Senate Bill sb0978c2
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
By the Committees on Commerce and Consumer Services;
Judiciary; and Senators Campbell and Aronberg
577-2281-05
1 A bill to be entitled
2 An act relating to unlawful use of personal
3 identification information; amending s.
4 817.568, F.S.; including other information
5 within the definition of the term "personal
6 identification information"; defining the term
7 "counterfeit or fictitious personal
8 identification information"; revising criminal
9 penalties relating to the offense of
10 fraudulently using, or possessing with intent
11 to fraudulently use, personal identification
12 information; providing minimum mandatory terms
13 of imprisonment; creating the offenses of
14 willfully and fraudulently using, or possessing
15 with intent to fraudulently use, personal
16 identification information concerning a
17 deceased individual; providing criminal
18 penalties; providing for minimum mandatory
19 terms of imprisonment; creating the offense of
20 willfully and fraudulently creating or using,
21 or possessing with intent to fraudulently use,
22 counterfeit or fictitious personal
23 identification information; providing criminal
24 penalties; providing for reclassification of
25 offenses under certain circumstances; providing
26 for reduction or suspension of sentences under
27 certain circumstances; creating s. 817.5681,
28 F.S.; requiring business persons maintaining
29 computerized data that includes personal
30 information to provide notice of breaches of
31 system security under certain circumstances;
1
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 providing requirements; providing for
2 administrative fines; providing exceptions and
3 limitations; authorizing delays of such
4 disclosures under certain circumstances;
5 providing definitions; providing for
6 alternative notice methods; specifying
7 conditions of compliance for persons
8 maintaining certain alternative notification
9 procedures; specifying conditions under which
10 notification is not required; providing
11 requirements for documentation and maintenance
12 of documentation; providing an administrative
13 fine for failing to document certain failures
14 to comply; providing for application of
15 administrative sanctions to certain persons
16 under certain circumstances; authorizing the
17 Department of Legal Affairs to institute
18 proceedings to assess and collect fines;
19 requiring notification of consumer reporting
20 agencies of breaches of security under certain
21 circumstances; providing an effective date.
22
23 Be It Enacted by the Legislature of the State of Florida:
24
25 Section 1. Section 817.568, Florida Statutes, is
26 amended to read:
27 817.568 Criminal use of personal identification
28 information.--
29 (1) As used in this section, the term:
30 (a) "Access device" means any card, plate, code,
31 account number, electronic serial number, mobile
2
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 identification number, personal identification number, or
2 other telecommunications service, equipment, or instrument
3 identifier, or other means of account access that can be used,
4 alone or in conjunction with another access device, to obtain
5 money, goods, services, or any other thing of value, or that
6 can be used to initiate a transfer of funds, other than a
7 transfer originated solely by paper instrument.
8 (b) "Authorization" means empowerment, permission, or
9 competence to act.
10 (c) "Harass" means to engage in conduct directed at a
11 specific person that is intended to cause substantial
12 emotional distress to such person and serves no legitimate
13 purpose. "Harass" does not mean to use personal identification
14 information for accepted commercial purposes. The term does
15 not include constitutionally protected conduct such as
16 organized protests or the use of personal identification
17 information for accepted commercial purposes.
18 (d) "Individual" means a single human being and does
19 not mean a firm, association of individuals, corporation,
20 partnership, joint venture, sole proprietorship, or any other
21 entity.
22 (e) "Person" means a "person" as defined in s.
23 1.01(3).
24 (f) "Personal identification information" means any
25 name or number that may be used, alone or in conjunction with
26 any other information, to identify a specific individual,
27 including any:
28 1. Name, postal or electronic mail address, telephone
29 number, social security number, date of birth, mother's maiden
30 name, official state-issued or United States-issued driver's
31 license or identification number, alien registration number,
3
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 government passport number, employer or taxpayer
2 identification number, Medicaid or food stamp account number,
3 or bank account number, or credit or debit card number, or
4 personal identification number or code assigned to the holder
5 of a debit card by the issuer to permit authorized electronic
6 use of such card;
7 2. Unique biometric data, such as fingerprint, voice
8 print, retina or iris image, or other unique physical
9 representation;
10 3. Unique electronic identification number, address,
11 or routing code; or
12 4. Medical records;
13 5.4. Telecommunication identifying information or
14 access device; or.
15 6. Other number or information that can be used to
16 access a person's financial resources.
