Florida Senate - 2014 COMMITTEE AMENDMENT
Bill No. CS for SB 1524
Ì676834BÎ676834
LEGISLATIVE ACTION
Senate . House
Comm: RCS .
04/02/2014 .
.
.
.
—————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. This act may be cited as the “Florida
6 Information Protection Act of 2014.”
7 Section 2. Section 817.5681, Florida Statutes, is repealed.
8 Section 3. Section 501.171, Florida Statutes, is created to
9 read:
10 501.171 Security of confidential personal information.—
11 (1) DEFINITIONS.—As used in this section, the term:
12 (a) “Breach of security” or “breach” means unauthorized
13 access of data in electronic form containing personal
14 information. Good faith access of personal information by an
15 employee or agent of the covered entity does not constitute a
16 breach of security, provided that the information is not used
17 for a purpose unrelated to the business or subject to further
18 unauthorized use.
19 (b) “Covered entity” means a sole proprietorship,
20 partnership, corporation, trust, estate, cooperative,
21 association, or other commercial entity that acquires,
22 maintains, stores, or uses personal information. For purposes of
23 the notice requirements in subsections (3)-(6), the term
24 includes a governmental entity.
25 (c) “Customer records” means any material, regardless of
26 the physical form, on which personal information is recorded or
27 preserved by any means, including, but not limited to, written
28 or spoken words, graphically depicted, printed, or
29 electromagnetically transmitted that are provided by an
30 individual in this state to a covered entity for the purpose of
31 purchasing or leasing a product or obtaining a service.
32 (d) “Data in electronic form” means any data stored
33 electronically or digitally on any computer system or other
34 database and includes recordable tapes and other mass storage
35 devices.
36 (e) “Department” means the Department of Legal Affairs.
37 (f) “Governmental entity” means any department, division,
38 bureau, commission, regional planning agency, board, district,
39 authority, agency, or other instrumentality of this state that
40 acquires, maintains, stores, or uses data in electronic form
41 containing personal information.
42 (g)1. “Personal information” means either of the following:
43 a. An individual’s first name or first initial and last
44 name in combination with any one or more of the following data
45 elements for that individual:
46 (I) A social security number.
47 (II) A driver license or identification card number,
48 passport number, military identification number, or other
49 similar number issued on a government document used to verify
50 identity.
51 (III) A financial account number or credit or debit card
52 number, in combination with any required security code, access
53 code, or password that is necessary to permit access to an
54 individual’s financial account.
55 (IV) Any information regarding an individual’s medical
56 history, mental or physical condition, or medical treatment or
57 diagnosis by a health care professional; or
58 (V) An individual’s health insurance policy number or
59 subscriber identification number and any unique identifier used
60 by a health insurer to identify the individual.
61 b. A user name or e-mail address, in combination with a
62 password or security question and answer that would permit
63 access to an online account.
64 2. The term does not include information about an
65 individual that has been made publicly available by a federal,
66 state, or local governmental entity. The term also does not
67 include information that is encrypted, secured, or modified by
68 any other method or technology that removes elements that
69 personally identify an individual or that otherwise renders the
70 information unusable.
71 (h) “Third-party agent” means an entity that has been
72 contracted to maintain, store, or process personal information
73 on behalf of a covered entity or governmental entity.
74 (2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity,
75 governmental entity, or third-party agent shall take reasonable
76 measures to protect and secure data in electronic form
77 containing personal information.
78 (3) NOTICE TO DEPARTMENT OF SECURITY BREACH.—
79 (a) A covered entity shall provide notice to the department
80 of any breach of security affecting 500 or more individuals in
81 this state. Such notice must be provided to the department as
82 expeditiously as practicable, but no later than 30 days after
83 the determination of the breach or reason to believe a breach
84 occurred. A covered entity may receive 15 additional days to
85 provide notice if good cause for delay is provided in writing to
86 the department within 30 days after determination of the breach
87 or reason to believe a breach occurred.
88 (b) The written notice to the department must include:
89 1. A synopsis of the events surrounding the breach at the
90 time notice is provided.
91 2. The number of individuals in this state who were or
92 potentially have been affected by the breach.
93 3. Any services related to the breach being offered or
94 scheduled to be offered, without charge, by the covered entity
95 to individuals, and instructions as to how to use such services.
96 4. A copy of the notice required under subsection (4) or an
97 explanation of the other actions taken pursuant to subsection
98 (4).
99 5. The name, address, telephone number, and e-mail address
100 of the employee or agent of the covered entity from whom
101 additional information may be obtained about the breach.
102 (c) The covered entity must provide the following
103 information to the department upon its request:
104 1. A police report, incident report, or computer forensics
105 report.
