |
| 86 | be an individual whose principal mailing address as reflected in |
| 87 | the records of the person or business is in Florida. The |
| 88 | disclosure shall be made in the most expedient time possible and |
| 89 | without unreasonable delay, subject to the legitimate needs of |
| 90 | law enforcement, as provided in subsection (3) and the |
| 91 | completion of an investigation by the person or business to |
| 92 | determine the nature and scope of the incident, to identify the |
| 93 | individuals affected, or to restore the reasonable integrity of |
| 94 | the data system. |
| 95 | (2) Any person or business that maintains computerized |
| 96 | data on behalf of another business or person which includes |
| 97 | personal information that the person or business does not own |
| 98 | shall notify the business or person to whom the personal |
| 99 | information belongs of any breach of the security of the data |
| 100 | immediately following discovery, if the personal information |
| 101 | was, or is reasonably believed to have been, acquired by an |
| 102 | unauthorized person. |
| 103 | (3) The notification required by this section shall be |
| 104 | delayed if a law enforcement agency determines that the |
| 105 | notification will impede a criminal investigation. If |
| 106 | notification is required by this section, it shall be made after |
| 107 | the law enforcement agency determines that it will not |
| 108 | compromise the investigation. |
| 109 | (4) For purposes of this section, the term "breach of the |
| 110 | security of the system" means unauthorized acquisition of |
| 111 | computerized data which materially compromises the security, |
| 112 | confidentiality, or integrity of personal information maintained |
| 113 | by the person or business and causes or is reasonably believed |
| 114 | to cause loss or injury to the state resident. Good faith |
| 115 | acquisition of personal information by an employee or agent of |
| 116 | the person or business for the purposes of the person or |
| 117 | business is not a breach of the security of the system, provided |
| 118 | that the personal information is not used for a purpose |
| 119 | unrelated to the business or subject to further unauthorized |
| 120 | disclosure. |
| 121 | (5)(a) For purposes of this section, the term "personal |
| 122 | information" means an individual's first name or first initial |
| 123 | and last name in combination with any one or more of the |
| 124 | following data elements, when the data elements are not |
| 125 | encrypted: |
| 126 | 1. Social security number. |
| 127 | 2. Driver's license number or Florida identification card |
| 128 | number. |
| 129 | 3. Account number, credit card number, or debit card |
| 130 | number, in combination with any required security code, access |
| 131 | code, or password that would permit access to an individual's |
| 132 | financial account. |
| 133 | (b) For purposes of this section, the term "personal |
| 134 | information" does not include publicly available information |
| 135 | that is lawfully made available to the general public from |
| 136 | federal, state, or local government records or widely |
| 137 | distributed media. |
| 138 | (6) For purposes of this section, notice may be provided |
| 139 | by one of the following methods: |
| 140 | (a) Written notice. |
| 141 | (b) Electronic notice, if the notice provided is |
| 142 | consistent with the provisions regarding electronic records and |
| 143 | signatures set forth in 15 U.S.C. s. 7001. |
| 144 | (c) Substitute notice, if the person or business |
| 145 | demonstrates that the cost of providing notice would exceed |
| 146 | $250,000, or that the affected class of subject persons to be |
| 147 | notified exceeds 500,000, or the person or business does not |
| 148 | have sufficient contact information. Substitute notice shall |
| 149 | consist of all of the following: |
| 150 | 1. E-mail notice when the person or business has an e-mail |
| 151 | address for the subject persons. |
| 152 | 2. Conspicuous posting of the notice on the Internet |
| 153 | website page of the person or business, if the person or |
| 154 | business maintains one. |
| 155 | 3. Notification to major statewide media. |
| 156 | (7) For purposes of this section, the term "unauthorized |
| 157 | person" means any person that is not the person to whom the |
| 158 | personal information belongs and that does not have permission |
| 159 | from or a password issued by the person or business that stores |
| 160 | the computerized data to acquire it. |
| 161 | (8) Notwithstanding subsection (6), a person or business |
