| 1 | The Justice Appropriations Committee recommends the following: |
| 2 |
|
| 3 | Council/Committee Substitute |
| 4 | Remove the entire bill and insert: |
| 5 |
|
| 6 | A bill to be entitled |
| 7 | An act relating to consumer protection; creating s. |
| 8 | 501.165, F.S.; prohibiting the use of deception to obtain |
| 9 | certain personal information for commercial solicitation |
| 10 | purposes; providing that such acts are deceptive trade |
| 11 | practices or unfair methods of competition; providing |
| 12 | penalties; amending s. 501.2075, F.S.; providing an |
| 13 | exception to a civil penalty; creating s. 501.2076, F.S.; |
| 14 | prohibiting falsely representing oneself as being |
| 15 | affiliated with a law enforcement or firefighting agency or |
| 16 | public utility; providing a penalty; providing that a |
| 17 | violation of s. 817.568, F.S., relating to the criminal use |
| 18 | of personal identification information, is an unfair or |
| 19 | deceptive act or practice or unfair method of competition |
| 20 | in violation of part II of ch. 501, F.S.; providing |
| 21 | penalties; amending ss. 501.203 and 501.204, F.S.; changing |
| 22 | obsolete dates; reenacting and amending s. 501.207, F.S., |
| 23 | relating to remedies of the enforcing authority under the |
| 24 | Florida Deceptive and Unfair Trade Practices Act; providing |
| 25 | that the court may order actions brought under that act on |
| 26 | behalf of an enterprise; amending s. 817.568, F.S.; |
| 27 | including other information within the definition of the |
| 28 | term "personal identification information"; defining the |
| 29 | term "counterfeit or fictitious personal identification |
| 30 | information"; revising criminal penalties relating to the |
| 31 | offense of fraudulently using, or possessing with intent to |
| 32 | fraudulently use, personal identification information; |
| 33 | providing minimum mandatory terms of imprisonment; creating |
| 34 | the offenses of willfully and fraudulently using, or |
| 35 | possessing with intent to fraudulently use, personal |
| 36 | identification information concerning a deceased |
| 37 | individual; providing criminal penalties; providing for |
| 38 | minimum mandatory terms of imprisonment; creating the |
| 39 | offense of willfully and fraudulently creating or using, or |
| 40 | possessing with intent to fraudulently use, counterfeit or |
| 41 | fictitious personal identification information; providing |
| 42 | criminal penalties; providing for reclassification of |
| 43 | offenses under certain circumstances; providing for |
| 44 | reduction or suspension of sentences under certain |
| 45 | circumstances; creating s. 817.5681, F.S.; requiring |
| 46 | business persons maintaining computerized data that |
| 47 | includes personal information to provide notice of breaches |
| 48 | of system security under certain circumstances; providing |
| 49 | requirements; providing for administrative fines; providing |
| 50 | exceptions and limitations; authorizing delays of such |
| 51 | disclosures under certain circumstances; providing |
| 52 | definitions; providing for alternative notice methods; |
| 53 | specifying conditions of compliance for persons maintaining |
| 54 | certain alternative notification procedures; specifying |
| 55 | conditions under which notification is not required; |
| 56 | providing requirements for documentation and maintenance of |
| 57 | documentation; providing an administrative fine for failing |
| 58 | to document certain failures to comply; providing for |
| 59 | application of administrative sanctions to certain persons |
| 60 | under certain circumstances; authorizing the Department of |
| 61 | Legal Affairs to institute proceedings to assess and |
| 62 | collect fines; providing that no entity may accumulate or |
| 63 | report a consumer's drug test results with any of their |
| 64 | other personal data; providing exceptions; providing for |
| 65 | severability; providing an effective date. |
| 66 |
|
| 67 | Be It Enacted by the Legislature of the State of Florida: |
| 68 |
|
| 69 | Section 1. Section 501.165, Florida Statutes, is created |
| 70 | to read: |
| 71 | 501.165 Obtaining personal information for commercial |
| 72 | solicitation.--Any person who intentionally uses deceptive |
| 73 | practices or means to obtain another person's address, telephone |
| 74 | number, or social security number and uses it to engage in |
| 75 | commercial solicitation, or provides it to another person for |
| 76 | purposes of commercial solicitation, commits an unfair or |
| 77 | deceptive act or practice or unfair method of competition in |
| 78 | violation of part II of this chapter, and is subject to the |
| 79 | penalties and remedies provided for such violation, in addition |
| 80 | to remedies otherwise available for such conduct. |
| 81 | Section 2. Section 501.2075, Florida Statutes, is amended |
| 82 | to read: |
| 83 | 501.2075 Civil penalty.--Except as provided in s. 501.2076 |
| 84 | or s. 501.2077, any person, firm, corporation, association, or |
| 85 | entity, or any agent or employee of the foregoing, who is |
| 86 | willfully using, or has willfully used, a method, act, or |
| 87 | practice declared unlawful under s. 501.204, or who is willfully |
| 88 | violating any of the rules of the department adopted under this |
| 89 | part, is liable for a civil penalty of not more than $10,000 for |
