Florida Senate - 2014                        COMMITTEE AMENDMENT
       Bill No. SB 1524
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                  Comm: RCS            .                                
                  03/24/2014           .                                

    1         Senate Amendment (with title amendment)
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. This act may be cited as the “Florida
    6  Information Protection Act of 2014.”
    7         Section 2. Section 817.5681, Florida Statutes, is repealed.
    8         Section 3. Section 501.171, Florida Statutes, is created to
    9  read:
   10         501.171Security of confidential personal information.—
   11         (1) DEFINITIONS.—As used in this section, the term:
   12         (a) “Breach of security” or “breach” means unauthorized
   13  access of data in electronic form containing personal
   14  information. Good faith access of personal information by an
   15  employee or agent of a covered entity does not constitute a
   16  breach of security, provided that the information is not used
   17  for a purpose unrelated to the business or subject to further
   18  unauthorized use.
   19         (b) “Covered entity” means a sole proprietorship,
   20  partnership, corporation, trust, estate, cooperative,
   21  association, or other commercial entity that acquires,
   22  maintains, stores, or uses personal information. For purposes of
   23  the notice requirements in subsections (3)-(6), the term
   24  includes a governmental entity.
   25         (c) “Customer records” means any material, regardless of
   26  the physical form, on which personal information is recorded or
   27  preserved by any means, including, but not limited to, written
   28  or spoken words, graphically depicted, printed, or
   29  electromagnetically transmitted that are provided by an
   30  individual in this state to a covered entity for the purpose of
   31  purchasing or leasing a product or obtaining a service.
   32         (d) “Data in electronic form” means any data stored
   33  electronically or digitally on any computer system or other
   34  database and includes recordable tapes and other mass storage
   35  devices.
   36         (e) “Department” means the Department of Legal Affairs.
   37         (f) “Governmental entity” means any department, division,
   38  bureau, commission, regional planning agency, board, district,
   39  authority, agency, or other instrumentality of this state that
   40  acquires, maintains, stores, or uses data in electronic form
   41  containing personal information.
   42         (g)1. “Personal information” means either of the following:
   43         a. An individual’s first name or first initial and last
   44  name in combination with any one or more of the following data
   45  elements for that individual:
   46         (I) A social security number.
   47         (II) A driver license or identification card number,
   48  passport number, military identification number, or other
   49  similar number issued on a government document used to verify
   50  identity.
   51         (III) A financial account number or credit or debit card
   52  number, in combination with any required security code, access
   53  code, or password that is necessary to permit access to an
   54  individual’s financial account.
   55         (IV) Any information regarding an individual’s medical
   56  history, mental or physical condition, or medical treatment or
   57  diagnosis by a health care professional; or
   58         (V) An individual’s health insurance policy number or
   59  subscriber identification number and any unique identifier used
   60  by a health insurer to identify the individual.
   61         b. A user name or e-mail address, in combination with a
   62  password or security question and answer that would permit
   63  access to an online account.
   64         2. The term does not include information about an
   65  individual that has been made publicly available by a federal,
   66  state, or local governmental entity or information that is
   67  encrypted, secured, or modified by any other method or
   68  technology that removes elements that personally identify an
   69  individual or that otherwise renders the information unusable.
   70         (h) “Third-party agent” means an entity that has been
   71  contracted to maintain, store, or process personal information
   72  on behalf of a covered entity or governmental entity.
   73         (2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity,
   74  governmental entity, or third-party agent shall take reasonable
   75  measures to protect and secure data in electronic form
   76  containing personal information.
   78         (a) A covered entity shall give notice to the department of
   79  any breach of security, as expeditiously as practicable, but no
   80  later than 30 days after the determination of the breach or
   81  reason to believe a breach had occurred.
   82         (b) The written notice to the department must include:
   83         1. A synopsis of the events surrounding the breach.
   84         2. The number of individuals in this state who were or
   85  potentially have been affected by the breach.
   86         3. Any services related to the breach being offered,
   87  without charge, by the covered entity to individuals, and
   88  instructions as to how to use such services.
   89         4. A copy of the notice required under subsection (4) or an
   90  explanation of the other actions taken pursuant to subsection
   91  (4).
   92         5. The name, address, telephone number, and e-mail address
   93  of the employee of the covered entity from whom additional
   94  information may be obtained about the breach, and the steps
   95  taken to rectify the breach and prevent similar breaches.
