Florida Senate - 2005                      COMMITTEE AMENDMENT
    Bill No. SB 284
                        Barcode 272564
                            CHAMBER ACTION
              Senate                               House
The Committee on Judiciary (Aronberg) recommended the following amendment:

Senate Amendment (with title amendment)
On page 2, between lines 19 and 20,

insert:

Section 2. Section 501.167, Florida Statutes, is created to read:

501.167 Computerized information; breach of security; procedure upon discovery.--

(1) Any person or business that conducts business in this state and that maintains computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the data to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. For purposes of this section, a resident of this state may be determined to be an individual whose principal mailing address as reflected in the records of the person or business
    10:27 AM   03/15/05                            s0284c-ju27-bz2

is in Florida. The disclosure shall be made in the most expedient time possible and without unreasonable delay, subject to the legitimate needs of law enforcement, as provided in subsection (3) and the completion of an investigation by the person or business to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system.

(2) Any person or business that maintains computerized data on behalf of another business or person which includes personal information that the person or business does not own shall notify the business or person of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(3) The notification required by this section shall be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. If notification is required by this section, it shall be made after the law enforcement agency determines that it will not compromise the investigation.

(4) For purposes of this section, the term "breach of the security of the system" means unauthorized acquisition of computerized data which materially compromises the security, confidentiality, or integrity of personal information maintained by the person or business and causes or is reasonably believed to cause loss or injury to the state resident. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.

(5)(a) For purposes of this section, the term "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not encrypted:

1. Social security number.
2. Driver's license number or Florida identification card number.
3. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(b) For purposes of this section, the term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

(6) For purposes of this section, notice may be provided by one of the following methods:

(a) Written notice.

(b) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. s. 7001.

(c) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

1. E-mail notice when the person or business has an e-mail address for the subject persons;
2. Conspicuous posting of the notice on the Internet website page of the person or business, if the person or business maintains one; and
3. Notification to major statewide media.

(7) For purposes of this section, the term "unauthorized person" means any person that is not the person to whom the personal information belongs and that does not have permission from or a password issued by the person or business that stores the computerized data to acquire it.

(8) Notwithstanding subsection (6), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(9) Notwithstanding subsection (6), notification is not required if, after an appropriate investigation and after consultation with relevant federal or state agencies responsible for law enforcement, the person or business reasonably determines that the breach has not resulted, and will not result, in harm to the individuals whose personal information has been acquired and accessed. Such a determination must be documented in writing, and the documentation maintained for 5 years.

(10) Not less than 2 business days prior to making the notification required by subsection (1), the person or business making the notification shall notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the pending notification and shall provide a copy of the notification. Any consumer reporting agency receiving a notification under this subsection shall transmit the information to any person or entity that reports information to or receives consumer report information from such consumer reporting agency in a timely manner, separate from any regular communication of information to such person or entity.

(11) A violation of this section is a deceptive and unfair trade practice and constitutes a violation of the Florida Deceptive and Unfair Trade Practices Act.

(Redesignate subsequent sections.)

================ T I T L E   A M E N D M E N T ===============

And the title is amended as follows:

On page 1, line 14, following the semicolon

insert:

creating s. 501.167, F.S.; prescribing duties of persons and businesses holding computerized personal information upon discovery of a breach of security of the system on which such data are maintained; defining terms; prescribing forms that notification of the breach must take; providing exceptions; providing remedies;