| 90 | each such violation. Willful violations occur when the person |
| 91 | knew or should have known that his or her conduct was unfair or |
| 92 | deceptive or prohibited by rule. This civil penalty may be |
| 93 | recovered in any action brought under this part by the enforcing |
| 94 | authority; or the enforcing authority may terminate any |
| 95 | investigation or action upon agreement by the person, firm, |
| 96 | corporation, association, or entity, or the agent or employee of |
| 97 | the foregoing, to pay a stipulated civil penalty. The |
| 98 | department or the court may waive any such civil penalty if the |
| 99 | person, firm, corporation, association, or entity, or the agent |
| 100 | or employee of the foregoing, has previously made full |
| 101 | restitution or reimbursement or has paid actual damages to the |
| 102 | consumers or governmental entities who have been injured by the |
| 103 | unlawful act or practice or rule violation. If civil penalties |
| 104 | are assessed in any litigation, the enforcing authority is |
| 105 | entitled to reasonable attorney's fees and costs. A civil |
| 106 | penalty so collected shall accrue to the state and shall be |
| 107 | deposited as received into the General Revenue Fund unallocated. |
| 108 | Section 3. Section 501.2076, Florida Statutes, is created |
| 109 | to read: |
| 110 | 501.2076 Misrepresentations; law enforcement, |
| 111 | firefighters, or public utilities.--Any person who engages in a |
| 112 | deceptive and unfair trade practice with the intent to deceive |
| 113 | another person into believing that he or she is affiliated with |
| 114 | a law enforcement agency, firefighting agency, or public utility |
| 115 | is subject to a civil penalty not to exceed $15,000 for each |
| 116 | violation. |
| 117 | Section 4. A person who violates or fails to comply with |
| 118 | any provision of section 817.568, Florida Statutes, commits an |
| 119 | unfair or deceptive act or practice or unfair method of |
| 120 | competition in violation of part II of chapter 501, Florida |
| 121 | Statutes, and is subject to the penalties and remedies provided |
| 122 | for such violation, in addition to remedies otherwise available |
| 123 | for such conduct. |
| 124 | Section 5. Subsection (3) of section 501.203, Florida |
| 125 | Statutes, is amended to read: |
| 126 | 501.203 Definitions.--As used in this chapter, unless the |
| 127 | context otherwise requires, the term: |
| 128 | (3) "Violation of this part" means any violation of this |
| 129 | act or the rules adopted under this act and may be based upon |
| 130 | any of the following as of July 1, 2005 2001: |
| 131 | (a) Any rules promulgated pursuant to the Federal Trade |
| 132 | Commission Act, 15 U.S.C. ss. 41 et seq.; |
| 133 | (b) The standards of unfairness and deception set forth |
| 134 | and interpreted by the Federal Trade Commission or the federal |
| 135 | courts; |
| 136 | (c) Any law, statute, rule, regulation, or ordinance which |
| 137 | proscribes unfair methods of competition, or unfair, deceptive, |
| 138 | or unconscionable acts or practices. |
| 139 | Section 6. Subsection (2) of section 501.204, Florida |
| 140 | Statutes, is amended to read: |
| 141 | 501.204 Unlawful acts and practices.-- |
| 142 | (2) It is the intent of the Legislature that, in |
| 143 | construing subsection (1), due consideration and great weight |
| 144 | shall be given to the interpretations of the Federal Trade |
| 145 | Commission and the federal courts relating to s. 5(a)(1) of the |
| 146 | Federal Trade Commission Act, 15 U.S.C. s. 45(a)(1) as of July |
| 147 | 1, 2005 2001. |
| 148 | Section 7. Subsection (1) of section 501.207, Florida |
| 149 | Statutes, is reenacted, and subsection (3) of that section is |
| 150 | amended to read: |
| 151 | 501.207 Remedies of enforcing authority.-- |
| 152 | (1) The enforcing authority may bring: |
| 153 | (a) An action to obtain a declaratory judgment that an act |
| 154 | or practice violates this part. |
| 155 | (b) An action to enjoin any person who has violated, is |
| 156 | violating, or is otherwise likely to violate, this part. |
| 157 | (c) An action on behalf of one or more consumers or |
| 158 | governmental entities for the actual damages caused by an act or |
| 159 | practice in violation of this part. However, damages are not |
| 160 | recoverable under this section against a retailer who has in |
| 161 | good faith engaged in the dissemination of claims of a |
| 162 | manufacturer or wholesaler without actual knowledge that it |
| 163 | violated this part. |
| 164 | (3) Upon motion of the enforcing authority or any |
| 165 | interested party in any action brought under subsection (1), the |
| 166 | court may make appropriate orders, including, but not limited |
| 167 | to, appointment of a general or special magistrate or receiver |
| 168 | or sequestration or freezing of assets, to reimburse consumers |
| 169 | or governmental entities found to have been damaged; to carry |
| 170 | out a transaction in accordance with the reasonable expectations |
| 171 | of consumers or governmental entities; to strike or limit the |
| 172 | application of clauses of contracts to avoid an unconscionable |
| 173 | result; to bring actions in the name of and on behalf of the |
| 174 | defendant enterprise; to order any defendant to divest herself |