| 162 | that maintains its own notification procedures as part of an |
| 163 | information security policy for the treatment of personal |
| 164 | information and is otherwise consistent with the timing |
| 165 | requirements of this part shall be deemed to be in compliance |
| 166 | with the notification requirements of this section if the person |
| 167 | or business notifies subject persons in accordance with its |
| 168 | policies in the event of a breach of security of the system. |
| 169 | (9) Notwithstanding subsection (6), notification is not |
| 170 | required if, after an appropriate investigation and after |
| 171 | consultation with relevant federal or state agencies responsible |
| 172 | for law enforcement, the person or business reasonably |
| 173 | determines that the breach has not resulted, and will not |
| 174 | result, in harm to the individuals whose personal information |
| 175 | has been acquired and accessed. Such a determination must be |
| 176 | documented in writing, and the documentation maintained for 5 |
| 177 | years. |
| 178 | (10) Not less than 2 business days prior to making the |
| 179 | notification required by subsection (1), the person or business |
| 180 | making the notification shall notify all consumer reporting |
| 181 | agencies that compile and maintain files on consumers on a |
| 182 | nationwide basis of the pending notification and shall provide a |
| 183 | copy of the notification. Any consumer reporting agency |
| 184 | receiving a notification under this subsection shall transmit |
| 185 | the information to any person or entity that reports information |
| 186 | to or receives consumer report information from such consumer |
| 187 | reporting agency in a timely manner, separate from any regular |
| 188 | communication of information to such person or entity. |
| 189 | (11) A violation of this section is a deceptive and unfair |
| 190 | trade practice and constitutes a violation of the Florida |
| 191 | Deceptive and Unfair Trade Practices Act. |
| 192 | Section 4. Section 501.2075, Florida Statutes, is amended |
| 193 | to read: |
| 194 | 501.2075 Civil penalty.--Except as provided in s. 501.2076 |
| 195 | or s. 501.2077, any person, firm, corporation, association, or |
| 196 | entity, or any agent or employee of the foregoing, who is |
| 197 | willfully using, or has willfully used, a method, act, or |
| 198 | practice declared unlawful under s. 501.204, or who is willfully |
| 199 | violating any of the rules of the department adopted under this |
| 200 | part, is liable for a civil penalty of not more than $10,000 for |
| 201 | each such violation. Willful violations occur when the person |
| 202 | knew or should have known that his or her conduct was unfair or |
| 203 | deceptive or prohibited by rule. This civil penalty may be |
| 204 | recovered in any action brought under this part by the enforcing |
| 205 | authority; or the enforcing authority may terminate any |
| 206 | investigation or action upon agreement by the person, firm, |
| 207 | corporation, association, or entity, or the agent or employee of |
| 208 | the foregoing, to pay a stipulated civil penalty. The |
| 209 | department or the court may waive any such civil penalty if the |
| 210 | person, firm, corporation, association, or entity, or the agent |
| 211 | or employee of the foregoing, has previously made full |
| 212 | restitution or reimbursement or has paid actual damages to the |
| 213 | consumers or governmental entities who have been injured by the |
| 214 | unlawful act or practice or rule violation. If civil penalties |
| 215 | are assessed in any litigation, the enforcing authority is |
| 216 | entitled to reasonable attorney's fees and costs. A civil |
| 217 | penalty so collected shall accrue to the state and shall be |
| 218 | deposited as received into the General Revenue Fund unallocated. |
| 219 | Section 5. Section 501.2076, Florida Statutes, is created |
| 220 | to read: |
| 221 | 501.2076 Misrepresentations; law enforcement, |
| 222 | firefighters, or public utilities.--Any person who engages in a |
| 223 | deceptive and unfair trade practice with the intent to deceive |
| 224 | another person into believing that he or she is affiliated with |
| 225 | a law enforcement agency, firefighting agency, or public utility |
| 226 | is subject to a civil penalty not to exceed $15,000 for each |
| 227 | violation. |
| 228 | Section 6. A person who violates or fails to comply with |
| 229 | any provision of section 817.568, Florida Statutes, commits an |
| 230 | unfair or deceptive act or practice or unfair method of |
