HB 481

A bill to be entitled
An act relating to unlawful use of personal identification
information; amending s. 817.568, F.S.; including other
information within the definition of the term "personal
identification information"; defining the term
"counterfeit or fictitious personal identification
information"; revising criminal penalties relating to the
offense of fraudulently using, or possessing with intent
to fraudulently use, personal identification information;
providing minimum mandatory terms of imprisonment;
creating the offenses of willfully and fraudulently using,
or possessing with intent to fraudulently use, personal
identification information concerning a deceased
individual; providing criminal penalties; providing for
minimum mandatory terms of imprisonment; creating the
offense of willfully and fraudulently creating or using,
or possessing with intent to fraudulently use, counterfeit
or fictitious personal identification information;
providing criminal penalties; providing for
reclassification of offenses under certain circumstances;
providing for reduction or suspension of sentences under
certain circumstances; creating s. 817.5681, F.S.;
requiring business persons maintaining computerized data
that includes personal information to provide notice of
breaches of system security under certain circumstances;
providing requirements; providing for administrative
fines; providing exceptions and limitations; authorizing
delays of such disclosures under certain circumstances;
providing definitions; providing for alternative notice
methods; specifying conditions of compliance for persons
maintaining certain alternative notification procedures;
specifying conditions under which notification is not
required; providing requirements for documentation and
maintenance of documentation; providing an administrative
fine for failing to document certain failures to comply;
providing for application of administrative sanctions to
certain persons under certain circumstances; authorizing
the Department of Legal Affairs to institute proceedings
to assess and collect fines; requiring notification of
consumer reporting agencies of breaches of system security
under certain circumstances; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

     Section 1.  Section 817.568, Florida Statutes, is amended
to read:
     817.568  Criminal use of personal identification
information.--
     (1)  As used in this section, the term:
     (a)  "Access device" means any card, plate, code, account
number, electronic serial number, mobile identification number,
personal identification number, or other telecommunications
service, equipment, or instrument identifier, or other means of
account access that can be used, alone or in conjunction with
another access device, to obtain money, goods, services, or any
other thing of value, or that can be used to initiate a transfer
of funds, other than a transfer originated solely by paper
instrument.
     (b)  "Authorization" means empowerment, permission, or
competence to act.
     (c)  "Harass" means to engage in conduct directed at a
specific person that is intended to cause substantial emotional
distress to such person and serves no legitimate purpose.
"Harass" does not mean to use personal identification
information for accepted commercial purposes. The term does not
include constitutionally protected conduct such as organized
protests or the use of personal identification information for
accepted commercial purposes.
     (d)  "Individual" means a single human being and does not
mean a firm, association of individuals, corporation,
partnership, joint venture, sole proprietorship, or any other
entity.
     (e)  "Person" means a "person" as defined in s. 1.01(3).
     (f)  "Personal identification information" means any name
or number that may be used, alone or in conjunction with any
other information, to identify a specific individual, including
any:
     1.  Name, postal or electronic mail address, telephone
number, social security number, date of birth, mother's maiden
name, official state-issued or United States-issued driver's
license or identification number, alien registration number,
government passport number, employer or taxpayer identification
number, Medicaid or food stamp account number, or bank account
number, or credit or debit card number, or personal
identification number or code assigned to the holder of a debit
card by the issuer to permit authorized electronic use of such
card;
     2.  Unique biometric data, such as fingerprint, voice
print, retina or iris image, or other unique physical
representation;
     3.  Unique electronic identification number, address, or
routing code; or
     4.  Medical records;
     5.4.  Telecommunication identifying information or access
device; or.
     6.  Other number or information that can be used to access
a person's financial resources.
     (g)  "Counterfeit or fictitious personal identification
information" means any counterfeit, fictitious, or fabricated
information in the similitude of the data outlined in paragraph
(f) that, although not truthful or accurate, would in context
lead a reasonably prudent person to credit its truthfulness and
accuracy.