17 (g) "Counterfeit or fictitious personal identification
18 information" means any counterfeit, fictitious, or fabricated
19 information in the similitude of the data outlined in
20 paragraph (f) which, although not truthful or accurate, would
21 in context lead a reasonably prudent person to credit its
22 truthfulness and accuracy.
23 (2)(a) Any person who willfully and without
24 authorization fraudulently uses, or possesses with intent to
25 fraudulently use, personal identification information
26 concerning an individual without first obtaining that
27 individual's consent, commits the offense of fraudulent use of
28 personal identification information, which is a felony of the
29 third degree, punishable as provided in s. 775.082, s.
30 775.083, or s. 775.084.
31
4
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 (b) Any person who willfully and without authorization
2 fraudulently uses personal identification information
3 concerning an individual without first obtaining that
4 individual's consent commits a felony of the second degree,
5 punishable as provided in s. 775.082, s. 775.083, or s.
6 775.084, if the pecuniary benefit, the value of the services
7 received, the payment sought to be avoided, or the amount of
8 the injury or fraud perpetrated is $5,000 or more or if the
9 person fraudulently uses the personal identification
10 information of 10 or more individuals, but fewer than 20
11 individuals, without their consent. Notwithstanding any other
12 provision of law, the court shall sentence any person
13 convicted of committing the offense described in this
14 paragraph to a mandatory minimum sentence of 3 years'
15 imprisonment.
16 (c) Any person who willfully and without authorization
17 fraudulently uses personal identification information
18 concerning an individual without first obtaining that
19 individual's consent commits a felony of the first degree,
20 punishable as provided in s. 775.082, s. 775.083, or s.
21 775.084, if the pecuniary benefit, the value of the services
22 received, the payment sought to be avoided, or the amount of
23 the injury or fraud perpetrated is $50,000 or more or if the
24 person fraudulently uses the personal identification
25 information of 20 or more individuals, but fewer than 30
26 individuals, without their consent. Notwithstanding any other
27 provision of law, the court shall sentence any person
28 convicted of committing the offense described in this
29 paragraph:
30 1. to a mandatory minimum sentence of 5 years'
31 imprisonment. If the pecuniary benefit, the value of the
5
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 services received, the payment sought to be avoided, or the
2 amount of the injury or fraud perpetrated is $100,000 or more,
3 or if the person fraudulently uses the personal identification
4 information of 30 or more individuals without their consent,
5 notwithstanding any other provision of law, the court shall
6 sentence any person convicted of committing the offense
7 described in this paragraph
8 2. to a mandatory minimum sentence of 10 years'
9 imprisonment, if the pecuniary benefit, the value of the
10 services received, the payment sought to be avoided, or the
11 amount of the injury or fraud perpetrated is $100,000 or more
12 or if the person fraudulently uses the personal identification
13 information of 30 or more individuals without their consent.
14 (3) Neither paragraph (2)(b) nor paragraph (2)(c)
15 prevents a court from imposing a greater sentence of
16 incarceration as authorized by law. If the minimum mandatory
17 terms of imprisonment imposed under paragraph (2)(b) or
18 paragraph (2)(c) exceed the maximum sentences authorized under
19 s. 775.082, s. 775.084, or the Criminal Punishment Code under
20 chapter 921, the mandatory minimum sentence must be imposed.
21 If the mandatory minimum terms of imprisonment under paragraph
22 (2)(b) or paragraph (2)(c) are less than the sentence that
23 could be imposed under s. 775.082, s. 775.084, or the Criminal
24 Punishment Code under chapter 921, the sentence imposed by the
25 court must include the mandatory minimum term of imprisonment
26 as required by paragraph (2)(b) or paragraph (2)(c).
27 (4) Any person who willfully and without authorization
28 possesses, uses, or attempts to use personal identification
29 information concerning an individual without first obtaining
30 that individual's consent, and who does so for the purpose of
31 harassing that individual, commits the offense of harassment
6
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 by use of personal identification information, which is a
2 misdemeanor of the first degree, punishable as provided in s.
3 775.082 or s. 775.083.
4 (5) If an offense prohibited under this section was
5 facilitated or furthered by the use of a public record, as
6 defined in s. 119.011, the offense is reclassified to the next
7 higher degree as follows:
8 (a) A misdemeanor of the first degree is reclassified
9 as a felony of the third degree.
10 (b) A felony of the third degree is reclassified as a
11 felony of the second degree.
12 (c) A felony of the second degree is reclassified as a
13 felony of the first degree.