| 231 | competition in violation of part II of chapter 501, Florida |
| 232 | Statutes, and is subject to the penalties and remedies provided |
| 233 | for such violation, in addition to remedies otherwise available |
| 234 | for such conduct. |
| 235 | Section 7. Subsection (3) of section 501.203, Florida |
| 236 | Statutes, is amended to read: |
| 237 | 501.203 Definitions.--As used in this chapter, unless the |
| 238 | context otherwise requires, the term: |
| 239 | (3) "Violation of this part" means any violation of this |
| 240 | act or the rules adopted under this act and may be based upon |
| 241 | any of the following as of July 1, 2005 2001: |
| 242 | (a) Any rules promulgated pursuant to the Federal Trade |
| 243 | Commission Act, 15 U.S.C. ss. 41 et seq.; |
| 244 | (b) The standards of unfairness and deception set forth |
| 245 | and interpreted by the Federal Trade Commission or the federal |
| 246 | courts; or |
| 247 | (c) Any law, statute, rule, regulation, or ordinance which |
| 248 | proscribes unfair methods of competition, or unfair, deceptive, |
| 249 | or unconscionable acts or practices. |
| 250 | Section 8. Subsection (2) of section 501.204, Florida |
| 251 | Statutes, is amended to read: |
| 252 | 501.204 Unlawful acts and practices.-- |
| 253 | (2) It is the intent of the Legislature that, in |
| 254 | construing subsection (1), due consideration and great weight |
| 255 | shall be given to the interpretations of the Federal Trade |
| 256 | Commission and the federal courts relating to s. 5(a)(1) of the |
| 257 | Federal Trade Commission Act, 15 U.S.C. s. 45(a)(1) as of July |
| 258 | 1, 2005 2001. |
| 259 | Section 9. Subsection (1) of section 501.207, Florida |
| 260 | Statutes, is reenacted, and subsection (3) of that section is |
| 261 | amended to read: |
| 262 | 501.207 Remedies of enforcing authority.-- |
| 263 | (1) The enforcing authority may bring: |
| 264 | (a) An action to obtain a declaratory judgment that an act |
| 265 | or practice violates this part. |
| 266 | (b) An action to enjoin any person who has violated, is |
| 267 | violating, or is otherwise likely to violate, this part. |
| 268 | (c) An action on behalf of one or more consumers or |
| 269 | governmental entities for the actual damages caused by an act or |
| 270 | practice in violation of this part. However, damages are not |
| 271 | recoverable under this section against a retailer who has in |
| 272 | good faith engaged in the dissemination of claims of a |
| 273 | manufacturer or wholesaler without actual knowledge that it |
| 274 | violated this part. |
| 275 | (3) Upon motion of the enforcing authority or any |
| 276 | interested party in any action brought under subsection (1), the |
| 277 | court may make appropriate orders, including, but not limited |
| 278 | to, appointment of a general or special magistrate or receiver |
| 279 | or sequestration or freezing of assets, to reimburse consumers |
| 280 | or governmental entities found to have been damaged; to carry |
| 281 | out a transaction in accordance with the reasonable expectations |
| 282 | of consumers or governmental entities; to strike or limit the |
| 283 | application of clauses of contracts to avoid an unconscionable |
| 284 | result; to bring actions in the name of and on behalf of the |
| 285 | defendant enterprise; to order any defendant to divest herself |
| 286 | or himself of any interest in any enterprise, including real |
| 287 | estate; to impose reasonable restrictions upon the future |
| 288 | activities of any defendant to impede her or him from engaging |
| 289 | in or establishing the same type of endeavor; to order the |
| 290 | dissolution or reorganization of any enterprise; or to grant |
| 291 | legal, equitable, or other appropriate relief. The court may |
| 292 | assess the expenses of a general or special magistrate or |
| 293 | receiver against a person who has violated, is violating, or is |
| 294 | otherwise likely to violate this part. Any injunctive order, |
| 295 | whether temporary or permanent, issued by the court shall be |
| 296 | effective throughout the state unless otherwise provided in the |
| 297 | order. |
| 298 | Section 10. If any provision of this act or its |
| 299 | application to any person or circumstance is held invalid, the |
| 300 | invalidity does not affect other provisions or applications of |
| 301 | the act which can be given effect without the invalid provision |
| 302 | or application, and to this end the provisions of this act are |
| 303 | severable. |
| 304 | Section 11. This act shall take effect July 1, 2005. |