| 1 | A bill to be entitled |
| 2 | An act relating to unlawful use of personal identification |
| 3 | information; amending s. 817.568, F.S.; including other |
| 4 | information within the definition of the term "personal |
| 5 | identification information"; defining the term |
| 6 | "counterfeit or fictitious personal identification |
| 7 | information"; revising criminal penalties relating to the |
| 8 | offense of fraudulently using, or possessing with intent |
| 9 | to fraudulently use, personal identification information; |
| 10 | providing minimum mandatory terms of imprisonment; |
| 11 | creating the offenses of willfully and fraudulently using, |
| 12 | or possessing with intent to fraudulently use, personal |
| 13 | identification information concerning a deceased |
| 14 | individual; providing criminal penalties; providing for |
| 15 | minimum mandatory terms of imprisonment; creating the |
| 16 | offense of willfully and fraudulently creating or using, |
| 17 | or possessing with intent to fraudulently use, counterfeit |
| 18 | or fictitious personal identification information; |
| 19 | providing criminal penalties; providing for |
| 20 | reclassification of offenses under certain circumstances; |
| 21 | providing for reduction or suspension of sentences under |
| 22 | certain circumstances; creating s. 817.5681, F.S.; |
| 23 | requiring business persons maintaining computerized data |
| 24 | that includes personal information to provide notice of |
| 25 | breaches of system security under certain circumstances; |
| 26 | providing requirements; providing for administrative |
| 27 | fines; providing exceptions and limitations; authorizing |
| 28 | delays of such disclosures under certain circumstances; |
| 29 | providing definitions; providing for alternative notice |
| 30 | methods; specifying conditions of compliance for persons |
| 31 | maintaining certain alternative notification procedures; |
| 32 | specifying conditions under which notification is not |
| 33 | required; providing requirements for documentation and |
| 34 | maintenance of documentation; providing an administrative |
| 35 | fine for failing to document certain failures to comply; |
| 36 | providing for application of administrative sanctions to |
| 37 | certain persons under certain circumstances; authorizing |
| 38 | the Department of Legal Affairs to institute proceedings |
| 39 | to assess and collect fines; requiring notification of |
| 40 | consumer reporting agencies of breaches of system security |
| 41 | under certain circumstances; providing an effective date. |
| 42 |
|
| 43 | Be It Enacted by the Legislature of the State of Florida: |
| 44 |
|
| 45 | Section 1. Section 817.568, Florida Statutes, is amended |
| 46 | to read: |
| 47 | 817.568 Criminal use of personal identification |
| 48 | information.-- |
| 49 | (1) As used in this section, the term: |
| 50 | (a) "Access device" means any card, plate, code, account |
| 51 | number, electronic serial number, mobile identification number, |
| 52 | personal identification number, or other telecommunications |
| 53 | service, equipment, or instrument identifier, or other means of |
| 54 | account access that can be used, alone or in conjunction with |
| 55 | another access device, to obtain money, goods, services, or any |
| 56 | other thing of value, or that can be used to initiate a transfer |
| 57 | of funds, other than a transfer originated solely by paper |
| 58 | instrument. |
| 59 | (b) "Authorization" means empowerment, permission, or |
| 60 | competence to act. |
| 61 | (c) "Harass" means to engage in conduct directed at a |
| 62 | specific person that is intended to cause substantial emotional |
| 63 | distress to such person and serves no legitimate purpose. |
| 64 | "Harass" does not mean to use personal identification |
| 65 | information for accepted commercial purposes. The term does not |
| 66 | include constitutionally protected conduct such as organized |
| 67 | protests or the use of personal identification information for |
| 68 | accepted commercial purposes. |
| 69 | (d) "Individual" means a single human being and does not |
| 70 | mean a firm, association of individuals, corporation, |
| 71 | partnership, joint venture, sole proprietorship, or any other |
| 72 | entity. |