     (2)(a)  Any person who willfully and without authorization
fraudulently uses, or possesses with intent to fraudulently use,
personal identification information concerning an individual
without first obtaining that individual's consent, commits the
offense of fraudulent use of personal identification
information, which is a felony of the third degree, punishable
as provided in s. 775.082, s. 775.083, or s. 775.084.
     (b)  Any person who willfully and without authorization
fraudulently uses personal identification information concerning
an individual without first obtaining that individual's consent
commits a felony of the second degree, punishable as provided in
s. 775.082, s. 775.083, or s. 775.084, if the pecuniary benefit,
the value of the services received, the payment sought to be
avoided, or the amount of the injury or fraud perpetrated is
$5,000 or more or if the person fraudulently uses the personal
identification information of 10 or more individuals, but fewer
than 20 individuals, without their consent. Notwithstanding any
other provision of law, the court shall sentence any person
convicted of committing the offense described in this paragraph
to a mandatory minimum sentence of 3 years' imprisonment.
     (c)  Any person who willfully and without authorization
fraudulently uses personal identification information concerning
an individual without first obtaining that individual's consent
commits a felony of the first degree, punishable as provided in
s. 775.082, s. 775.083, or s. 775.084, if the pecuniary benefit,
the value of the services received, the payment sought to be
avoided, or the amount of the injury or fraud perpetrated is
$50,000 or more or if the person fraudulently uses the personal
identification information of 20 or more individuals, but fewer
than 30 individuals, without their consent. Notwithstanding any
other provision of law, the court shall sentence any person
convicted of committing the offense described in this paragraph:
     1.  to a mandatory minimum sentence of 5 years'
imprisonment. If the pecuniary benefit, the value of the
services received, the payment sought to be avoided, or the
amount of the injury or fraud perpetrated is $100,000 or more,
or if the person fraudulently uses the personal identification
information of 30 or more individuals without their consent,
notwithstanding any other provision of law, the court shall
sentence any person convicted of committing the offense
described in this paragraph
     2.  to a mandatory minimum sentence of 10 years'
imprisonment, if the pecuniary benefit, the value of the
services received, the payment sought to be avoided, or the
amount of the injury or fraud perpetrated is $100,000 or more or
if the person fraudulently uses the personal identification
information of 30 or more individuals without their consent.
     (3)  Neither paragraph (2)(b) nor paragraph (2)(c) prevents
a court from imposing a greater sentence of incarceration as
authorized by law. If the minimum mandatory terms of
imprisonment imposed under paragraph (2)(b) or paragraph (2)(c)
exceed the maximum sentences authorized under s. 775.082, s.
775.084, or the Criminal Punishment Code under chapter 921, the
mandatory minimum sentence must be imposed. If the mandatory
minimum terms of imprisonment under paragraph (2)(b) or
paragraph (2)(c) are less than the sentence that could be
imposed under s. 775.082, s. 775.084, or the Criminal Punishment
Code under chapter 921, the sentence imposed by the court must
include the mandatory minimum term of imprisonment as required
by paragraph (2)(b) or paragraph (2)(c).
     (4)  Any person who willfully and without authorization
possesses, uses, or attempts to use personal identification
information concerning an individual without first obtaining
that individual's consent, and who does so for the purpose of
harassing that individual, commits the offense of harassment by
use of personal identification information, which is a
misdemeanor of the first degree, punishable as provided in s.
775.082 or s. 775.083.
     (5)  If an offense prohibited under this section was
facilitated or furthered by the use of a public record, as
defined in s. 119.011, the offense is reclassified to the next
higher degree as follows:
     (a)  A misdemeanor of the first degree is reclassified as a
felony of the third degree.
     (b)  A felony of the third degree is reclassified as a
felony of the second degree.
     (c)  A felony of the second degree is reclassified as a
felony of the first degree.

