Florida Senate - 2014                        COMMITTEE AMENDMENT
       Bill No. CS for SB 1524
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                  Comm: RCS            .                                
                  04/02/2014           .                                

    1         Senate Amendment (with title amendment)
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. This act may be cited as the “Florida
    6  Information Protection Act of 2014.”
    7         Section 2. Section 817.5681, Florida Statutes, is repealed.
    8         Section 3. Section 501.171, Florida Statutes, is created to
    9  read:
   10         501.171 Security of confidential personal information.—
   11         (1) DEFINITIONS.—As used in this section, the term:
   12         (a) “Breach of security” or “breach” means unauthorized
   13  access of data in electronic form containing personal
   14  information. Good faith access of personal information by an
   15  employee or agent of the covered entity does not constitute a
   16  breach of security, provided that the information is not used
   17  for a purpose unrelated to the business or subject to further
   18  unauthorized use.
   19         (b) “Covered entity” means a sole proprietorship,
   20  partnership, corporation, trust, estate, cooperative,
   21  association, or other commercial entity that acquires,
   22  maintains, stores, or uses personal information. For purposes of
   23  the notice requirements in subsections (3)-(6), the term
   24  includes a governmental entity.
   25         (c) “Customer records” means any material, regardless of
   26  the physical form, on which personal information is recorded or
   27  preserved by any means, including, but not limited to, written
   28  or spoken words, graphically depicted, printed, or
   29  electromagnetically transmitted that are provided by an
   30  individual in this state to a covered entity for the purpose of
   31  purchasing or leasing a product or obtaining a service.
   32         (d) “Data in electronic form” means any data stored
   33  electronically or digitally on any computer system or other
   34  database and includes recordable tapes and other mass storage
   35  devices.
   36         (e) “Department” means the Department of Legal Affairs.
   37         (f) “Governmental entity” means any department, division,
   38  bureau, commission, regional planning agency, board, district,
   39  authority, agency, or other instrumentality of this state that
   40  acquires, maintains, stores, or uses data in electronic form
   41  containing personal information.
   42         (g)1. “Personal information” means either of the following:
   43         a. An individual’s first name or first initial and last
   44  name in combination with any one or more of the following data
   45  elements for that individual:
   46         (I) A social security number.
   47         (II) A driver license or identification card number,
   48  passport number, military identification number, or other
   49  similar number issued on a government document used to verify
   50  identity.
   51         (III) A financial account number or credit or debit card
   52  number, in combination with any required security code, access
   53  code, or password that is necessary to permit access to an
   54  individual’s financial account.
   55         (IV) Any information regarding an individual’s medical
   56  history, mental or physical condition, or medical treatment or
   57  diagnosis by a health care professional; or
   58         (V) An individual’s health insurance policy number or
   59  subscriber identification number and any unique identifier used
   60  by a health insurer to identify the individual.
   61         b. A user name or e-mail address, in combination with a
   62  password or security question and answer that would permit
   63  access to an online account.
   64         2. The term does not include information about an
   65  individual that has been made publicly available by a federal,
   66  state, or local governmental entity. The term also does not
   67  include information that is encrypted, secured, or modified by
   68  any other method or technology that removes elements that
   69  personally identify an individual or that otherwise renders the
   70  information unusable.
   71         (h) “Third-party agent” means an entity that has been
   72  contracted to maintain, store, or process personal information
   73  on behalf of a covered entity or governmental entity.
   74         (2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity,
   75  governmental entity, or third-party agent shall take reasonable
   76  measures to protect and secure data in electronic form
   77  containing personal information.
   79         (a) A covered entity shall provide notice to the department
   80  of any breach of security affecting 500 or more individuals in
   81  this state. Such notice must be provided to the department as
   82  expeditiously as practicable, but no later than 30 days after
   83  the determination of the breach or reason to believe a breach
   84  occurred. A covered entity may receive 15 additional days to
   85  provide notice if good cause for delay is provided in writing to
   86  the department within 30 days after determination of the breach
   87  or reason to believe a breach occurred.
   88         (b) The written notice to the department must include:
   89         1. A synopsis of the events surrounding the breach at the
   90  time notice is provided.
   91         2. The number of individuals in this state who were or
   92  potentially have been affected by the breach.
   93         3. Any services related to the breach being offered or
   94  scheduled to be offered, without charge, by the covered entity
   95  to individuals, and instructions as to how to use such services.
   96         4. A copy of the notice required under subsection (4) or an
   97  explanation of the other actions taken pursuant to subsection
   98  (4).
   99         5. The name, address, telephone number, and e-mail address
  100  of the employee or agent of the covered entity from whom
  101  additional information may be obtained about the breach.
  102         (c) The covered entity must provide the following
  103  information to the department upon its request:
  104         1. A police report, incident report, or computer forensics
  105  report.
