Florida Senate - 2005 COMMITTEE AMENDMENT
Bill No. SB 284
Barcode 272564
CHAMBER ACTION
Senate House
11 The Committee on Judiciary (Aronberg) recommended the
12 following amendment:
13
14 Senate Amendment (with title amendment)
15 On page 2, between lines 19 and 20,
16
17 insert:
18 Section 2. Section 501.167, Florida Statutes, is
19 created to read:
20 501.167 Computerized information; breach of security;
21 procedure upon discovery.--
22 (1) Any person or business that conducts business in
23 this state and that maintains computerized data that includes
24 personal information shall disclose any breach of the security
25 of the system following discovery or notification of the
26 breach of the security of the data to any resident of the
27 state whose unencrypted personal information was, or is
28 reasonably believed to have been, acquired by an unauthorized
29 person. For purposes of this section, a resident of this state
30 may be determined to be an individual whose principal mailing
31 address as reflected in the records of the person or business
10:27 AM 03/15/05 s0284c-ju27-bz2
1 is in Florida. The disclosure shall be made in the most
2 expedient time possible and without unreasonable delay,
3 subject to the legitimate needs of law enforcement, as
4 provided in subsection (3) and the completion of an
5 investigation by the person or business to determine the
6 nature and scope of the incident, to identify the individuals
7 affected, or to restore the reasonable integrity of the data
8 system.
9 (2) Any person or business that maintains computerized
10 data on behalf of another business or person which includes
11 personal information that the person or business does not own
12 shall notify the business or person of the information of any
13 breach of the security of the data immediately following
14 discovery, if the personal information was, or is reasonably
15 believed to have been, acquired by an unauthorized person.
16 (3) The notification required by this section shall be
17 delayed if a law enforcement agency determines that the
18 notification will impede a criminal investigation. If
19 notification is required by this section, it shall be made
20 after the law enforcement agency determines that it will not
21 compromise the investigation.
22 (4) For purposes of this section, the term "breach of
23 the security of the system" means unauthorized acquisition of
24 computerized data which materially compromises the security,
25 confidentiality, or integrity of personal information
26 maintained by the person or business and causes or is
27 reasonably believed to cause loss or injury to the state
28 resident. Good faith acquisition of personal information by an
29 employee or agent of the person or business for the purposes
30 of the person or business is not a breach of the security of
31 the system, provided that the personal information is not used
1 for a purpose unrelated to the business or subject to further
2 unauthorized disclosure.
3 (5)(a) For purposes of this section, the term
4 "personal information" means an individual's first name or
5 first initial and last name in combination with any one or
6 more of the following data elements, when the data elements
7 are not encrypted:
8 1. Social security number.
9 2. Driver's license number or Florida identification
10 card number.
11 3. Account number, credit card number, or debit card
12 number, in combination with any required security code, access
13 code, or password that would permit access to an individual's
14 financial account.
15 (b) For purposes of this section, the term "personal
16 information" does not include publicly available information
17 that is lawfully made available to the general public from
18 federal, state, or local government records or widely
19 distributed media.
20 (6) For purposes of this section, notice may be
21 provided by one of the following methods:
22 (a) Written notice.
23 (b) Electronic notice, if the notice provided is
24 consistent with the provisions regarding electronic records
25 and signatures set forth in 15 U.S.C. s. 7001.
26 (c) Substitute notice, if the person or business
27 demonstrates that the cost of providing notice would exceed
28 $250,000, or that the affected class of subject persons to be
29 notified exceeds 500,000, or the person or business does not
30 have sufficient contact information. Substitute notice shall
31 consist of all of the following:
1 1. E-mail notice when the person or business has an
2 e-mail address for the subject persons;
3 2. Conspicuous posting of the notice on the Internet
4 website page of the person or business, if the person or
5 business maintains one; and
6 3. Notification to major statewide media.
7 (7) For purposes of this section, the term
8 "unauthorized person" means any person that is not the person
9 to whom the personal information belongs and that does not
10 have permission from or a password issued by the person or
11 business that stores the computerized data to acquire it.
12 (8) Notwithstanding subsection (6), a person or
13 business that maintains its own notification procedures as
14 part of an information security policy for the treatment of
15 personal information and is otherwise consistent with the
16 timing requirements of this part shall be deemed to be in
17 compliance with the notification requirements of this section
18 if the person or business notifies subject persons in
19 accordance with its policies in the event of a breach of
20 security of the system.
21 (9) Notwithstanding subsection (6), notification is
22 not required if, after an appropriate investigation and after
23 consultation with relevant federal or state agencies
24 responsible for law enforcement, the person or business
25 reasonably determines that the breach has not resulted, and
26 will not result, in harm to the individuals whose personal
27 information has been acquired and accessed. Such a
28 determination must be documented in writing, and the
29 documentation maintained for 5 years.
30 (10) Not less than 2 business days prior to making the
31 notification required by subsection (1), the person or
1 business making the notification shall notify all consumer
2 reporting agencies that compile and maintain files on
3 consumers on a nationwide basis of the pending notification
4 and shall provide a copy of the notification. Any consumer
5 reporting agency receiving a notification under this
6 subsection shall transmit the information to any person or
7 entity that reports information to or receives consumer report
8 information from such consumer reporting agency in a timely
9 manner, separate from any regular communication of information
10 to such person or entity.
11 (11) A violation of this section is a deceptive and
12 unfair trade practice and constitutes a violation of the
13 Florida Deceptive and Unfair Trade Practices Act.
14
15 (Redesignate subsequent sections.)
16
17
18 ================ T I T L E   A M E N D M E N T ===============
19 And the title is amended as follows:
20 On page 1, line 14, following the semicolon
21
22 insert:
23 creating s. 501.167, F.S.; prescribing duties
24 of persons and businesses holding computerized
25 personal information upon discovery of a breach
26 of security of the system on which such data
27 are maintained; defining terms; prescribing
28 forms that notification of the breach must
29 take; providing exceptions; providing remedies;
30
31