14
15 For purposes of sentencing under chapter 921 and incentive
16 gain-time eligibility under chapter 944, a felony offense that
17 is reclassified under this subsection is ranked one level
18 above the ranking under s. 921.0022 of the felony offense
19 committed, and a misdemeanor offense that is reclassified
20 under this subsection is ranked in level 2 of the offense
21 severity ranking chart in s. 921.0022.
22 (6) Any person who willfully and without authorization
23 fraudulently uses personal identification information
24 concerning an individual who is less than 18 years of age
25 without first obtaining the consent of that individual or of
26 his or her legal guardian commits a felony of the second
27 degree, punishable as provided in s. 775.082, s. 775.083, or
28 s. 775.084.
29 (7) Any person who is in the relationship of parent or
30 legal guardian, or who otherwise exercises custodial authority
31 over an individual who is less than 18 years of age, who
7
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 willfully and fraudulently uses personal identification
2 information of that individual commits a felony of the second
3 degree, punishable as provided in s. 775.082, s. 775.083, or
4 s. 775.084.
5 (8)(a) Any person who willfully and fraudulently uses,
6 or possesses with intent to fraudulently use, personal
7 identification information concerning a deceased individual
8 commits the offense of fraudulent use or possession with
9 intent to use personal identification information of a
10 deceased individual, a felony of the third degree, punishable
11 as provided in s. 775.082, s. 775.083, or s. 775.084.
12 (b) Any person who willfully and fraudulently uses
13 personal identification information concerning a deceased
14 individual commits a felony of the second degree, punishable
15 as provided in s. 775.082, s. 775.083, or s. 775.084, if the
16 pecuniary benefit, the value of the services received, the
17 payment sought to be avoided, or the amount of injury or fraud
18 perpetrated is $5,000 or more, or if the person fraudulently
19 uses the personal identification information of 10 or more but
20 fewer than 20 deceased individuals. Notwithstanding any other
21 provision of law, the court shall sentence any person
22 convicted of committing the offense described in this
23 paragraph to a mandatory minimum sentence of 3 years'
24 imprisonment.
25 (c) Any person who willfully and fraudulently uses
26 personal identification information concerning a deceased
27 individual commits the offense of aggravated fraudulent use of
28 the personal identification information of multiple deceased
29 individuals, a felony of the first degree, punishable as
30 provided in s. 775.082, s. 775.083, or s. 775.084, if the
31 pecuniary benefit, the value of the services received, the
8
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 payment sought to be avoided, or the amount of injury or fraud
2 perpetrated is $50,000 or more, or if the person fraudulently
3 uses the personal identification information of 20 or more but
4 fewer than 30 deceased individuals. Notwithstanding any other
5 provision of law, the court shall sentence any person
6 convicted of the offense described in this paragraph to a
7 minimum mandatory sentence of 5 years' imprisonment. If the
8 pecuniary benefit, the value of the services received, the
9 payment sought to be avoided, or the amount of the injury or
10 fraud perpetrated is $100,000 or more, or if the person
11 fraudulently uses the personal identification information of
12 30 or more deceased individuals, notwithstanding any other
13 provision of law, the court shall sentence any person
14 convicted of an offense described in this paragraph to a
15 mandatory minimum sentence of 10 years' imprisonment.
16 (9) Any person who willfully and fraudulently creates
17 or uses, or possesses with intent to fraudulently use,
18 counterfeit or fictitious personal identification information
19 concerning a fictitious individual, or concerning a real
20 individual without first obtaining that real individual's
21 consent, with intent to use such counterfeit or fictitious
22 personal identification information for the purpose of
23 committing or facilitating the commission of a fraud on
24 another person, commits the offense of fraudulent creation or
25 use, or possession with intent to fraudulently use,
26 counterfeit or fictitious personal identification information,
27 a felony of the third degree, punishable as provided in s.
28 775.082, s. 775.083, or s. 775.084.
29 (10) Any person who commits an offense described in
30 this section and for the purpose of obtaining or using
31 personal identification information misrepresents himself or
9
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 herself to be a law enforcement officer; an employee or
2 representative of a bank, credit card company, credit
3 counseling company, or credit reporting agency; or any person
4 who wrongfully represents that he or she is seeking to assist
5 the victim with a problem with the victim's credit history
6 shall have the offense reclassified as follows:
7 (a) In the case of a misdemeanor, the offense is
8 reclassified as a felony of the third degree.
9 (b) In the case of a felony of the third degree, the
10 offense is reclassified as a felony of the second degree.
11 (c) In the case of a felony of the second degree, the
12 offense is reclassified as a felony of the first degree.