| 175 | or himself of any interest in any enterprise, including real |
| 176 | estate; to impose reasonable restrictions upon the future |
| 177 | activities of any defendant to impede her or him from engaging |
| 178 | in or establishing the same type of endeavor; to order the |
| 179 | dissolution or reorganization of any enterprise; or to grant |
| 180 | legal, equitable, or other appropriate relief. The court may |
| 181 | assess the expenses of a general or special magistrate or |
| 182 | receiver against a person who has violated, is violating, or is |
| 183 | otherwise likely to violate this part. Any injunctive order, |
| 184 | whether temporary or permanent, issued by the court shall be |
| 185 | effective throughout the state unless otherwise provided in the |
| 186 | order. |
| 187 | Section 8. Section 817.568, Florida Statutes, is amended |
| 188 | to read: |
| 189 | 817.568 Criminal use of personal identification |
| 190 | information.-- |
| 191 | (1) As used in this section, the term: |
| 192 | (a) "Access device" means any card, plate, code, account |
| 193 | number, electronic serial number, mobile identification number, |
| 194 | personal identification number, or other telecommunications |
| 195 | service, equipment, or instrument identifier, or other means of |
| 196 | account access that can be used, alone or in conjunction with |
| 197 | another access device, to obtain money, goods, services, or any |
| 198 | other thing of value, or that can be used to initiate a transfer |
| 199 | of funds, other than a transfer originated solely by paper |
| 200 | instrument. |
| 201 | (b) "Authorization" means empowerment, permission, or |
| 202 | competence to act. |
| 203 | (c) "Harass" means to engage in conduct directed at a |
| 204 | specific person that is intended to cause substantial emotional |
| 205 | distress to such person and serves no legitimate purpose. |
| 206 | "Harass" does not mean to use personal identification |
| 207 | information for accepted commercial purposes. The term does not |
| 208 | include constitutionally protected conduct such as organized |
| 209 | protests or the use of personal identification information for |
| 210 | accepted commercial purposes. |
| 211 | (d) "Individual" means a single human being and does not |
| 212 | mean a firm, association of individuals, corporation, |
| 213 | partnership, joint venture, sole proprietorship, or any other |
| 214 | entity. |
| 215 | (e) "Person" means a "person" as defined in s. 1.01(3). |
| 216 | (f) "Personal identification information" means any name |
| 217 | or number that may be used, alone or in conjunction with any |
| 218 | other information, to identify a specific individual, including |
| 219 | any: |
| 220 | 1. Name, postal or electronic mail address, telephone |
| 221 | number, social security number, date of birth, mother's maiden |
| 222 | name, official state-issued or United States-issued driver's |
| 223 | license or identification number, alien registration number, |
| 224 | government passport number, employer or taxpayer identification |
| 225 | number, Medicaid or food stamp account number, or bank account |
| 226 | number, or credit or debit card number, or personal |
| 227 | identification number or code assigned to the holder of a debit |
| 228 | card by the issuer to permit authorized electronic use of such |
| 229 | card; |
| 230 | 2. Unique biometric data, such as fingerprint, voice |
| 231 | print, retina or iris image, or other unique physical |
| 232 | representation; |
| 233 | 3. Unique electronic identification number, address, or |
| 234 | routing code; or |
| 235 | 4. Medical records; |
| 236 | 5.4. Telecommunication identifying information or access |
| 237 | device; or. |
| 238 | 6. Other number or information that can be used to access |
| 239 | a person's financial resources. |
| 240 | (g) "Counterfeit or fictitious personal identification |
| 241 | information" means any counterfeit, fictitious, or fabricated |
| 242 | information in the similitude of the data outlined in paragraph |
| 243 | (f) that, although not truthful or accurate, would in context |
| 244 | lead a reasonably prudent person to credit its truthfulness and |
| 245 | accuracy. |
| 246 | (2)(a) Any person who willfully and without authorization |
| 247 | fraudulently uses, or possesses with intent to fraudulently use, |
| 248 | personal identification information concerning an individual |
| 249 | without first obtaining that individual's consent, commits the |
| 250 | offense of fraudulent use of personal identification |
| 251 | information, which is a felony of the third degree, punishable |
| 252 | as provided in s. 775.082, s. 775.083, or s. 775.084. |
| 253 | (b) Any person who willfully and without authorization |
| 254 | fraudulently uses personal identification information concerning |
| 255 | an individual without first obtaining that individual's consent |
| 256 | commits a felony of the second degree, punishable as provided in |
| 257 | s. 775.082, s. 775.083, or s. 775.084, if the pecuniary benefit, |
| 258 | the value of the services received, the payment sought to be |
| 259 | avoided, or the amount of the injury or fraud perpetrated is |
| 260 | $5,000 or more or if the person fraudulently uses the personal |
| 261 | identification information of 10 or more individuals, but fewer |