106 2. A copy of the policies in place regarding breaches.
107 3. Steps that have been taken to rectify the breach.
108 (d) A covered entity may provide the department with
109 supplemental information regarding a breach at any time.
110 (e) For a covered entity that is the judicial branch, the
111 Executive Office of the Governor, the Department of Financial
112 Services, or the Department of Agriculture and Consumer
113 Services, in lieu of providing the written notice to the
114 department, the covered entity may post the information
115 described in subparagraphs (b)1.-4. on an agency-managed
116 website.
117 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—
118 (a) A covered entity shall give notice to each individual
119 in this state whose personal information was, or the covered
120 entity reasonably believes to have been, accessed as a result of
121 the breach. Notice to individuals shall be made as expeditiously
122 as practicable and without unreasonable delay, taking into
123 account the time necessary to allow the covered entity to
124 determine the scope of the breach of security, to identify
125 individuals affected by the breach, and to restore the
126 reasonable integrity of the data system that was breached, but
127 no later than 30 days after the determination of a breach or
128 reason to believe a breach occurred unless subject to a delay
129 authorized under paragraph (b) or waiver under paragraph (c).
130 (b) If a federal, state, or local law enforcement agency
131 determines that notice to individuals required under this
132 subsection would interfere with a criminal investigation, the
133 notice shall be delayed upon the written request of the law
134 enforcement agency for a specified period that the law
135 enforcement agency determines is reasonably necessary. A law
136 enforcement agency may, by a subsequent written request, revoke
137 such delay as of a specified date or extend the period set forth
138 in the original request made under this paragraph to a specified
139 date if further delay is necessary.
140 (c) Notwithstanding paragraph (a), notice to the affected
141 individuals is not required if, after an appropriate
142 investigation and consultation with relevant federal, state, or
143 local law enforcement agencies, the covered entity reasonably
144 determines that the breach has not and will not likely result in
145 identity theft or any other financial harm to the individuals
146 whose personal information has been accessed. Such a
147 determination must be documented in writing and maintained for
148 at least 5 years. The covered entity shall provide the written
149 determination to the department within 30 days after the
150 determination.
151 (d) The notice to an affected individual shall be by one of
152 the following methods:
153 1. Written notice sent to the mailing address of the
154 individual in the records of the covered entity; or
155 2. E-mail notice sent to the e-mail address of the
156 individual in the records of the covered entity.
157 (e) The notice to an individual with respect to a breach of
158 security shall include, at a minimum:
159 1. The date, estimated date, or estimated date range of the
160 breach of security.
161 2. A description of the personal information that was
162 accessed or reasonably believed to have been accessed as a part
163 of the breach of security.
164 3. Information that the individual can use to contact the
165 covered entity to inquire about the breach of security and the
166 personal information that the covered entity maintained about
167 the individual.
168 (f) A covered entity required to provide notice to an
169 individual may provide substitute notice in lieu of direct
170 notice if such direct notice is not feasible because the cost of
171 providing notice would exceed $250,000, because the affected
172 individuals exceed 500,000 persons, or because the covered
173 entity does not have an e-mail address or mailing address for
174 the affected individuals. Such substitute notice shall include
175 the following:
176 1. A conspicuous notice on the Internet website of the
177 covered entity if the covered entity maintains a website; and
178 2. Notice in print and to broadcast media, including major
179 media in urban and rural areas where the affected individuals
180 reside.
181 (g) Notice provided pursuant to rules, regulations,
182 procedures, or guidelines established by the covered entity’s
183 primary or functional federal regulator is deemed to be in
184 compliance with the notice requirement in this subsection if the
185 covered entity notifies affected individuals in accordance with
186 the rules, regulations, procedures, or guidelines established by
187 the primary or functional federal regulator in the event of a
188 breach of security. Under this paragraph, a covered entity that
189 timely provides a copy of such notice to the department is
190 deemed to be in compliance with the notice requirement in
191 subsection (3).
192 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered
193 entity discovers circumstances requiring notice pursuant to this
194 section of more than 1,000 individuals at a single time, the
195 covered entity shall also notify, without unreasonable delay,
196 all consumer reporting agencies that compile and maintain files
197 on consumers on a nationwide basis, as defined in the Fair
198 Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing,
199 distribution, and content of the notices.
200 (6) NOTICE BY THIRD-PARTY AGENTS; DUTIES OF THIRD-PARTY
201 AGENTS; NOTICE BY AGENTS.—
202 (a) In the event of a breach of security of a system
203 maintained by a third-party agent, such third-party agent shall
204 notify the covered entity of the breach of security as
205 expeditiously as practicable, but no later than 10 days
206 following the determination of the breach of security or reason
207 to believe the breach occurred. Upon receiving notice from a
208 third-party agent, a covered entity shall provide notices
209 required under subsections (3) and (4). A third-party agent
210 shall provide a covered entity with all information that the
211 covered entity needs to comply with its notice requirements.