  106         2. A copy of the policies in place regarding breaches.
  107         3. Steps that have been taken to rectify the breach.
  108         (d) A covered entity may provide the department with
  109  supplemental information regarding a breach at any time.
  110         (e) For a covered entity that is the judicial branch, the
  111  Executive Office of the Governor, the Department of Financial
  112  Services, or the Department of Agriculture and Consumer
  113  Services, in lieu of providing the written notice to the
  114  department, the covered entity may post the information
  115  described in subparagraphs (b)1.-4. on an agency-managed
  116  website.
  118         (a) A covered entity shall give notice to each individual
  119  in this state whose personal information was, or the covered
  120  entity reasonably believes to have been, accessed as a result of
  121  the breach. Notice to individuals shall be made as expeditiously
  122  as practicable and without unreasonable delay, taking into
  123  account the time necessary to allow the covered entity to
  124  determine the scope of the breach of security, to identify
  125  individuals affected by the breach, and to restore the
  126  reasonable integrity of the data system that was breached, but
  127  no later than 30 days after the determination of a breach or
  128  reason to believe a breach occurred unless subject to a delay
  129  authorized under paragraph (b) or waiver under paragraph (c).
  130         (b) If a federal, state, or local law enforcement agency
  131  determines that notice to individuals required under this
  132  subsection would interfere with a criminal investigation, the
  133  notice shall be delayed upon the written request of the law
  134  enforcement agency for a specified period that the law
  135  enforcement agency determines is reasonably necessary. A law
  136  enforcement agency may, by a subsequent written request, revoke
  137  such delay as of a specified date or extend the period set forth
  138  in the original request made under this paragraph to a specified
  139  date if further delay is necessary.
  140         (c) Notwithstanding paragraph (a), notice to the affected
  141  individuals is not required if, after an appropriate
  142  investigation and consultation with relevant federal, state, or
  143  local law enforcement agencies, the covered entity reasonably
  144  determines that the breach has not and will not likely result in
  145  identity theft or any other financial harm to the individuals
  146  whose personal information has been accessed. Such a
  147  determination must be documented in writing and maintained for
  148  at least 5 years. The covered entity shall provide the written
  149  determination to the department within 30 days after the
  150  determination.
  151         (d) The notice to an affected individual shall be by one of
  152  the following methods:
  153         1. Written notice sent to the mailing address of the
  154  individual in the records of the covered entity; or
  155         2. E-mail notice sent to the e-mail address of the
  156  individual in the records of the covered entity.
  157         (e) The notice to an individual with respect to a breach of
  158  security shall include, at a minimum:
  159         1. The date, estimated date, or estimated date range of the
  160  breach of security.
  161         2. A description of the personal information that was
  162  accessed or reasonably believed to have been accessed as a part
  163  of the breach of security.
  164         3. Information that the individual can use to contact the
  165  covered entity to inquire about the breach of security and the
  166  personal information that the covered entity maintained about
  167  the individual.
  168         (f) A covered entity required to provide notice to an
  169  individual may provide substitute notice in lieu of direct
  170  notice if such direct notice is not feasible because the cost of
  171  providing notice would exceed $250,000, because the affected
  172  individuals exceed 500,000 persons, or because the covered
  173  entity does not have an e-mail address or mailing address for
  174  the affected individuals. Such substitute notice shall include
  175  the following:
  176         1. A conspicuous notice on the Internet website of the
  177  covered entity if the covered entity maintains a website; and
  178         2. Notice in print and to broadcast media, including major
  179  media in urban and rural areas where the affected individuals
  180  reside.
  181         (g) Notice provided pursuant to rules, regulations,
  182  procedures, or guidelines established by the covered entity’s
  183  primary or functional federal regulator is deemed to be in
  184  compliance with the notice requirement in this subsection if the
  185  covered entity notifies affected individuals in accordance with
  186  the rules, regulations, procedures, or guidelines established by
  187  the primary or functional federal regulator in the event of a
  188  breach of security. Under this paragraph, a covered entity that
  189  timely provides a copy of such notice to the department is
  190  deemed to be in compliance with the notice requirement in
  191  subsection (3).
  192         (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered
  193  entity discovers circumstances requiring notice pursuant to this
  194  section of more than 1,000 individuals at a single time, the
  195  covered entity shall also notify, without unreasonable delay,
  196  all consumer reporting agencies that compile and maintain files
  197  on consumers on a nationwide basis, as defined in the Fair
  198  Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing,
  199  distribution, and content of the notices.
  202         (a) In the event of a breach of security of a system
  203  maintained by a third-party agent, such third-party agent shall
  204  notify the covered entity of the breach of security as
  205  expeditiously as practicable, but no later than 10 days
  206  following the determination of the breach of security or reason
  207  to believe the breach occurred. Upon receiving notice from a
  208  third-party agent, a covered entity shall provide notices
  209  required under subsections (3) and (4). A third-party agent
  210  shall provide a covered entity with all information that the
  211  covered entity needs to comply with its notice requirements.