| 262 | than 20 individuals, without their consent. Notwithstanding any |
| 263 | other provision of law, the court shall sentence any person |
| 264 | convicted of committing the offense described in this paragraph |
| 265 | to a mandatory minimum sentence of 3 years' imprisonment. |
| 266 | (c) Any person who willfully and without authorization |
| 267 | fraudulently uses personal identification information concerning |
| 268 | an individual without first obtaining that individual's consent |
| 269 | commits a felony of the first degree, punishable as provided in |
| 270 | s. 775.082, s. 775.083, or s. 775.084, if the pecuniary benefit, |
| 271 | the value of the services received, the payment sought to be |
| 272 | avoided, or the amount of the injury or fraud perpetrated is |
| 273 | $50,000 or more or if the person fraudulently uses the personal |
| 274 | identification information of 20 or more individuals, but fewer |
| 275 | than 30 individuals, without their consent. Notwithstanding any |
| 276 | other provision of law, the court shall sentence any person |
| 277 | convicted of committing the offense described in this paragraph: |
| 278 | 1. to a mandatory minimum sentence of 5 years' |
| 279 | imprisonment. If the pecuniary benefit, the value of the |
| 280 | services received, the payment sought to be avoided, or the |
| 281 | amount of the injury or fraud perpetrated is $100,000 or more, |
| 282 | or if the person fraudulently uses the personal identification |
| 283 | information of 30 or more individuals without their consent, |
| 284 | notwithstanding any other provision of law, the court shall |
| 285 | sentence any person convicted of committing the offense |
| 286 | described in this paragraph |
| 287 | 2. to a mandatory minimum sentence of 10 years' |
| 288 | imprisonment, if the pecuniary benefit, the value of the |
| 289 | services received, the payment sought to be avoided, or the |
| 290 | amount of the injury or fraud perpetrated is $100,000 or more or |
| 291 | if the person fraudulently uses the personal identification |
| 292 | information of 30 or more individuals without their consent. |
| 293 | (3) Neither paragraph (2)(b) nor paragraph (2)(c) prevents |
| 294 | a court from imposing a greater sentence of incarceration as |
| 295 | authorized by law. If the minimum mandatory terms of |
| 296 | imprisonment imposed under paragraph (2)(b) or paragraph (2)(c) |
| 297 | exceed the maximum sentences authorized under s. 775.082, s. |
| 298 | 775.084, or the Criminal Punishment Code under chapter 921, the |
| 299 | mandatory minimum sentence must be imposed. If the mandatory |
| 300 | minimum terms of imprisonment under paragraph (2)(b) or |
| 301 | paragraph (2)(c) are less than the sentence that could be |
| 302 | imposed under s. 775.082, s. 775.084, or the Criminal Punishment |
| 303 | Code under chapter 921, the sentence imposed by the court must |
| 304 | include the mandatory minimum term of imprisonment as required |
| 305 | by paragraph (2)(b) or paragraph (2)(c). |
| 306 | (4) Any person who willfully and without authorization |
| 307 | possesses, uses, or attempts to use personal identification |
| 308 | information concerning an individual without first obtaining |
| 309 | that individual's consent, and who does so for the purpose of |
| 310 | harassing that individual, commits the offense of harassment by |
| 311 | use of personal identification information, which is a |
| 312 | misdemeanor of the first degree, punishable as provided in s. |
| 313 | 775.082 or s. 775.083. |
| 314 | (5) If an offense prohibited under this section was |
| 315 | facilitated or furthered by the use of a public record, as |
| 316 | defined in s. 119.011, the offense is reclassified to the next |
| 317 | higher degree as follows: |
| 318 | (a) A misdemeanor of the first degree is reclassified as a |
| 319 | felony of the third degree. |
| 320 | (b) A felony of the third degree is reclassified as a |
| 321 | felony of the second degree. |
| 322 | (c) A felony of the second degree is reclassified as a |
| 323 | felony of the first degree. |
| 324 |
|
| 325 | For purposes of sentencing under chapter 921 and incentive gain- |
| 326 | time eligibility under chapter 944, a felony offense that is |
| 327 | reclassified under this subsection is ranked one level above the |
| 328 | ranking under s. 921.0022 of the felony offense committed, and a |
| 329 | misdemeanor offense that is reclassified under this subsection |
| 330 | is ranked in level 2 of the offense severity ranking chart in s. |
| 331 | 921.0022. |
| 332 | (6) Any person who willfully and without authorization |
| 333 | fraudulently uses personal identification information concerning |
| 334 | an individual who is less than 18 years of age without first |
| 335 | obtaining the consent of that individual or of his or her legal |
| 336 | guardian commits a felony of the second degree, punishable as |
| 337 | provided in s. 775.082, s. 775.083, or s. 775.084. |
| 338 | (7) Any person who is in the relationship of parent or |
| 339 | legal guardian, or who otherwise exercises custodial authority |
| 340 | over an individual who is less than 18 years of age, who |
| 341 | willfully and fraudulently uses personal identification |
| 342 | information of that individual commits a felony of the second |
| 343 | degree, punishable as provided in s. 775.082, s. 775.083, or s. |
| 344 | 775.084. |