For purposes of sentencing under chapter 921 and incentive gain-time
eligibility under chapter 944, a felony offense that is
reclassified under this subsection is ranked one level above the
ranking under s. 921.0022 of the felony offense committed, and a
misdemeanor offense that is reclassified under this subsection
is ranked in level 2 of the offense severity ranking chart in s.
921.0022.
     (6)  Any person who willfully and without authorization
fraudulently uses personal identification information concerning
an individual who is less than 18 years of age without first
obtaining the consent of that individual or of his or her legal
guardian commits a felony of the second degree, punishable as
provided in s. 775.082, s. 775.083, or s. 775.084.
     (7)  Any person who is in the relationship of parent or
legal guardian, or who otherwise exercises custodial authority
over an individual who is less than 18 years of age, who
willfully and fraudulently uses personal identification
information of that individual commits a felony of the second
degree, punishable as provided in s. 775.082, s. 775.083, or s.
775.084.
     (8)(a)  Any person who willfully and fraudulently uses, or
possesses with intent to fraudulently use, personal
identification information concerning a deceased individual
commits the offense of fraudulent use or possession with intent
to use personal identification information of a deceased
individual, a felony of the third degree, punishable as provided
in s. 775.082, s. 775.083, or s. 775.084.
     (b)  Any person who willfully and fraudulently uses
personal identification information concerning a deceased
individual commits a felony of the second degree, punishable as
provided in s. 775.082, s. 775.083, or s. 775.084, if the
pecuniary benefit, the value of the services received, the
payment sought to be avoided, or the amount of injury or fraud
perpetrated is $5,000 or more, or if the person fraudulently
uses the personal identification information of 10 or more but
fewer than 20 deceased individuals. Notwithstanding any other
provision of law, the court shall sentence any person convicted
of committing the offense described in this paragraph to a
mandatory minimum sentence of 3 years' imprisonment.
     (c)  Any person who willfully and fraudulently uses
personal identification information concerning a deceased
individual commits the offense of aggravated fraudulent use of
the personal identification information of multiple deceased
individuals, a felony of the first degree, punishable as
provided in s. 775.082, s. 775.083, or s. 775.084, if the
pecuniary benefit, the value of the services received, the
payment sought to be avoided, or the amount of injury or fraud
perpetrated is $50,000 or more, or if the person fraudulently
uses the personal identification information of 20 or more but
fewer than 30 deceased individuals. Notwithstanding any other
provision of law, the court shall sentence any person convicted
of the offense described in this paragraph to a minimum
mandatory sentence of 5 years' imprisonment. If the pecuniary
benefit, the value of the services received, the payment sought
to be avoided, or the amount of the injury or fraud perpetrated
is $100,000 or more, or if the person fraudulently uses the
personal identification information of 30 or more deceased
individuals, notwithstanding any other provision of law, the
court shall sentence any person convicted of an offense
described in this paragraph to a mandatory minimum sentence of
10 years' imprisonment.
     (9)  Any person who willfully and fraudulently creates or
uses, or possesses with intent to fraudulently use, counterfeit
or fictitious personal identification information concerning a
fictitious individual, or concerning a real individual without
first obtaining that real individual's consent, with intent to
use such counterfeit or fictitious personal identification
information for the purpose of committing or facilitating the
commission of a fraud on another person, commits the offense of
fraudulent creation or use, or possession with intent to
fraudulently use, counterfeit or fictitious personal
identification information, a felony of the third degree,
punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
     (10)  Any person who commits an offense described in this
section and for the purpose of obtaining or using personal
identification information misrepresents himself or herself to
be a law enforcement officer; an employee or representative of a
bank, credit card company, credit counseling company, or credit
reporting agency; or any person who wrongfully represents that
he or she is seeking to assist the victim with a problem with
the victim's credit history shall have the offense reclassified
as follows:
     (a)  In the case of a misdemeanor, the offense is
reclassified as a felony of the third degree.