| 73 | (e) "Person" means a "person" as defined in s. 1.01(3). |
| 74 | (f) "Personal identification information" means any name |
| 75 | or number that may be used, alone or in conjunction with any |
| 76 | other information, to identify a specific individual, including |
| 77 | any: |
| 78 | 1. Name, postal or electronic mail address, telephone |
| 79 | number, social security number, date of birth, mother's maiden |
| 80 | name, official state-issued or United States-issued driver's |
| 81 | license or identification number, alien registration number, |
| 82 | government passport number, employer or taxpayer identification |
| 83 | number, Medicaid or food stamp account number, or bank account |
| 84 | number, or credit or debit card number, or personal |
| 85 | identification number or code assigned to the holder of a debit |
| 86 | card by the issuer to permit authorized electronic use of such |
| 87 | card; |
| 88 | 2. Unique biometric data, such as fingerprint, voice |
| 89 | print, retina or iris image, or other unique physical |
| 90 | representation; |
| 91 | 3. Unique electronic identification number, address, or |
| 92 | routing code; or |
| 93 | 4. Medical records; |
| 94 | 5.4. Telecommunication identifying information or access |
| 95 | device; or. |
| 96 | 6. Other number or information that can be used to access |
| 97 | a person's financial resources. |
| 98 | (g) "Counterfeit or fictitious personal identification |
| 99 | information" means any counterfeit, fictitious, or fabricated |
| 100 | information in the similitude of the data outlined in paragraph |
| 101 | (f) that, although not truthful or accurate, would in context |
| 102 | lead a reasonably prudent person to credit its truthfulness and |
| 103 | accuracy. |
| 104 | (2)(a) Any person who willfully and without authorization |
| 105 | fraudulently uses, or possesses with intent to fraudulently use, |
| 106 | personal identification information concerning an individual |
| 107 | without first obtaining that individual's consent, commits the |
| 108 | offense of fraudulent use of personal identification |
| 109 | information, which is a felony of the third degree, punishable |
| 110 | as provided in s. 775.082, s. 775.083, or s. 775.084. |
| 111 | (b) Any person who willfully and without authorization |
| 112 | fraudulently uses personal identification information concerning |
| 113 | an individual without first obtaining that individual's consent |
| 114 | commits a felony of the second degree, punishable as provided in |
| 115 | s. 775.082, s. 775.083, or s. 775.084, if the pecuniary benefit, |
| 116 | the value of the services received, the payment sought to be |
| 117 | avoided, or the amount of the injury or fraud perpetrated is |
| 118 | $5,000 or more or if the person fraudulently uses the personal |
| 119 | identification information of 10 or more individuals, but fewer |
| 120 | than 20 individuals, without their consent. Notwithstanding any |
| 121 | other provision of law, the court shall sentence any person |
| 122 | convicted of committing the offense described in this paragraph |
| 123 | to a mandatory minimum sentence of 3 years' imprisonment. |
| 124 | (c) Any person who willfully and without authorization |
| 125 | fraudulently uses personal identification information concerning |
| 126 | an individual without first obtaining that individual's consent |
| 127 | commits a felony of the first degree, punishable as provided in |
| 128 | s. 775.082, s. 775.083, or s. 775.084, if the pecuniary benefit, |
| 129 | the value of the services received, the payment sought to be |
| 130 | avoided, or the amount of the injury or fraud perpetrated is |
| 131 | $50,000 or more or if the person fraudulently uses the personal |
| 132 | identification information of 20 or more individuals, but fewer |
| 133 | than 30 individuals, without their consent. Notwithstanding any |
| 134 | other provision of law, the court shall sentence any person |
| 135 | convicted of committing the offense described in this paragraph: |
| 136 | 1. to a mandatory minimum sentence of 5 years' |
| 137 | imprisonment. If the pecuniary benefit, the value of the |
| 138 | services received, the payment sought to be avoided, or the |
| 139 | amount of the injury or fraud perpetrated is $100,000 or more, |