| 345 | (8)(a) Any person who willfully and fraudulently uses, or |
| 346 | possesses with intent to fraudulently use, personal |
| 347 | identification information concerning a deceased individual |
| 348 | commits the offense of fraudulent use or possession with intent |
| 349 | to use personal identification information of a deceased |
| 350 | individual, a felony of the third degree, punishable as provided |
| 351 | in s. 775.082, s. 775.083, or s. 775.084. |
| 352 | (b) Any person who willfully and fraudulently uses |
| 353 | personal identification information concerning a deceased |
| 354 | individual commits a felony of the second degree, punishable as |
| 355 | provided in s. 775.082, s. 775.083, or s. 775.084, if the |
| 356 | pecuniary benefit, the value of the services received, the |
| 357 | payment sought to be avoided, or the amount of injury or fraud |
| 358 | perpetrated is $5,000 or more, or if the person fraudulently |
| 359 | uses the personal identification information of 10 or more but |
| 360 | fewer than 20 deceased individuals. Notwithstanding any other |
| 361 | provision of law, the court shall sentence any person convicted |
| 362 | of committing the offense described in this paragraph to a |
| 363 | mandatory minimum sentence of 3 years' imprisonment. |
| 364 | (c) Any person who willfully and fraudulently uses |
| 365 | personal identification information concerning a deceased |
| 366 | individual commits the offense of aggravated fraudulent use of |
| 367 | the personal identification information of multiple deceased |
| 368 | individuals, a felony of the first degree, punishable as |
| 369 | provided in s. 775.082, s. 775.083, or s. 775.084, if the |
| 370 | pecuniary benefit, the value of the services received, the |
| 371 | payment sought to be avoided, or the amount of injury or fraud |
| 372 | perpetrated is $50,000 or more, or if the person fraudulently |
| 373 | uses the personal identification information of 20 or more but |
| 374 | fewer than 30 deceased individuals. Notwithstanding any other |
| 375 | provision of law, the court shall sentence any person convicted |
| 376 | of the offense described in this paragraph to a minimum |
| 377 | mandatory sentence of 5 years' imprisonment. If the pecuniary |
| 378 | benefit, the value of the services received, the payment sought |
| 379 | to be avoided, or the amount of the injury or fraud perpetrated |
| 380 | is $100,000 or more, or if the person fraudulently uses the |
| 381 | personal identification information of 30 or more deceased |
| 382 | individuals, notwithstanding any other provision of law, the |
| 383 | court shall sentence any person convicted of an offense |
| 384 | described in this paragraph to a mandatory minimum sentence of |
| 385 | 10 years' imprisonment. |
| 386 | (9) Any person who willfully and fraudulently creates or |
| 387 | uses, or possesses with intent to fraudulently use, counterfeit |
| 388 | or fictitious personal identification information concerning a |
| 389 | fictitious individual, or concerning a real individual without |
| 390 | first obtaining that real individual's consent, with intent to |
| 391 | use such counterfeit or fictitious personal identification |
| 392 | information for the purpose of committing or facilitating the |
| 393 | commission of a fraud on another person, commits the offense of |
| 394 | fraudulent creation or use, or possession with intent to |
| 395 | fraudulently use, counterfeit or fictitious personal |
| 396 | identification information, a felony of the third degree, |
| 397 | punishable as provided in s. 775.082, s. 775.083, or s. 775.084. |
| 398 | (10) Any person who commits an offense described in this |
| 399 | section and for the purpose of obtaining or using personal |
| 400 | identification information misrepresents himself or herself to |
| 401 | be a law enforcement officer; an employee or representative of a |
| 402 | bank, credit card company, credit counseling company, or credit |
| 403 | reporting agency; or any person who wrongfully represents that |
| 404 | he or she is seeking to assist the victim with a problem with |
| 405 | the victim's credit history shall have the offense reclassified |
| 406 | as follows: |
| 407 | (a) In the case of a misdemeanor, the offense is |
| 408 | reclassified as a felony of the third degree. |
| 409 | (b) In the case of a felony of the third degree, the |
| 410 | offense is reclassified as a felony of the second degree. |
| 411 | (c) In the case of a felony of the second degree, the |
| 412 | offense is reclassified as a felony of the first degree. |
| 413 | (d) In the case of a felony of the first degree or a |
| 414 | felony of the first degree punishable by a term of imprisonment |
| 415 | not exceeding life, the offense is reclassified as a life |
| 416 | felony. |
| 417 |
|
| 418 | For purposes of sentencing under chapter 921, a felony offense |
| 419 | that is reclassified under this subsection is ranked one level |
| 420 | above the ranking under s. 921.0022 or s. 921.0023 of the felony |
| 421 | offense committed, and a misdemeanor offense that is |
| 422 | reclassified under this subsection is ranked in level 2 of the |
| 423 | offense severity ranking chart. |
| 424 | (11) The prosecutor may move the sentencing court to |
| 425 | reduce or suspend the sentence of any person who is convicted of |