     (b)  In the case of a felony of the third degree, the
offense is reclassified as a felony of the second degree.
     (c)  In the case of a felony of the second degree, the
offense is reclassified as a felony of the first degree.
     (d)  In the case of a felony of the first degree or a
felony of the first degree punishable by a term of imprisonment
not exceeding life, the offense is reclassified as a life
felony.

For purposes of sentencing under chapter 921, a felony offense
that is reclassified under this subsection is ranked one level
above the ranking under s. 921.0022 or s. 921.0023 of the felony
offense committed, and a misdemeanor offense that is
reclassified under this subsection is ranked in level 2 of the
offense severity ranking chart.
     (11)  The prosecutor may move the sentencing court to
reduce or suspend the sentence of any person who is convicted of
a violation of this section and who provides substantial
assistance in the identification, arrest, or conviction of any
of that person's accomplices, accessories, coconspirators, or
principals or of any other person engaged in fraudulent
possession or use of personal identification information. The
arresting agency shall be given an opportunity to be heard in
aggravation or mitigation in reference to any such motion. Upon
good cause shown, the motion may be filed and heard in camera.
The judge hearing the motion may reduce or suspend the sentence
if the judge finds that the defendant rendered such substantial
assistance.
     (12)(8)  This section does not prohibit any lawfully
authorized investigative, protective, or intelligence activity
of a law enforcement agency of this state or any of its
political subdivisions, of any other state or its political
subdivisions, or of the Federal Government or its political
subdivisions.
     (13)(9)(a)  In sentencing a defendant convicted of an
offense under this section, the court may order that the
defendant make restitution under pursuant to s. 775.089 to any
victim of the offense. In addition to the victim's out-of-pocket
costs, such restitution may include payment of any other costs,
including attorney's fees incurred by the victim in clearing the
victim's credit history or credit rating, or any costs incurred
in connection with any civil or administrative proceeding to
satisfy any debt, lien, or other obligation of the victim
arising as the result of the actions of the defendant.
     (b)  The sentencing court may issue such orders as are
necessary to correct any public record that contains false
information given in violation of this section.
     (14)(10)  Prosecutions for violations of this section may
be brought on behalf of the state by any state attorney or by
the statewide prosecutor.
     (15)(11)  The Legislature finds that, in the absence of
evidence to the contrary, the location where a victim gives or
fails to give consent to the use of personal identification
information is the county where the victim generally resides.
     (16)(12)  Notwithstanding any other provision of law, venue
for the prosecution and trial of violations of this section may
be commenced and maintained in any county in which an element of
the offense occurred, including the county where the victim
generally resides.
     (17)(13)  A prosecution of an offense prohibited under
subsection (2), subsection (6), or subsection (7) must be
commenced within 3 years after the offense occurred. However, a
prosecution may be commenced within 1 year after discovery of
the offense by an aggrieved party, or by a person who has a
legal duty to represent the aggrieved party and who is not a
party to the offense, if such prosecution is commenced within 5
years after the violation occurred.
     Section 2.  Section 817.5681, Florida Statutes, is created
to read:
     817.5681  Breach of security concerning confidential
personal information in third-party possession; administrative
penalties.--
     (1)(a)  Any person who conducts business in this state and
maintains computerized data in a system that includes personal
information shall provide notice of any breach of the security
of the system, following a determination of the breach, to any
resident of this state whose unencrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. The notification shall be made without
unreasonable delay, consistent with the legitimate needs of law
enforcement, as provided in subsection (3) and paragraph
(10)(a), or subject to any measures necessary to determine the
presence, nature, and scope of the breach and restore the
reasonable integrity of the system. Notification must be made no
later than 45 days following the determination of the breach
unless otherwise provided in this section.