| 140 | or if the person fraudulently uses the personal identification |
| 141 | information of 30 or more individuals without their consent, |
| 142 | notwithstanding any other provision of law, the court shall |
| 143 | sentence any person convicted of committing the offense |
| 144 | described in this paragraph |
| 145 | 2. to a mandatory minimum sentence of 10 years' |
| 146 | imprisonment, if the pecuniary benefit, the value of the |
| 147 | services received, the payment sought to be avoided, or the |
| 148 | amount of the injury or fraud perpetrated is $100,000 or more or |
| 149 | if the person fraudulently uses the personal identification |
| 150 | information of 30 or more individuals without their consent. |
| 151 | (3) Neither paragraph (2)(b) nor paragraph (2)(c) prevents |
| 152 | a court from imposing a greater sentence of incarceration as |
| 153 | authorized by law. If the minimum mandatory terms of |
| 154 | imprisonment imposed under paragraph (2)(b) or paragraph (2)(c) |
| 155 | exceed the maximum sentences authorized under s. 775.082, s. |
| 156 | 775.084, or the Criminal Punishment Code under chapter 921, the |
| 157 | mandatory minimum sentence must be imposed. If the mandatory |
| 158 | minimum terms of imprisonment under paragraph (2)(b) or |
| 159 | paragraph (2)(c) are less than the sentence that could be |
| 160 | imposed under s. 775.082, s. 775.084, or the Criminal Punishment |
| 161 | Code under chapter 921, the sentence imposed by the court must |
| 162 | include the mandatory minimum term of imprisonment as required |
| 163 | by paragraph (2)(b) or paragraph (2)(c). |
| 164 | (4) Any person who willfully and without authorization |
| 165 | possesses, uses, or attempts to use personal identification |
| 166 | information concerning an individual without first obtaining |
| 167 | that individual's consent, and who does so for the purpose of |
| 168 | harassing that individual, commits the offense of harassment by |
| 169 | use of personal identification information, which is a |
| 170 | misdemeanor of the first degree, punishable as provided in s. |
| 171 | 775.082 or s. 775.083. |
| 172 | (5) If an offense prohibited under this section was |
| 173 | facilitated or furthered by the use of a public record, as |
| 174 | defined in s. 119.011, the offense is reclassified to the next |
| 175 | higher degree as follows: |
| 176 | (a) A misdemeanor of the first degree is reclassified as a |
| 177 | felony of the third degree. |
| 178 | (b) A felony of the third degree is reclassified as a |
| 179 | felony of the second degree. |
| 180 | (c) A felony of the second degree is reclassified as a |
| 181 | felony of the first degree. |
| 182 |
|
| 183 | For purposes of sentencing under chapter 921 and incentive gain- |
| 184 | time eligibility under chapter 944, a felony offense that is |
| 185 | reclassified under this subsection is ranked one level above the |
| 186 | ranking under s. 921.0022 of the felony offense committed, and a |
| 187 | misdemeanor offense that is reclassified under this subsection |
| 188 | is ranked in level 2 of the offense severity ranking chart in s. |
| 189 | 921.0022. |
| 190 | (6) Any person who willfully and without authorization |
| 191 | fraudulently uses personal identification information concerning |
| 192 | an individual who is less than 18 years of age without first |
| 193 | obtaining the consent of that individual or of his or her legal |
| 194 | guardian commits a felony of the second degree, punishable as |
| 195 | provided in s. 775.082, s. 775.083, or s. 775.084. |
| 196 | (7) Any person who is in the relationship of parent or |
| 197 | legal guardian, or who otherwise exercises custodial authority |
| 198 | over an individual who is less than 18 years of age, who |
| 199 | willfully and fraudulently uses personal identification |
| 200 | information of that individual commits a felony of the second |
| 201 | degree, punishable as provided in s. 775.082, s. 775.083, or s. |
| 202 | 775.084. |
| 203 | (8)(a) Any person who willfully and fraudulently uses, or |
| 204 | possesses with intent to fraudulently use, personal |
| 205 | identification information concerning a deceased individual |
| 206 | commits the offense of fraudulent use or possession with intent |
| 207 | to use personal identification information of a deceased |