212 (b) An agent may provide notice as required under
213 subsections (3) and (4) on behalf of the covered entity;
214 however, an agent’s failure to provide proper notice shall be
215 deemed a violation of this section against the covered entity.
216 (7) ANNUAL REPORT.—By February 1 of each year, the
217 department shall submit a report to the President of the Senate
218 and the Speaker of the House of Representatives describing the
219 nature of any reported breaches of security by governmental
220 entities or third-party agents of governmental entities in the
221 preceding calendar year along with recommendations for security
222 improvements. The report shall identify any governmental entity
223 that has violated any of the applicable requirements in
224 subsections (2)-(6) in the preceding calendar year.
225 (8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS.—Each
226 covered entity or third-party agent shall take all reasonable
227 measures to dispose, or arrange for the disposal, of customer
228 records containing personal information within its custody or
229 control when the records are no longer to be retained. Such
230 disposal shall involve shredding, erasing, or otherwise
231 modifying the personal information in the records to make it
232 unreadable or undecipherable through any means.
233 (9) ENFORCEMENT.—
234 (a) A violation of this section shall be treated as an
235 unfair or deceptive trade practice in any action brought by the
236 department under s. 501.207 against a covered entity or third
237 party agent.
238 (b) In addition to the remedies provided for in paragraph
239 (a), a covered entity that violates subsection (3) or subsection
240 (4) shall be liable for a civil penalty not to exceed $500,000,
241 as follows:
242 1. In the amount of $1,000 for each day up to the first 30
243 days following any violation of subsection (3) or subsection (4)
244 and, thereafter, $50,000 for each subsequent 30-day period or
245 portion thereof for up to 180 days.
246 2. If the violation continues for more than 180 days, in an
247 amount not to exceed $500,000.
248
249 The civil penalties for failure to notify provided in this
250 paragraph apply per breach and not per individual affected by
251 the breach.
252 (c) All penalties collected pursuant to this subsection
253 shall be deposited into the General Revenue Fund.
254 (10) NO PRIVATE CAUSE OF ACTION.—This section does not
255 establish a private cause of action.
256 Section 4. Subsection (5) of section 282.0041, Florida
257 Statutes, is amended to read:
258 282.0041 Definitions.—As used in this chapter, the term:
259 (5) “Breach” has the same meaning as the term “breach of
260 security” as defined in s. 501.171 in s. 817.5681(4).
261 Section 5. Paragraph (i) of subsection (4) of section
262 282.318, Florida Statutes, is amended to read:
263 282.318 Enterprise security of data and information
264 technology.—
265 (4) To assist the Agency for Enterprise Information
266 Technology in carrying out its responsibilities, each agency
267 head shall, at a minimum:
268 (i) Develop a process for detecting, reporting, and
269 responding to suspected or confirmed security incidents,
270 including suspected or confirmed breaches consistent with the
271 security rules and guidelines established by the Agency for
272 Enterprise Information Technology.
273 1. Suspected or confirmed information security incidents
274 and breaches must be immediately reported to the Agency for
275 Enterprise Information Technology.
276 2. For incidents involving breaches, agencies shall provide
277 notice in accordance with s. 501.171 s. 817.5681 and to the
278 Agency for Enterprise Information Technology in accordance with
279 this subsection.
280 Section 6. This act shall take effect July 1, 2014.
281
282 ================= T I T L E A M E N D M E N T ================
283 And the title is amended as follows:
284 Delete everything before the enacting clause
285 and insert:
286 A bill to be entitled
287 An act relating to security of confidential personal
288 information; providing a short title; repealing s.
289 817.5681, F.S., relating to a breach of security
290 concerning confidential personal information in third
291 party possession; creating s. 501.171, F.S.; providing
292 definitions; requiring specified entities to take
293 reasonable measures to protect and secure data
294 containing personal information in electronic form;
295 requiring specified entities to notify the Department
296 of Legal Affairs of data security breaches; requiring
297 notice to individuals of data security breaches under
298 certain circumstances; providing exceptions to notice
299 requirements under certain circumstances; specifying
300 contents and methods of notice; requiring notice to
301 credit reporting agencies under certain circumstances;
302 requiring the department to report annually to the
303 Legislature; specifying report requirements; providing
304 requirements for disposal of customer records;
305 providing for enforcement actions by the department;
306 providing civil penalties; specifying that no private
307 cause of action is created; amending ss. 282.0041 and
308 282.318, F.S.; conforming cross-references to changes
309 made by the act; providing an effective date.