Florida Senate - 2005                        SENATOR AMENDMENT
    Bill No. CS for SB 284
                        Barcode 670940
                            CHAMBER ACTION
              Senate                               House
                                   .                    
                                   .                    
 1                  1/AD/2R        .                    
       04/28/2005 04:14 PM         .                    
 2                                 .                    
                                   .                    
 3                                 .                    
                                   .                    
 4  ______________________________________________________________
 5  
 6  
 7  
 8  
 9  
10  ______________________________________________________________
11  Senator Aronberg moved the following amendment:
12  
13         Senate Amendment (with title amendment) 
14         On page 3, line 3, through
15            page 11, line 20, delete those lines
16  
17  and insert:  
18         Section 1.  Section 817.5681, Florida Statutes, is
19  created to read:
20         817.5681  Breach of security concerning confidential
21  personal information in third-party possession; administrative
22  penalties.--
23         (1)(a)  Any person who conducts business in this state
24  and maintains computerized data in a system that includes
25  personal information shall provide notice of any breach of the
26  security of the system, following a determination of the
27  breach, to any resident of this state whose unencrypted
28  personal information was, or is reasonably believed to have
29  been, acquired by an unauthorized person. The notification
30  shall be made without unreasonable delay, consistent with the
31  legitimate needs of law enforcement, as provided in subsection
    2:47 PM   04/28/05                             s0284c1c-27-taq
 1  (3) and paragraph (10)(a), or subject to any measures
 2  necessary to determine the presence, nature, and scope of the
 3  breach and restore the reasonable integrity of the system.
 4  Notification must be made no later than 45 days following the
 5  determination of the breach unless otherwise provided in this
 6  section.
 7         (b)  Any person required to make notification under
 8  paragraph (a) who fails to do so within 45 days following the
 9  determination of a breach or receipt of notice from law
10  enforcement as provided in subsection (3) is liable for an
11  administrative fine not to exceed $500,000, as follows:
12         1.  In the amount of $1,000 for each day the breach
13  goes undisclosed for up to 30 days and, thereafter, $50,000
14  for each 30-day period or portion thereof for up to 180 days.
15         2.  If notification is not made within 180 days, any
16  person required to make notification under paragraph (a) who
17  fails to do so is subject to an administrative fine of up to
18  $500,000.
19         (c)  The administrative sanctions for failure to notify
20  in paragraph (b) apply per breach, and not per individual
21  affected by the breach.  Such sanctions do not apply in the
22  case of personal information in the custody of any
23  governmental agency or subdivision, unless that governmental
24  agency or subdivision has entered into a contract with a
25  contractor or third-party administrator to provide
26  governmental services. In such case, the contractor or
27  third-party administrator is the person to whom such sanctions
28  apply and such contractor or third-party administrator found
29  in violation of such notification requirements has no right to
30  any contribution or set-off that may otherwise be available
31  against the employing agency or subdivision.
 1         (2)(a)  Any person who maintains computerized data that
 2  includes personal information on behalf of another business
 3  entity shall disclose to the business entity for which the
 4  information is maintained any breach of the security of the
 5  system as soon as practicable, but no later than 10 days
 6  following the determination, if the personal information was,
 7  or is reasonably believed to have been, acquired by an
 8  unauthorized person. The person who maintains the data on
 9  behalf of another business entity and the business entity on
10  whose behalf the data is maintained may agree who will provide
11  the notice, if any is required, as provided in paragraph
12  (1)(a); however, only a single notice for each breach of the
13  security of the system is required. If agreement regarding
14  notification cannot be reached, the person who has the direct
15  business relationship with the resident of this state must
16  provide the notice required under paragraph (1)(a).
17         (b)  Any person required to disclose to a business
18  entity under paragraph (a) who fails to do so within 10 days
19  after the determination of a breach or receipt of notification
20  from law enforcement as provided in subsection (3) is liable
21  for an administrative fine not to exceed $500,000, as follows:
22         1.  In the amount of $1,000 for each day the breach
23  goes undisclosed for up to 30 days and, thereafter, $50,000
24  for each 30-day period or portion thereof for up to 180 days.
25         2.  If disclosure is not made within 180 days, such
26  person is subject to an administrative fine of up to $500,000.
27         (c)  The administrative sanctions for nondisclosure
28  provided in paragraph (b) apply per breach, and not per
29  individual affected by the breach.  Such sanctions do not
30  apply in the case of personal information in the custody of
31  any governmental agency or subdivision unless that
 1  governmental agency or subdivision has entered into a contract
 2  with a contractor or third-party administrator to provide
 3  governmental services. In such case, the contractor or
 4  third-party administrator is the person to whom such sanctions
 5  apply and such contractor or third-party administrator found
 6  in violation of such nondisclosure restrictions has no right
 7  to any contribution or set-off that may otherwise be available
 8  against the employing agency or subdivision.
 9         (3)  The notification required by this section may be
10  delayed upon a request by law enforcement if a law enforcement
11  agency determines that the notification will impede a criminal
12  investigation. The notification time period required by this
13  section shall commence after the person receives notice from
14  the law enforcement agency that the notification will not
15  compromise the investigation.
16         (4)  For purposes of this section, the terms "breach"
17  and "breach of the security of the system" mean unlawful and
18  unauthorized acquisition of computerized data that materially
19  compromises the security, confidentiality, or integrity of
20  personal information maintained by the person. Good faith
21  acquisition of personal information by an employee or agent of
22  the person is not a breach or breach of the security of the
23  system, provided the information is not used for a purpose
24  unrelated to the business or subject to further unauthorized
25  use.