| 208 | individual, a felony of the third degree, punishable as provided |
| 209 | in s. 775.082, s. 775.083, or s. 775.084. |
| 210 | (b) Any person who willfully and fraudulently uses |
| 211 | personal identification information concerning a deceased |
| 212 | individual commits a felony of the second degree, punishable as |
| 213 | provided in s. 775.082, s. 775.083, or s. 775.084, if the |
| 214 | pecuniary benefit, the value of the services received, the |
| 215 | payment sought to be avoided, or the amount of injury or fraud |
| 216 | perpetrated is $5,000 or more, or if the person fraudulently |
| 217 | uses the personal identification information of 10 or more but |
| 218 | fewer than 20 deceased individuals. Notwithstanding any other |
| 219 | provision of law, the court shall sentence any person convicted |
| 220 | of committing the offense described in this paragraph to a |
| 221 | mandatory minimum sentence of 3 years' imprisonment. |
| 222 | (c) Any person who willfully and fraudulently uses |
| 223 | personal identification information concerning a deceased |
| 224 | individual commits the offense of aggravated fraudulent use of |
| 225 | the personal identification information of multiple deceased |
| 226 | individuals, a felony of the first degree, punishable as |
| 227 | provided in s. 775.082, s. 775.083, or s. 775.084, if the |
| 228 | pecuniary benefit, the value of the services received, the |
| 229 | payment sought to be avoided, or the amount of injury or fraud |
| 230 | perpetrated is $50,000 or more, or if the person fraudulently |
| 231 | uses the personal identification information of 20 or more but |
| 232 | fewer than 30 deceased individuals. Notwithstanding any other |
| 233 | provision of law, the court shall sentence any person convicted |
| 234 | of the offense described in this paragraph to a minimum |
| 235 | mandatory sentence of 5 years' imprisonment. If the pecuniary |
| 236 | benefit, the value of the services received, the payment sought |
| 237 | to be avoided, or the amount of the injury or fraud perpetrated |
| 238 | is $100,000 or more, or if the person fraudulently uses the |
| 239 | personal identification information of 30 or more deceased |
| 240 | individuals, notwithstanding any other provision of law, the |
| 241 | court shall sentence any person convicted of an offense |
| 242 | described in this paragraph to a mandatory minimum sentence of |
| 243 | 10 years' imprisonment. |
| 244 | (9) Any person who willfully and fraudulently creates or |
| 245 | uses, or possesses with intent to fraudulently use, counterfeit |
| 246 | or fictitious personal identification information concerning a |
| 247 | fictitious individual, or concerning a real individual without |
| 248 | first obtaining that real individual's consent, with intent to |
| 249 | use such counterfeit or fictitious personal identification |
| 250 | information for the purpose of committing or facilitating the |
| 251 | commission of a fraud on another person, commits the offense of |
| 252 | fraudulent creation or use, or possession with intent to |
| 253 | fraudulently use, counterfeit or fictitious personal |
| 254 | identification information, a felony of the third degree, |
| 255 | punishable as provided in s. 775.082, s. 775.083, or s. 775.084. |
| 256 | (10) Any person who commits an offense described in this |
| 257 | section and for the purpose of obtaining or using personal |
| 258 | identification information misrepresents himself or herself to |
| 259 | be a law enforcement officer; an employee or representative of a |
| 260 | bank, credit card company, credit counseling company, or credit |
| 261 | reporting agency; or any person who wrongfully represents that |
| 262 | he or she is seeking to assist the victim with a problem with |
| 263 | the victim's credit history shall have the offense reclassified |
| 264 | as follows: |
| 265 | (a) In the case of a misdemeanor, the offense is |
| 266 | reclassified as a felony of the third degree. |
| 267 | (b) In the case of a felony of the third degree, the |
| 268 | offense is reclassified as a felony of the second degree. |
| 269 | (c) In the case of a felony of the second degree, the |
| 270 | offense is reclassified as a felony of the first degree. |
| 271 | (d) In the case of a felony of the first degree or a |