| 426 | a violation of this section and who provides substantial |
| 427 | assistance in the identification, arrest, or conviction of any |
| 428 | of that person's accomplices, accessories, coconspirators, or |
| 429 | principals or of any other person engaged in fraudulent |
| 430 | possession or use of personal identification information. The |
| 431 | arresting agency shall be given an opportunity to be heard in |
| 432 | aggravation or mitigation in reference to any such motion. Upon |
| 433 | good cause shown, the motion may be filed and heard in camera. |
| 434 | The judge hearing the motion may reduce or suspend the sentence |
| 435 | if the judge finds that the defendant rendered such substantial |
| 436 | assistance. |
| 437 | (12)(8) This section does not prohibit any lawfully |
| 438 | authorized investigative, protective, or intelligence activity |
| 439 | of a law enforcement agency of this state or any of its |
| 440 | political subdivisions, of any other state or its political |
| 441 | subdivisions, or of the Federal Government or its political |
| 442 | subdivisions. |
| 443 | (13)(9)(a) In sentencing a defendant convicted of an |
| 444 | offense under this section, the court may order that the |
| 445 | defendant make restitution under pursuant to s. 775.089 to any |
| 446 | victim of the offense. In addition to the victim's out-of-pocket |
| 447 | costs, such restitution may include payment of any other costs, |
| 448 | including attorney's fees incurred by the victim in clearing the |
| 449 | victim's credit history or credit rating, or any costs incurred |
| 450 | in connection with any civil or administrative proceeding to |
| 451 | satisfy any debt, lien, or other obligation of the victim |
| 452 | arising as the result of the actions of the defendant. |
| 453 | (b) The sentencing court may issue such orders as are |
| 454 | necessary to correct any public record that contains false |
| 455 | information given in violation of this section. |
| 456 | (14)(10) Prosecutions for violations of this section may |
| 457 | be brought on behalf of the state by any state attorney or by |
| 458 | the statewide prosecutor. |
| 459 | (15)(11) The Legislature finds that, in the absence of |
| 460 | evidence to the contrary, the location where a victim gives or |
| 461 | fails to give consent to the use of personal identification |
| 462 | information is the county where the victim generally resides. |
| 463 | (16)(12) Notwithstanding any other provision of law, venue |
| 464 | for the prosecution and trial of violations of this section may |
| 465 | be commenced and maintained in any county in which an element of |
| 466 | the offense occurred, including the county where the victim |
| 467 | generally resides. |
| 468 | (17)(13) A prosecution of an offense prohibited under |
| 469 | subsection (2), subsection (6), or subsection (7) must be |
| 470 | commenced within 3 years after the offense occurred. However, a |
| 471 | prosecution may be commenced within 1 year after discovery of |
| 472 | the offense by an aggrieved party, or by a person who has a |
| 473 | legal duty to represent the aggrieved party and who is not a |
| 474 | party to the offense, if such prosecution is commenced within 5 |
| 475 | years after the violation occurred. |
| 476 | Section 9. Section 817.5681, Florida Statutes, is created |
| 477 | to read: |
| 478 | 817.5681 Breach of security concerning confidential |
| 479 | personal information in third-party possession; administrative |
| 480 | penalties.-- |
| 481 | (1)(a) Any person who conducts business in this state and |
| 482 | maintains computerized data in a system that includes personal |
| 483 | information shall provide notice of any breach of the security |
| 484 | of the system, following a determination of the breach, to any |
| 485 | resident of this state whose unencrypted personal information |
| 486 | was, or is reasonably believed to have been, acquired by an |
| 487 | unauthorized person. The notification shall be made without |
| 488 | unreasonable delay, consistent with the legitimate needs of law |
| 489 | enforcement, as provided in subsection (3) and paragraph |
| 490 | (10)(a), or subject to any measures necessary to determine the |
| 491 | presence, nature, and scope of the breach and restore the |
| 492 | reasonable integrity of the system. Notification must be made no |
| 493 | later than 45 days following the determination of the breach |
| 494 | unless otherwise provided in this section. |
| 495 | (b) Any person required to make notification under |
| 496 | paragraph (a) who fails to do so within 45 days following the |
| 497 | determination of a breach or receipt of notice from law |
| 498 | enforcement as provided in subsection (3) is liable for an |
| 499 | administrative fine not to exceed $500,000, as follows: |
| 500 | 1. In the amount of $1,000 for each day the breach goes |
| 501 | undisclosed for up to 30 days and, thereafter, $50,000 for each |
| 502 | 30-day period or portion thereof for up to 180 days. |
| 503 | 2. If notification is not made within 180 days, any person |
| 504 | required to make notification under paragraph (a) who fails to |
| 505 | do so is subject to an administrative fine of up to $500,000. |
| 506 | (c) The administrative sanctions for failure to notify |
| 507 | provided in this subsection shall not apply in the case of |