13 (d) In the case of a felony of the first degree or a
14 felony of the first degree punishable by a term of
15 imprisonment not exceeding life, the offense is reclassified
16 as a life felony.
17
18 For purposes of sentencing under chapter 921, a felony offense
19 that is reclassified under this subsection is ranked one level
20 above the ranking under s. 921.0022 or s. 921.0023 of the
21 felony offense committed, and a misdemeanor offense that is
22 reclassified under this subsection is ranked in level 2 of the
23 offense severity ranking chart.
24 (11) The prosecutor may move the sentencing court to
25 reduce or suspend the sentence of any person who is convicted
26 of a violation of this section and who provides substantial
27 assistance in the identification, arrest, or conviction of any
28 of that person's accomplices, accessories, coconspirators, or
29 principals or of any other person engaged in fraudulent
30 possession or use of personal identification information. The
31 arresting agency shall be given an opportunity to be heard in
10
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 aggravation or mitigation in reference to any such motion.
2 Upon good cause shown, the motion may be filed and heard in
3 camera. The judge hearing the motion may reduce or suspend the
4 sentence if the judge finds that the defendant rendered such
5 substantial assistance.
6 (12)(8) This section does not prohibit any lawfully
7 authorized investigative, protective, or intelligence activity
8 of a law enforcement agency of this state or any of its
9 political subdivisions, of any other state or its political
10 subdivisions, or of the Federal Government or its political
11 subdivisions.
12 (13)(9)(a) In sentencing a defendant convicted of an
13 offense under this section, the court may order that the
14 defendant make restitution under pursuant to s. 775.089 to any
15 victim of the offense. In addition to the victim's
16 out-of-pocket costs, such restitution may include payment of
17 any other costs, including attorney's fees incurred by the
18 victim in clearing the victim's credit history or credit
19 rating, or any costs incurred in connection with any civil or
20 administrative proceeding to satisfy any debt, lien, or other
21 obligation of the victim arising as the result of the actions
22 of the defendant.
23 (b) The sentencing court may issue such orders as are
24 necessary to correct any public record that contains false
25 information given in violation of this section.
26 (14)(10) Prosecutions for violations of this section
27 may be brought on behalf of the state by any state attorney or
28 by the statewide prosecutor.
29 (15)(11) The Legislature finds that, in the absence of
30 evidence to the contrary, the location where a victim gives or
31
11
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 fails to give consent to the use of personal identification
2 information is the county where the victim generally resides.
3 (16)(12) Notwithstanding any other provision of law,
4 venue for the prosecution and trial of violations of this
5 section may be commenced and maintained in any county in which
6 an element of the offense occurred, including the county where
7 the victim generally resides.
8 (17)(13) A prosecution of an offense prohibited under
9 subsection (2), subsection (6), or subsection (7) must be
10 commenced within 3 years after the offense occurred. However,
11 a prosecution may be commenced within 1 year after discovery
12 of the offense by an aggrieved party, or by a person who has a
13 legal duty to represent the aggrieved party and who is not a
14 party to the offense, if such prosecution is commenced within
15 5 years after the violation occurred.
16 Section 2. Section 817.5681, Florida Statutes, is
17 created to read:
18 817.5681 Breach of security concerning confidential
19 personal information in third-party possession; administrative
20 penalties.--
21 (1)(a) Any person who conducts business in this state
22 and maintains computerized data in a system that includes
23 personal information shall provide notice of any breach of the
24 security of the system, following a determination of the
25 breach, to any resident of this state whose unencrypted
26 personal information was, or is reasonably believed to have
27 been, acquired by an unauthorized person. The notification
28 shall be made without unreasonable delay, consistent with the
29 legitimate needs of law enforcement, as provided in subsection
30 (3) and paragraph (10)(a), or subject to any measures
31 necessary to determine the presence, nature, and scope of the
12
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 breach and restore the reasonable integrity of the system.
2 Notification must be made no later than 45 days following the
3 determination of the breach unless otherwise provided in this
4 section.
5 (b) Any person required to make notification under
6 paragraph (a) who fails to do so within 45 days following the
7 determination of a breach or receipt of notice from law
8 enforcement as provided in subsection (3) is liable for an
9 administrative fine not to exceed $500,000, as follows:
10 1. In the amount of $1,000 for each day the breach
11 goes undisclosed for up to 30 days and, thereafter, $50,000
12 for each 30-day period or portion thereof for up to 180 days.
13 2. If notification is not made within 180 days, any
14 person required to make notification under paragraph (a) who
15 fails to do so is subject to an administrative fine of up to
16 $500,000.