     (b)  Any person required to make notification under
paragraph (a) who fails to do so within 45 days following the
determination of a breach or receipt of notice from law
enforcement as provided in subsection (3) is liable for an
administrative fine not to exceed $500,000, as follows:
     1.  In the amount of $1,000 for each day the breach goes
undisclosed for up to 30 days and, thereafter, $50,000 for each
30-day period or portion thereof for up to 180 days.
     2.  If notification is not made within 180 days, any person
required to make notification under paragraph (a) who fails to
do so is subject to an administrative fine of up to $500,000.
     (c)  The administrative sanctions for failure to notify
provided in this subsection shall apply per breach and not per
individual affected by the breach.
     (d)  The administrative sanctions for failure to notify
provided in this subsection shall not apply in the case of
personal information in the custody of any governmental agency
or subdivision, unless that governmental agency or subdivision
has entered into a contract with a contractor or third-party
administrator to provide governmental services. In such case,
the contractor or third-party administrator shall be a person to
whom the administrative sanctions provided in this subsection
would apply, although such contractor or third-party
administrator found in violation of the notification
requirements provided in this subsection would not have an
action for contribution or set-off available against the
employing agency or subdivision.
     (2)(a)  Any person who maintains computerized data that
includes personal information on behalf of another business
entity shall disclose to the business entity for which the
information is maintained any breach of the security of the
system as soon as practicable, but no later than 10 days
following the determination, if the personal information was, or
is reasonably believed to have been, acquired by an unauthorized
person. The person who maintains the data on behalf of another
business entity and the business entity on whose behalf the data
is maintained may agree who will provide the notice, if any is
required, as provided in paragraph (1)(a), provided only a
single notice for each breach of the security of the system
shall be required. If agreement regarding notification cannot be
reached, the person who has the direct business relationship
with the resident of this state shall be subject to the
provisions of paragraph (1)(a).
     (b)  Any person required to disclose to a business entity
under paragraph (a) who fails to do so within 10 days after the
determination of a breach or receipt of notification from law
enforcement as provided in subsection (3) is liable for an
administrative fine not to exceed $500,000, as follows:
     1.  In the amount of $1,000 for each day the breach goes
undisclosed for up to 30 days and, thereafter, $50,000 for each
30-day period or portion thereof for up to 180 days.
     2.  If disclosure is not made within 180 days, any person
required to make disclosures under paragraph (a) who fails to do
so is subject to an administrative fine of up to $500,000.
     (c)  The administrative sanctions for nondisclosure
provided in this subsection shall apply per breach and not per
individual affected by the breach.
     (d)  The administrative sanctions for nondisclosure
provided in this subsection shall not apply in the case of
personal information in the custody of any governmental agency
or subdivision unless that governmental agency or subdivision
has entered into a contract with a contractor or third-party
administrator to provide governmental services. In such case,
the contractor or third-party administrator shall be a person to
whom the administrative sanctions provided in this subsection
would apply, although such contractor or third-party
administrator found in violation of the nondisclosure
restrictions in this subsection would not have an action for
contribution or set-off available against the employing agency
or subdivision.
     (3)  The notification required by this section may be
delayed upon a request by law enforcement if a law enforcement
agency determines that the notification will impede a criminal
investigation. The notification time period required by this
section shall commence after the person receives notice from the
law enforcement agency that the notification will not compromise
the investigation.
     (4)  For purposes of this section, the terms "breach" and
"breach of the security of the system" mean unlawful and
unauthorized acquisition of computerized data that materially
compromises the security, confidentiality, or integrity of
personal information maintained by the person. Good faith
acquisition of personal information by an employee or agent of
the person is not a breach or breach of the security of the
system, provided the information is not used for a purpose
unrelated to the business or subject to further unauthorized
use.
     (5)  For purposes of this section, the term "personal
information" means an individual's first name, first initial and
last name, or any middle name and last name, in combination with
any one or more of the following data elements when the data
elements are not encrypted:
     (a)  Social security number.