| 508 | personal information in the custody of any governmental agency |
| 509 | or subdivision, unless that governmental agency or subdivision |
| 510 | has entered into a contract with a contractor or third-party |
| 511 | administrator to provide governmental services. In such case, |
| 512 | the contractor or third-party administrator shall be a person to |
| 513 | whom the administrative sanctions provided in this subsection |
| 514 | would apply, although such contractor or third-party |
| 515 | administrator found in violation of the notification |
| 516 | requirements provided in this subsection would not have an |
| 517 | action for contribution or set-off available against the |
| 518 | employing agency or subdivision. |
| 519 | (2)(a) Any person who maintains computerized data that |
| 520 | includes personal information on behalf of another business |
| 521 | entity shall disclose to the business entity for which the |
| 522 | information is maintained any breach of the security of the |
| 523 | system as soon as practicable, but no later than 10 days |
| 524 | following the determination, if the personal information was, or |
| 525 | is reasonably believed to have been, acquired by an unauthorized |
| 526 | person. The person who maintains the data on behalf of another |
| 527 | business entity and the business entity on whose behalf the data |
| 528 | is maintained may agree who will provide the notice, if any is |
| 529 | required, as provided in paragraph (1)(a), provided only a |
| 530 | single notice for each breach of the security of the system |
| 531 | shall be required. If agreement regarding notification cannot be |
| 532 | reached, the person who has the direct business relationship |
| 533 | with the resident of this state shall be subject to the |
| 534 | provisions of paragraph (1)(a). |
| 535 | (b) Any person required to disclose to a business entity |
| 536 | under paragraph (a) who fails to do so within 10 days after the |
| 537 | determination of a breach or receipt of notification from law |
| 538 | enforcement as provided in subsection (3) is liable for an |
| 539 | administrative fine not to exceed $500,000, as follows: |
| 540 | 1. In the amount of $1,000 for each day the breach goes |
| 541 | undisclosed for up to 30 days and, thereafter, $50,000 for each |
| 542 | 30-day period or portion thereof for up to 180 days. |
| 543 | 2. If disclosure is not made within 180 days, any person |
| 544 | required to make disclosures under paragraph (a) who fails to do |
| 545 | so is subject to an administrative fine of up to $500,000. |
| 546 | (c) The administrative sanctions for nondisclosure |
| 547 | provided in this subsection shall not apply in the case of |
| 548 | personal information in the custody of any governmental agency |
| 549 | or subdivision unless that governmental agency or subdivision |
| 550 | has entered into a contract with a contractor or third-party |
| 551 | administrator to provide governmental services. In such case, |
| 552 | the contractor or third-party administrator shall be a person to |
| 553 | whom the administrative sanctions provided in this subsection |
| 554 | would apply, although such contractor or third-party |
| 555 | administrator found in violation of the nondisclosure |
| 556 | restrictions in this subsection would not have an action for |
| 557 | contribution or set-off available against the employing agency |
| 558 | or subdivision. |
| 559 | (3) The notification required by this section may be |
| 560 | delayed upon a request by law enforcement if a law enforcement |
| 561 | agency determines that the notification will impede a criminal |
| 562 | investigation. The notification time period required by this |
| 563 | section shall commence after the person receives notice from the |
| 564 | law enforcement agency that the notification will not compromise |
| 565 | the investigation. |
| 566 | (4) For purposes of this section, the terms "breach" and |
| 567 | "breach of the security of the system" mean unlawful and |
| 568 | unauthorized acquisition of computerized data that materially |
| 569 | compromises the security, confidentiality, or integrity of |
| 570 | personal information maintained by the person. Good faith |
| 571 | acquisition of personal information by an employee or agent of |
| 572 | the person is not a breach or breach of the security of the |
| 573 | system, provided the information is not used for a purpose |
| 574 | unrelated to the business or subject to further unauthorized |
| 575 | use. |
| 576 | (5) For purposes of this section, the term "personal |
| 577 | information" means an individual's first name, first initial and |
| 578 | last name, or any middle name and last name, in combination with |
| 579 | any one or more of the following data elements when the data |
| 580 | elements are not encrypted: |
| 581 | (a) Social security number. |
| 582 | (b) Driver's license number or Florida Identification Card |
| 583 | number. |
| 584 | (c) Account number, credit card number, or debit card |
| 585 | number, in combination with any required security code, access |
| 586 | code, or password that would permit access to an individual's |
| 587 | financial account. |
| 588 |
|
| 589 | For purposes of this section, the term "personal information" |
| 590 | does not include publicly available information that is lawfully |
| 591 | made available to the general public from federal, state, or |