| 272 | felony of the first degree punishable by a term of imprisonment |
| 273 | not exceeding life, the offense is reclassified as a life |
| 274 | felony. |
| 275 |
|
| 276 | For purposes of sentencing under chapter 921, a felony offense |
| 277 | that is reclassified under this subsection is ranked one level |
| 278 | above the ranking under s. 921.0022 or s. 921.0023 of the felony |
| 279 | offense committed, and a misdemeanor offense that is |
| 280 | reclassified under this subsection is ranked in level 2 of the |
| 281 | offense severity ranking chart. |
| 282 | (11) The prosecutor may move the sentencing court to |
| 283 | reduce or suspend the sentence of any person who is convicted of |
| 284 | a violation of this section and who provides substantial |
| 285 | assistance in the identification, arrest, or conviction of any |
| 286 | of that person's accomplices, accessories, coconspirators, or |
| 287 | principals or of any other person engaged in fraudulent |
| 288 | possession or use of personal identification information. The |
| 289 | arresting agency shall be given an opportunity to be heard in |
| 290 | aggravation or mitigation in reference to any such motion. Upon |
| 291 | good cause shown, the motion may be filed and heard in camera. |
| 292 | The judge hearing the motion may reduce or suspend the sentence |
| 293 | if the judge finds that the defendant rendered such substantial |
| 294 | assistance. |
| 295 | (12)(8) This section does not prohibit any lawfully |
| 296 | authorized investigative, protective, or intelligence activity |
| 297 | of a law enforcement agency of this state or any of its |
| 298 | political subdivisions, of any other state or its political |
| 299 | subdivisions, or of the Federal Government or its political |
| 300 | subdivisions. |
| 301 | (13)(9)(a) In sentencing a defendant convicted of an |
| 302 | offense under this section, the court may order that the |
| 303 | defendant make restitution under pursuant to s. 775.089 to any |
| 304 | victim of the offense. In addition to the victim's out-of-pocket |
| 305 | costs, such restitution may include payment of any other costs, |
| 306 | including attorney's fees incurred by the victim in clearing the |
| 307 | victim's credit history or credit rating, or any costs incurred |
| 308 | in connection with any civil or administrative proceeding to |
| 309 | satisfy any debt, lien, or other obligation of the victim |
| 310 | arising as the result of the actions of the defendant. |
| 311 | (b) The sentencing court may issue such orders as are |
| 312 | necessary to correct any public record that contains false |
| 313 | information given in violation of this section. |
| 314 | (14)(10) Prosecutions for violations of this section may |
| 315 | be brought on behalf of the state by any state attorney or by |
| 316 | the statewide prosecutor. |
| 317 | (15)(11) The Legislature finds that, in the absence of |
| 318 | evidence to the contrary, the location where a victim gives or |
| 319 | fails to give consent to the use of personal identification |
| 320 | information is the county where the victim generally resides. |
| 321 | (16)(12) Notwithstanding any other provision of law, venue |
| 322 | for the prosecution and trial of violations of this section may |
| 323 | be commenced and maintained in any county in which an element of |
| 324 | the offense occurred, including the county where the victim |
| 325 | generally resides. |
| 326 | (17)(13) A prosecution of an offense prohibited under |
| 327 | subsection (2), subsection (6), or subsection (7) must be |
| 328 | commenced within 3 years after the offense occurred. However, a |
| 329 | prosecution may be commenced within 1 year after discovery of |
| 330 | the offense by an aggrieved party, or by a person who has a |
| 331 | legal duty to represent the aggrieved party and who is not a |
| 332 | party to the offense, if such prosecution is commenced within 5 |
| 333 | years after the violation occurred. |
| 334 | Section 2. Section 817.5681, Florida Statutes, is created |
| 335 | to read: |
| 336 | 817.5681 Breach of security concerning confidential |
| 337 | personal information in third-party possession; administrative |
| 338 | penalties.-- |
| 339 | (1)(a) Any person who conducts business in this state and |