17 (c) The administrative sanctions for failure to notify
18 provided in this subsection shall not apply in the case of
19 personal information in the custody of any governmental agency
20 or subdivision, unless that governmental agency or subdivision
21 has entered into a contract with a contractor or third-party
22 administrator to provide governmental services. In such case,
23 the contractor or third-party administrator shall be a person
24 to whom the administrative sanctions provided in this
25 subsection would apply, although such contractor or
26 third-party administrator found in violation of the
27 notification requirements provided in this subsection would
28 not have an action for contribution or set-off available
29 against the employing agency or subdivision.
30 (2)(a) Any person who maintains computerized data that
31 includes personal information on behalf of another business
13
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 entity shall disclose to the business entity for which the
2 information is maintained any breach of the security of the
3 system as soon as practicable, but no later than 10 days
4 following the determination, if the personal information was,
5 or is reasonably believed to have been, acquired by an
6 unauthorized person. The person who maintains the data on
7 behalf of another business entity and the business entity on
8 whose behalf the data is maintained may agree who will provide
9 the notice, if any is required, as provided in paragraph
10 (1)(a), provided only a single notice for each breach of the
11 security of the system shall be required. If agreement
12 regarding notification cannot be reached, the person who has
13 the direct business relationship with the resident of this
14 state shall be subject to the provisions of paragraph (1)(a).
15 (b) Any person required to disclose to a business
16 entity under paragraph (a) who fails to do so within 10 days
17 after the determination of a breach or receipt of notification
18 from law enforcement as provided in subsection (3) is liable
19 for an administrative fine not to exceed $500,000, as follows:
20 1. In the amount of $1,000 for each day the breach
21 goes undisclosed for up to 30 days and, thereafter, $50,000
22 for each 30-day period or portion thereof for up to 180 days.
23 2. If disclosure is not made within 180 days, any
24 person required to make disclosures under paragraph (a) who
25 fails to do so is subject to an administrative fine of up to
26 $500,000.
27 (c) The administrative sanctions for nondisclosure
28 provided in this subsection shall not apply in the case of
29 personal information in the custody of any governmental agency
30 or subdivision unless that governmental agency or subdivision
31 has entered into a contract with a contractor or third-party
14
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 administrator to provide governmental services. In such case,
2 the contractor or third-party administrator shall be a person
3 to whom the administrative sanctions provided in this
4 subsection would apply, although such contractor or
5 third-party administrator found in violation of the
6 nondisclosure restrictions in this subsection would not have
7 an action for contribution or set-off available against the
8 employing agency or subdivision.
9 (3) The notification required by this section may be
10 delayed upon a request by law enforcement if a law enforcement
11 agency determines that the notification will impede a criminal
12 investigation. The notification time period required by this
13 section shall commence after the person receives notice from
14 the law enforcement agency that the notification will not
15 compromise the investigation.
16 (4) For purposes of this section, the terms "breach"
17 and "breach of the security of the system" mean unlawful and
18 unauthorized acquisition of computerized data that materially
19 compromises the security, confidentiality, or integrity of
20 personal information maintained by the person. Good faith
21 acquisition of personal information by an employee or agent of
22 the person is not a breach or breach of the security of the
23 system, provided the information is not used for a purpose
24 unrelated to the business or subject to further unauthorized
25 use.
26 (5) For purposes of this section, the term "personal
27 information" means an individual's first name, first initial
28 and last name, or any middle name and last name, in
29 combination with any one or more of the following data
30 elements when the data elements are not encrypted:
31 (a) Social security number.
15
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 (b) Driver's license number or Florida Identification
2 Card number.
3 (c) Account number, credit card number, or debit card
4 number, in combination with any required security code, access
5 code, or password that would permit access to an individual's
6 financial account.
7
8 For purposes of this section, the term "personal information"
9 does not include publicly available information that is
10 lawfully made available to the general public from federal,
11 state, or local government records or widely distributed
12 media.
13 (6) For purposes of this section, notice may be
14 provided by one of the following methods:
15 (a) Written notice;
16 (b) Electronic notice, if the notice provided is
17 consistent with the provisions regarding electronic records
18 and signatures set forth in 15 U.S.C. s. 7001, or electronic
19 notice when the person or business providing the notice has a
20 valid e-mail address for the subject person and the subject
21 person has agreed to accept communications electronically; or
22 (c) Substitute notice, if the person demonstrates that
23 the cost of providing notice would exceed $250,000, the
24 affected class of subject persons to be notified exceeds
25 500,000, or the person does not have sufficient contact
26 information. Substitute notice shall consist of all of the
27 following:
28 1. Electronic mail or e-mail notice when the person
29 has an electronic mail or e-mail address for the subject
30 persons.