| 592 | local government records or widely distributed media. |
| 593 | (6) For purposes of this section, notice may be provided |
| 594 | by one of the following methods: |
| 595 | (a) Written notice; |
| 596 | (b) Electronic notice, if the notice provided is |
| 597 | consistent with the provisions regarding electronic records and |
| 598 | signatures set forth in 15 U.S.C. s. 7001; or |
| 599 | (c) Substitute notice, if the person demonstrates that the |
| 600 | cost of providing notice would exceed $250,000, the affected |
| 601 | class of subject persons to be notified exceeds 500,000, or the |
| 602 | person does not have sufficient contact information. Substitute |
| 603 | notice shall consist of all of the following: |
| 604 | 1. Electronic mail or email notice when the person has an |
| 605 | electronic mail or email address for the subject persons. |
| 606 | 2. Conspicuous posting of the notice on the web page of |
| 607 | the person, if the person maintains a web page. |
| 608 | 3. Notification to major statewide media. |
| 609 | (7) For purposes of this section, the term "unauthorized |
| 610 | person" means any person who does not have permission from, or a |
| 611 | password issued by, the person who stores the computerized data |
| 612 | to acquire such data, but does not include any individual to |
| 613 | whom the personal information pertains. |
| 614 | (8) For purposes of this section, the term "person" means |
| 615 | a person as defined in s. 1.01(3). For purposes of this section, |
| 616 | the State of Florida, as well as any of its agencies or |
| 617 | political subdivisions, and any of the agencies of its political |
| 618 | subdivisions, constitutes a person. |
| 619 | (9) Notwithstanding subsection (6), a person who |
| 620 | maintains: |
| 621 | (a) The person's own notification procedures as part of an |
| 622 | information security or privacy policy for the treatment of |
| 623 | personal information, which procedures are otherwise consistent |
| 624 | with the timing requirements of this part; or |
| 625 | (b) A notification procedure pursuant to the rules, |
| 626 | regulations, procedures, or guidelines established by the |
| 627 | person's primary or functional federal regulator, |
| 628 |
|
| 629 | shall be deemed to be in compliance with the notification |
| 630 | requirements of this section if the person notifies subject |
| 631 | persons in accordance with the person's policies or the rules, |
| 632 | regulations, procedures, or guidelines established by the |
| 633 | primary or functional federal regulator in the event of a breach |
| 634 | of security of the system. |
| 635 | (10)(a) Notwithstanding subsection (2), notification is |
| 636 | not required if, after an appropriate investigation and after |
| 637 | consultation with relevant federal, state, and local agencies |
| 638 | responsible for law enforcement, the person reasonably |
| 639 | determines that the breach has not and will not likely result in |
| 640 | harm to the individuals whose personal information has been |
| 641 | acquired and accessed. Such a determination must be documented |
| 642 | in writing and the documentation must be maintained for 5 years. |
| 643 | (b) Any person required to document a failure to notify |
| 644 | affected persons who fails to document the failure as required |
| 645 | in this subsection or who, if documentation was created, fails |
| 646 | to maintain the documentation for the full 5 years as required |
| 647 | in this subsection is liable for an administrative fine in the |
| 648 | amount of up to $50,000 for such failure. |
| 649 | (c) The administrative sanctions outlined in this |
| 650 | subsection shall not apply in the case of personal information |
| 651 | in the custody of any governmental agency or subdivision, unless |
| 652 | that governmental agency or subdivision has entered into a |
| 653 | contract with a contractor or third-party administrator to |
| 654 | provide governmental services. In such case the contractor or |
| 655 | third-party administrator shall be a person to whom the |
| 656 | administrative sanctions outlined in this subsection would |
| 657 | apply, although such contractor or third-party administrator |
| 658 | found in violation of the documentation and maintenance of |
| 659 | documentation requirements in this subsection would not have an |
| 660 | action for contribution or set-off available against the |
| 661 | employing agency or subdivision. |
| 662 | (11) The Department of Legal Affairs may institute |
| 663 | proceedings to assess and collect the fines provided in this |
| 664 | section. |
| 665 | Section 10. No entity may accumulate or report a |
| 666 | consumer's drug test results with any of their other personal |
| 667 | data except for the name and social security number or driver's |
| 668 | license number or Florida identification card number of the |
| 669 | consumer. |
| 670 | Section 11. If any provision of this act or its |
| 671 | application to any person or circumstance is held invalid, the |
| 672 | invalidity does not affect other provisions or applications of |
| 673 | the act which can be given effect without the invalid provision |
| 674 | or application, and to this end the provisions of this act are |
| 675 | severable. |
| 676 | Section 12. This act shall take effect July 1, 2005. |