| 340 | maintains computerized data in a system that includes personal |
| 341 | information shall provide notice of any breach of the security |
| 342 | of the system, following a determination of the breach, to any |
| 343 | resident of this state whose unencrypted personal information |
| 344 | was, or is reasonably believed to have been, acquired by an |
| 345 | unauthorized person. The notification shall be made without |
| 346 | unreasonable delay, consistent with the legitimate needs of law |
| 347 | enforcement, as provided in subsection (3) and paragraph |
| 348 | (10)(a), or subject to any measures necessary to determine the |
| 349 | presence, nature, and scope of the breach and restore the |
| 350 | reasonable integrity of the system. Notification must be made no |
| 351 | later than 45 days following the determination of the breach |
| 352 | unless otherwise provided in this section. |
| 353 | (b) Any person required to make notification under |
| 354 | paragraph (a) who fails to do so within 45 days following the |
| 355 | determination of a breach or receipt of notice from law |
| 356 | enforcement as provided in subsection (3) is liable for an |
| 357 | administrative fine not to exceed $500,000, as follows: |
| 358 | 1. In the amount of $1,000 for each day the breach goes |
| 359 | undisclosed for up to 30 days and, thereafter, $50,000 for each |
| 360 | 30-day period or portion thereof for up to 180 days. |
| 361 | 2. If notification is not made within 180 days, any person |
| 362 | required to make notification under paragraph (a) who fails to |
| 363 | do so is subject to an administrative fine of up to $500,000. |
| 364 | (c) The administrative sanctions for failure to notify |
| 365 | provided in this subsection shall apply per breach and not per |
| 366 | individual affected by the breach. |
| 367 | (d) The administrative sanctions for failure to notify |
| 368 | provided in this subsection shall not apply in the case of |
| 369 | personal information in the custody of any governmental agency |
| 370 | or subdivision, unless that governmental agency or subdivision |
| 371 | has entered into a contract with a contractor or third-party |
| 372 | administrator to provide governmental services. In such case, |
| 373 | the contractor or third-party administrator shall be a person to |
| 374 | whom the administrative sanctions provided in this subsection |
| 375 | would apply, although such contractor or third-party |
| 376 | administrator found in violation of the notification |
| 377 | requirements provided in this subsection would not have an |
| 378 | action for contribution or set-off available against the |
| 379 | employing agency or subdivision. |
| 380 | (2)(a) Any person who maintains computerized data that |
| 381 | includes personal information on behalf of another business |
| 382 | entity shall disclose to the business entity for which the |
| 383 | information is maintained any breach of the security of the |
| 384 | system as soon as practicable, but no later than 10 days |
| 385 | following the determination, if the personal information was, or |
| 386 | is reasonably believed to have been, acquired by an unauthorized |
| 387 | person. The person who maintains the data on behalf of another |
| 388 | business entity and the business entity on whose behalf the data |
| 389 | is maintained may agree who will provide the notice, if any is |
| 390 | required, as provided in paragraph (1)(a), provided only a |
| 391 | single notice for each breach of the security of the system |
| 392 | shall be required. If agreement regarding notification cannot be |
| 393 | reached, the person who has the direct business relationship |
| 394 | with the resident of this state shall be subject to the |
| 395 | provisions of paragraph (1)(a). |
| 396 | (b) Any person required to disclose to a business entity |
| 397 | under paragraph (a) who fails to do so within 10 days after the |
| 398 | determination of a breach or receipt of notification from law |
| 399 | enforcement as provided in subsection (3) is liable for an |
| 400 | administrative fine not to exceed $500,000, as follows: |
| 401 | 1. In the amount of $1,000 for each day the breach goes |
| 402 | undisclosed for up to 30 days and, thereafter, $50,000 for each |