26         (5)  For purposes of this section, the term "personal
27  information" means an individual's first name, first initial
28  and last name, or any middle name and last name, in
29  combination with any one or more of the following data
30  elements when the data elements are not encrypted:
31         (a)  Social security number.
 1         (b)  Driver's license number or Florida Identification
 2  Card number.
 3         (c)  Account number, credit card number, or debit card
 4  number, in combination with any required security code, access
 5  code, or password that would permit access to an individual's
 6  financial account.
 7  
 8  The term does not include publicly available information that
 9  is lawfully made available to the general public from federal,
10  state, or local government records or widely distributed
11  media.
12         (6)  For purposes of this section, notice may be
13  provided by one of the following methods:
14         (a)  Written notice;
15         (b)  Electronic notice, if the notice provided is
16  consistent with the provisions regarding electronic records
17  and signatures in 15 U.S.C. s. 7001 or if the person or
18  business providing the notice has a valid e-mail address for
19  the subject person and the subject person has agreed to accept
20  communications electronically; or
21         (c)  Substitute notice, if the person demonstrates that
22  the cost of providing notice would exceed $250,000, the
23  affected class of subject persons to be notified exceeds
24  500,000, or the person does not have sufficient contact
25  information. Substitute notice shall consist of all of the
26  following:
27         1.  Electronic mail or e-mail notice when the person
28  has an electronic mail or e-mail address for the subject
29  persons.
30         2.  Conspicuous posting of the notice on the web page
31  of the person, if the person maintains a web page.
 1         3.  Notification to major statewide media.
 2         (7)  For purposes of this section, the term
 3  "unauthorized person" means any person who does not have
 4  permission from, or a password issued by, the person who
 5  stores the computerized data to acquire such data, but does
 6  not include any individual to whom the personal information
 7  pertains.
 8         (8)  For purposes of this section, the term "person"
 9  means a person as defined in s. 1.01. For purposes of this
10  section, the State of Florida, as well as any of its agencies
11  or political subdivisions, and any of the agencies of its
12  political subdivisions, is a person.
13         (9)  Notwithstanding subsection (6), a person who
14  maintains:
15         (a)  The person's own notification procedures as part
16  of an information security or privacy policy for the treatment
17  of personal information, which procedures are otherwise
18  consistent with the timing requirements of this part; or
19         (b)  A notification procedure pursuant to the rules,
20  regulations, procedures, or guidelines established by the
21  person's primary or functional federal regulator,
22  
23  shall be deemed to be in compliance with the notification
24  requirements of this section if the person notifies subject
25  persons in accordance with the person's policies or the rules,
26  regulations, procedures, or guidelines established by the
27  primary or functional federal regulator in the event of a
28  breach of security of the system.
29         (10)(a)  Notwithstanding subsection (2), disclosure is
30  not required if, after an appropriate investigation or after
31  consultation with relevant federal, state, and local agencies
 1  responsible for law enforcement, the person reasonably
 2  determines that the breach has not and will not likely result
 3  in harm to the individuals whose personal information has been
 4  acquired and accessed. Such a determination must be documented
 5  in writing and the documentation must be maintained for 5
 6  years.
 7         (b)  Any person required to document a failure to
 8  notify affected persons who fails to document the failure as
 9  required in paragraph (a) or who, if documentation was
10  created, fails to maintain the documentation as required in
11  paragraph (a) is liable for an administrative fine of up to
12  $50,000 for such failure.
13         (c)  The administrative sanctions in paragraph (b) do
14  not apply in the case of personal information in the custody
15  of any governmental agency or subdivision, unless that
16  governmental agency or subdivision has entered into a contract
17  with a contractor or third-party administrator to provide
18  governmental services. In such case the contractor or
19  third-party administrator is the person to whom such sanctions
20  apply and such contractor or third-party administrator found
21  in violation of the documentation and maintenance of
22  documentation requirements has no right to any contribution or
23  set-off that may otherwise be available against the employing
24  agency or subdivision.
25         (11)  The Department of Legal Affairs may institute
26  proceedings to assess and collect the fines authorized in this
27  section.
28         (12)  If a person discovers circumstances requiring
29  notification pursuant to this section of more than 1,000
30  persons at a single time, the person shall also notify,
31  without unreasonable delay, all consumer reporting agencies
 1  that compile and maintain files on consumers on a nationwide
 2  basis, as defined in 15 U.S.C. s. 1681a(p), of the timing,
 3  distribution, and content of the notices.
 4  
 5  (Redesignate subsequent sections.)
 6  
 7  
 8  ================ T I T L E   A M E N D M E N T ===============
 9  And the title is amended as follows:
10         On page 1, line 3, through
11            page 2, line 7, delete those lines
12  
13  and insert:
14         creating s. 817.5681, F.S.; requiring business
15         persons maintaining computerized data that
16         includes personal information to provide notice
17         of breaches of system security under certain
18         circumstances; providing requirements;
19         providing for administrative fines; providing
20         exceptions and limitations; authorizing delays
21         of such disclosures under certain
22         circumstances; providing definitions; providing
23         for alternative notice methods; specifying
24         conditions of compliance for persons
25         maintaining certain alternative notification
26         procedures; specifying conditions under which
27         notification is not required; providing
28         requirements for documentation and maintenance
29         of documentation; providing an administrative
30         fine for failing to document certain failures
31         to comply; providing for application of
 1         administrative sanctions to certain persons
 2         under certain circumstances; authorizing the
 3         Department of Legal Affairs to institute
 4         proceedings to assess and collect fines;
 5         requiring notification of consumer reporting
 6         agencies of breaches of system security under
 7         certain circumstances; amending s.