  212         (b) An agent may provide notice as required under
  213  subsections (3) and (4) on behalf of the covered entity;
  214  however, an agent’s failure to provide proper notice shall be
  215  deemed a violation of this section against the covered entity.
  216         (7) ANNUAL REPORT.—By February 1 of each year, the
  217  department shall submit a report to the President of the Senate
  218  and the Speaker of the House of Representatives describing the
  219  nature of any reported breaches of security by governmental
  220  entities or third-party agents of governmental entities in the
  221  preceding calendar year along with recommendations for security
  222  improvements. The report shall identify any governmental entity
  223  that has violated any of the applicable requirements in
  224  subsections (2)-(6) in the preceding calendar year.
  226  covered entity or third-party agent shall take all reasonable
  227  measures to dispose, or arrange for the disposal, of customer
  228  records containing personal information within its custody or
  229  control when the records are no longer to be retained. Such
  230  disposal shall involve shredding, erasing, or otherwise
  231  modifying the personal information in the records to make it
  232  unreadable or undecipherable through any means.
  233         (9) ENFORCEMENT.—
  234         (a) A violation of this section shall be treated as an
  235  unfair or deceptive trade practice in any action brought by the
  236  department under s. 501.207 against a covered entity or third
  237  party agent.
  238         (b) In addition to the remedies provided for in paragraph
  239  (a), a covered entity that violates subsection (3) or subsection
  240  (4) shall be liable for a civil penalty not to exceed $500,000,
  241  as follows:
  242         1. In the amount of $1,000 for each day up to the first 30
  243  days following any violation of subsection (3) or subsection (4)
  244  and, thereafter, $50,000 for each subsequent 30-day period or
  245  portion thereof for up to 180 days.
  246         2. If the violation continues for more than 180 days, in an
  247  amount not to exceed $500,000.
  249  The civil penalties for failure to notify provided in this
  250  paragraph apply per breach and not per individual affected by
  251  the breach.
  252         (c) All penalties collected pursuant to this subsection
  253  shall be deposited into the General Revenue Fund.
  254         (10) NO PRIVATE CAUSE OF ACTION.—This section does not
  255  establish a private cause of action.
  256         Section 4. Subsection (5) of section 282.0041, Florida
  257  Statutes, is amended to read:
  258         282.0041 Definitions.—As used in this chapter, the term:
  259         (5) “Breach” has the same meaning as the term “breach of
  260  security” as defined in s. 501.171 in s. 817.5681(4).
  261         Section 5. Paragraph (i) of subsection (4) of section
  262  282.318, Florida Statutes, is amended to read:
  263         282.318 Enterprise security of data and information
  264  technology.—
  265         (4) To assist the Agency for Enterprise Information
  266  Technology in carrying out its responsibilities, each agency
  267  head shall, at a minimum:
  268         (i) Develop a process for detecting, reporting, and
  269  responding to suspected or confirmed security incidents,
  270  including suspected or confirmed breaches consistent with the
  271  security rules and guidelines established by the Agency for
  272  Enterprise Information Technology.
  273         1. Suspected or confirmed information security incidents
  274  and breaches must be immediately reported to the Agency for
  275  Enterprise Information Technology.
  276         2. For incidents involving breaches, agencies shall provide
  277  notice in accordance with s. 501.171 s. 817.5681 and to the
  278  Agency for Enterprise Information Technology in accordance with
  279  this subsection.
  280         Section 6. This act shall take effect July 1, 2014.
  282  ================= T I T L E  A M E N D M E N T ================
  283  And the title is amended as follows:
  284         Delete everything before the enacting clause
  285  and insert:
  286                        A bill to be entitled                      
  287         An act relating to security of confidential personal
  288         information; providing a short title; repealing s.
  289         817.5681, F.S., relating to a breach of security
  290         concerning confidential personal information in third
  291         party possession; creating s. 501.171, F.S.; providing
  292         definitions; requiring specified entities to take
  293         reasonable measures to protect and secure data
  294         containing personal information in electronic form;
  295         requiring specified entities to notify the Department
  296         of Legal Affairs of data security breaches; requiring
  297         notice to individuals of data security breaches under
  298         certain circumstances; providing exceptions to notice
  299         requirements under certain circumstances; specifying
  300         contents and methods of notice; requiring notice to
  301         credit reporting agencies under certain circumstances;
  302         requiring the department to report annually to the
  303         Legislature; specifying report requirements; providing
  304         requirements for disposal of customer records;
  305         providing for enforcement actions by the department;
  306         providing civil penalties; specifying that no private
  307         cause of action is created; amending ss. 282.0041 and
  308         282.318, F.S.; conforming cross-references to changes
  309         made by the act; providing an effective date.