| 403 | 30-day period or portion thereof for up to 180 days. |
| 404 | 2. If disclosure is not made within 180 days, any person |
| 405 | required to make disclosures under paragraph (a) who fails to do |
| 406 | so is subject to an administrative fine of up to $500,000. |
| 407 | (c) The administrative sanctions for nondisclosure |
| 408 | provided in this subsection shall apply per breach and not per |
| 409 | individual affected by the breach. |
| 410 | (d) The administrative sanctions for nondisclosure |
| 411 | provided in this subsection shall not apply in the case of |
| 412 | personal information in the custody of any governmental agency |
| 413 | or subdivision unless that governmental agency or subdivision |
| 414 | has entered into a contract with a contractor or third-party |
| 415 | administrator to provide governmental services. In such case, |
| 416 | the contractor or third-party administrator shall be a person to |
| 417 | whom the administrative sanctions provided in this subsection |
| 418 | would apply, although such contractor or third-party |
| 419 | administrator found in violation of the nondisclosure |
| 420 | restrictions in this subsection would not have an action for |
| 421 | contribution or set-off available against the employing agency |
| 422 | or subdivision. |
| 423 | (3) The notification required by this section may be |
| 424 | delayed upon a request by law enforcement if a law enforcement |
| 425 | agency determines that the notification will impede a criminal |
| 426 | investigation. The notification time period required by this |
| 427 | section shall commence after the person receives notice from the |
| 428 | law enforcement agency that the notification will not compromise |
| 429 | the investigation. |
| 430 | (4) For purposes of this section, the terms "breach" and |
| 431 | "breach of the security of the system" mean unlawful and |
| 432 | unauthorized acquisition of computerized data that materially |
| 433 | compromises the security, confidentiality, or integrity of |
| 434 | personal information maintained by the person. Good faith |
| 435 | acquisition of personal information by an employee or agent of |
| 436 | the person is not a breach or breach of the security of the |
| 437 | system, provided the information is not used for a purpose |
| 438 | unrelated to the business or subject to further unauthorized |
| 439 | use. |
| 440 | (5) For purposes of this section, the term "personal |
| 441 | information" means an individual's first name, first initial and |
| 442 | last name, or any middle name and last name, in combination with |
| 443 | any one or more of the following data elements when the data |
| 444 | elements are not encrypted: |
| 445 | (a) Social security number. |
| 446 | (b) Driver's license number or Florida Identification Card |
| 447 | number. |
| 448 | (c) Account number, credit card number, or debit card |
| 449 | number, in combination with any required security code, access |
| 450 | code, or password that would permit access to an individual's |
| 451 | financial account. |
| 452 |
|
| 453 | For purposes of this section, the term "personal information" |
| 454 | does not include publicly available information that is lawfully |
| 455 | made available to the general public from federal, state, or |
| 456 | local government records or widely distributed media. |
| 457 | (6) For purposes of this section, notice may be provided |
| 458 | by one of the following methods: |
| 459 | (a) Written notice; |
| 460 | (b) Electronic notice, if the notice provided is |
| 461 | consistent with the provisions regarding electronic records and |
| 462 | signatures set forth in 15 U.S.C. s. 7001 or if the person or |
| 463 | business providing the notice has a valid email address for the |
| 464 | subject person and the subject person has agreed to accept |
| 465 | communications electronically; or |
| 466 | (c) Substitute notice, if the person demonstrates that the |
| 467 | cost of providing notice would exceed $250,000, the affected |
| 468 | class of subject persons to be notified exceeds 500,000, or the |
| 469 | person does not have sufficient contact information. Substitute |
| 470 | notice shall consist of all of the following: |
| 471 | 1. Electronic mail or email notice when the person has an |