31
16
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 2. Conspicuous posting of the notice on the web page
2 of the person, if the person maintains a web page.
3 3. Notification to major statewide media.
4 (7) For purposes of this section, the term
5 "unauthorized person" means any person who does not have
6 permission from, or a password issued by, the person who
7 stores the computerized data to acquire such data, but does
8 not include any individual to whom the personal information
9 pertains.
10 (8) For purposes of this section, the term "person"
11 means a person as defined in s. 1.01(3). For purposes of this
12 section, the State of Florida, as well as any of its agencies
13 or political subdivisions, and any of the agencies of its
14 political subdivisions, constitutes a person.
15 (9) Notwithstanding subsection (6), a person who
16 maintains:
17 (a) The person's own notification procedures as part
18 of an information security or privacy policy for the treatment
19 of personal information, which procedures are otherwise
20 consistent with the timing requirements of this part; or
21 (b) A notification procedure pursuant to the rules,
22 regulations, procedures, or guidelines established by the
23 person's primary or functional federal regulator,
24
25 shall be deemed to be in compliance with the notification
26 requirements of this section if the person notifies subject
27 persons in accordance with the person's policies or the rules,
28 regulations, procedures, or guidelines established by the
29 primary or functional federal regulator in the event of a
30 breach of security of the system.
31
17
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 (10)(a) Notwithstanding subsection (2), notification
2 is not required if, after an appropriate investigation or
3 after consultation with relevant federal, state, and local
4 agencies responsible for law enforcement, the person
5 reasonably determines that the breach has not and will not
6 likely result in harm to the individuals whose personal
7 information has been acquired and accessed. Such a
8 determination must be documented in writing and the
9 documentation must be maintained for 5 years.
10 (b) Any person required to document a failure to
11 notify affected persons who fails to document the failure as
12 required in this subsection or who, if documentation was
13 created, fails to maintain the documentation for the full 5
14 years as required in this subsection is liable for an
15 administrative fine in the amount of up to $50,000 for such
16 failure.
17 (c) The administrative sanctions outlined in this
18 subsection shall not apply in the case of personal information
19 in the custody of any governmental agency or subdivision,
20 unless that governmental agency or subdivision has entered
21 into a contract with a contractor or third-party administrator
22 to provide governmental services. In such case the contractor
23 or third-party administrator shall be a person to whom the
24 administrative sanctions outlined in this subsection would
25 apply, although such contractor or third-party administrator
26 found in violation of the documentation and maintenance of
27 documentation requirements in this subsection would not have
28 an action for contribution or set-off available against the
29 employing agency or subdivision.
30
31
18
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2005 CS for CS for SB 978
577-2281-05
1 (11) The Department of Legal Affairs may institute
2 proceedings to assess and collect the fines provided in this
3 section.
4 (12) In the event that a person discovers
5 circumstances requiring notification pursuant to this section
6 of more than 1,000 persons at one time, the person shall also
7 notify, without unreasonable delay, all consumer reporting
8 agencies that compile and maintain files on consumers on a
9 nationwide basis, as defined by 15 U.S.C. s. 1681a(p), of the
10 timing, distribution, and content of the notices.
11 Section 3. This act shall take effect July 1, 2005.
12
13 STATEMENT OF SUBSTANTIAL CHANGES CONTAINED IN
COMMITTEE SUBSTITUTE FOR
14 CS/SB 978
15
16 This committee substitute differs from the committee
substitute as filed in that it:
17
- Changes the time frame in which a person who maintains
18 computerized data that has been breached must disclose to
a business entity that there has been a breach from 72
19 hours to "as soon as practicable" but no later than 10
days;
20
- Adds a definition for "person" and provides that the
21 definition for "personal information" does not include
publicly available information;
22
- Provides that notice may be provided by electronic notice
23 when the person or business providing the notice has a
valid email address for the subject person as long as the
24 subject person has agreed to accept communication
electronically; and
25
- Provides that when a person discovers a circumstance
26 requiring notification to 1,000 or more people at one
time, the person must immediately notify all consumer
27 reporting agencies that compile and maintain files on
consumers on a nationwide basis of the timing,
28 distribution and content of the notices.
29
30
31
19
CODING: Words stricken are deletions; words underlined are additions.