     (b)  Driver's license number or Florida Identification Card
number.
     (c)  Account number, credit card number, or debit card
number, in combination with any required security code, access
code, or password that would permit access to an individual's
financial account.

For purposes of this section, the term "personal information"
does not include publicly available information that is lawfully
made available to the general public from federal, state, or
local government records or widely distributed media.
     (6)  For purposes of this section, notice may be provided
by one of the following methods:
     (a)  Written notice;
     (b)  Electronic notice, if the notice provided is
consistent with the provisions regarding electronic records and
signatures set forth in 15 U.S.C. s. 7001 or if the person or
business providing the notice has a valid email address for the
subject person and the subject person has agreed to accept
communications electronically; or
     (c)  Substitute notice, if the person demonstrates that the
cost of providing notice would exceed $250,000, the affected
class of subject persons to be notified exceeds 500,000, or the
person does not have sufficient contact information. Substitute
notice shall consist of all of the following:
     1.  Electronic mail or email notice when the person has an
electronic mail or email address for the subject persons.
     2.  Conspicuous posting of the notice on the web page of
the person, if the person maintains a web page.
     3.  Notification to major statewide media.
     (7)  For purposes of this section, the term "unauthorized
person" means any person who does not have permission from, or a
password issued by, the person who stores the computerized data
to acquire such data, but does not include any individual to
whom the personal information pertains.
     (8)  For purposes of this section, the term "person" means
a person as defined in s. 1.01(3). For purposes of this section,
the State of Florida, as well as any of its agencies or
political subdivisions, and any of the agencies of its political
subdivisions, constitutes a person.
     (9)  Notwithstanding subsection (6), a person who
maintains:
     (a)  The person's own notification procedures as part of an
information security or privacy policy for the treatment of
personal information, which procedures are otherwise consistent
with the timing requirements of this part; or
     (b)  A notification procedure pursuant to the rules,
regulations, procedures, or guidelines established by the
person's primary or functional federal regulator,

shall be deemed to be in compliance with the notification
requirements of this section if the person notifies subject
persons in accordance with the person's policies or the rules,
regulations, procedures, or guidelines established by the
primary or functional federal regulator in the event of a breach
of security of the system.
     (10)(a)  Notwithstanding subsection (2), notification is
not required if, after an appropriate investigation or after
consultation with relevant federal, state, and local agencies
responsible for law enforcement, the person reasonably
determines that the breach has not and will not likely result in
harm to the individuals whose personal information has been
acquired and accessed. Such a determination must be documented
in writing and the documentation must be maintained for 5 years.
     (b)  Any person required to document a failure to notify
affected persons who fails to document the failure as required
in this subsection or who, if documentation was created, fails
to maintain the documentation for the full 5 years as required
in this subsection is liable for an administrative fine in the
amount of up to $50,000 for such failure.
     (c)  The administrative sanctions outlined in this
subsection shall not apply in the case of personal information
in the custody of any governmental agency or subdivision, unless
that governmental agency or subdivision has entered into a
contract with a contractor or third-party administrator to
provide governmental services. In such case the contractor or
third-party administrator shall be a person to whom the
administrative sanctions outlined in this subsection would
apply, although such contractor or third-party administrator
found in violation of the documentation and maintenance of
documentation requirements in this subsection would not have an
action for contribution or set-off available against the
employing agency or subdivision.
     (11)  The Department of Legal Affairs may institute
proceedings to assess and collect the fines provided in this
section.
     (12)  If a person discovers circumstances requiring
notification pursuant to this section of more than 1,000 persons
at a single time, the person shall also notify, without
unreasonable delay, all consumer reporting agencies that compile
and maintain files on consumers on a nationwide basis, as
defined in 15 U.S.C. s. 1681a(p), of the timing, distribution,
and content of the notices.
     Section 3.  This act shall take effect July 1, 2005.


CODING: Words stricken are deletions; words underlined are additions.