| 472 | electronic mail or email address for the subject persons. |
| 473 | 2. Conspicuous posting of the notice on the web page of |
| 474 | the person, if the person maintains a web page. |
| 475 | 3. Notification to major statewide media. |
| 476 | (7) For purposes of this section, the term "unauthorized |
| 477 | person" means any person who does not have permission from, or a |
| 478 | password issued by, the person who stores the computerized data |
| 479 | to acquire such data, but does not include any individual to |
| 480 | whom the personal information pertains. |
| 481 | (8) For purposes of this section, the term "person" means |
| 482 | a person as defined in s. 1.01(3). For purposes of this section, |
| 483 | the State of Florida, as well as any of its agencies or |
| 484 | political subdivisions, and any of the agencies of its political |
| 485 | subdivisions, constitutes a person. |
| 486 | (9) Notwithstanding subsection (6), a person who |
| 487 | maintains: |
| 488 | (a) The person's own notification procedures as part of an |
| 489 | information security or privacy policy for the treatment of |
| 490 | personal information, which procedures are otherwise consistent |
| 491 | with the timing requirements of this part; or |
| 492 | (b) A notification procedure pursuant to the rules, |
| 493 | regulations, procedures, or guidelines established by the |
| 494 | person's primary or functional federal regulator, |
| 495 |
|
| 496 | shall be deemed to be in compliance with the notification |
| 497 | requirements of this section if the person notifies subject |
| 498 | persons in accordance with the person's policies or the rules, |
| 499 | regulations, procedures, or guidelines established by the |
| 500 | primary or functional federal regulator in the event of a breach |
| 501 | of security of the system. |
| 502 | (10)(a) Notwithstanding subsection (2), notification is |
| 503 | not required if, after an appropriate investigation or after |
| 504 | consultation with relevant federal, state, and local agencies |
| 505 | responsible for law enforcement, the person reasonably |
| 506 | determines that the breach has not and will not likely result in |
| 507 | harm to the individuals whose personal information has been |
| 508 | acquired and accessed. Such a determination must be documented |
| 509 | in writing and the documentation must be maintained for 5 years. |
| 510 | (b) Any person required to document a failure to notify |
| 511 | affected persons who fails to document the failure as required |
| 512 | in this subsection or who, if documentation was created, fails |
| 513 | to maintain the documentation for the full 5 years as required |
| 514 | in this subsection is liable for an administrative fine in the |
| 515 | amount of up to $50,000 for such failure. |
| 516 | (c) The administrative sanctions outlined in this |
| 517 | subsection shall not apply in the case of personal information |
| 518 | in the custody of any governmental agency or subdivision, unless |
| 519 | that governmental agency or subdivision has entered into a |
| 520 | contract with a contractor or third-party administrator to |
| 521 | provide governmental services. In such case the contractor or |
| 522 | third-party administrator shall be a person to whom the |
| 523 | administrative sanctions outlined in this subsection would |
| 524 | apply, although such contractor or third-party administrator |
| 525 | found in violation of the documentation and maintenance of |
| 526 | documentation requirements in this subsection would not have an |
| 527 | action for contribution or set-off available against the |
| 528 | employing agency or subdivision. |
| 529 | (11) The Department of Legal Affairs may institute |
| 530 | proceedings to assess and collect the fines provided in this |
| 531 | section. |
| 532 | (12) If a person discovers circumstances requiring |
| 533 | notification pursuant to this section of more than 1,000 persons |
| 534 | at a single time, the person shall also notify, without |
| 535 | unreasonable delay, all consumer reporting agencies that compile |
| 536 | and maintain files on consumers on a nationwide basis, as |
| 537 | defined in 15 U.S.C. s. 1681a(p), of the timing, distribution, |
| 538 | and content of the notices. |
| 539 | Section 3. This act shall take effect July 1, 2005. |