   96         (c) The covered entity must provide the following
   97  information to the department upon its request:
   98         1. A police report, incident report, or computer forensics
   99  report.
  100         2. A copy of the policies in place regarding breaches.
  101         3. Any steps that have been taken to rectify the breach.
  102         (d) For a covered entity that is the judicial branch, the
  103  Executive Office of the Governor, the Department of Financial
  104  Services, or the Department of Agriculture and Consumer
  105  Services, in lieu of providing the written notice to the
  106  department, the covered entity may post the information
  107  described in subparagraphs (b)1.-4. on an agency-managed
  108  website.
  110         (a) A covered entity shall give notice to each individual
  111  in this state whose personal information was, or the covered
  112  entity reasonably believes to have been, accessed as a result of
  113  the breach. Notice to individuals shall be made as expeditiously
  114  as practicable and without unreasonable delay, taking into
  115  account the time necessary to allow the covered entity to
  116  determine the scope of the breach of security, to identify
  117  individuals affected by the breach, and to restore the
  118  reasonable integrity of the data system that was breached, but
  119  no later than 30 days after the determination of a breach unless
  120  subject to a delay authorized under paragraph (b) or waiver
  121  under paragraph (c).
  122         (b) If a federal, state, or local law enforcement agency
  123  determines that notice to individuals required under this
  124  subsection would interfere with a criminal investigation, the
  125  notice shall be delayed upon the written request of the law
  126  enforcement agency for a specified period that the law
  127  enforcement agency determines is reasonably necessary. A law
  128  enforcement agency may, by a subsequent written request, revoke
  129  such delay as of a specified date or extend the period set forth
  130  in the original request made under this paragraph to a specified
  131  date if further delay is necessary.
  132         (c) Notwithstanding paragraph (a), notice to the affected
  133  individuals is not required if, after an appropriate
  134  investigation and consultation with relevant federal, state, and
  135  local law enforcement agencies, the covered entity reasonably
  136  determines that the breach has not and will not likely result in
  137  identity theft or any other financial harm to the individuals
  138  whose personal information has been accessed. Such a
  139  determination must be documented in writing and maintained for
  140  at least 5 years. The covered entity shall provide the written
  141  determination to the department within 30 days after the
  142  determination.
  143         (d) The notice to an affected individual shall be by one of
  144  the following methods:
  145         1. Written notice sent to the mailing address of the
  146  individual in the records of the covered entity; or
  147         2. E-mail notice sent to the e-mail address of the
  148  individual in the records of the covered entity.
  149         (e) The notice to an individual with respect to a breach of
  150  security shall include, at a minimum:
  151         1. The date, estimated date, or estimated date range of the
  152  breach of security.
  153         2. A description of the personal information that was
  154  accessed or reasonably believed to have been accessed as a part
  155  of the breach of security.
  156         3. Information that the individual can use to contact the
  157  covered entity to inquire about the breach of security and the
  158  personal information that the covered entity maintained about
  159  the individual.
  160         (f) A covered entity required to provide notice to an
  161  individual may provide substitute notice in lieu of direct
  162  notice if such direct notice is not feasible because the cost of
  163  providing notice would exceed $250,000, because the affected
  164  individuals exceed 500,000 persons, or because the covered
  165  entity does not have an e-mail address or mailing address for
  166  the affected individuals. Such substitute notice shall include
  167  the following:
  168         1. A conspicuous notice on the Internet website of the
  169  covered entity if the covered entity maintains a website; and
  170         2. Notice in print and to broadcast media, including major
  171  media in urban and rural areas where the affected individuals
  172  reside.
  173         (g) Notice provided pursuant to rules, regulations,
  174  procedures, or guidelines established by the covered entity’s
  175  primary or functional federal regulator is deemed to be in
  176  compliance with the notice requirement in this subsection if the
  177  covered entity notifies individuals in accordance with any
  178  rules, regulations, procedures, or guidelines established by the
  179  primary or functional federal regulator in the event of a breach
  180  of security. Under this paragraph, the covered entity must
  181  provide notice to the department under subsection (3).
  182         (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered
  183  entity discovers circumstances requiring notice pursuant to this
  184  section of more than 1,000 individuals at a single time, the
  185  covered entity shall also notify, without unreasonable delay,
  186  all consumer reporting agencies that compile and maintain files
  187  on consumers on a nationwide basis, as defined in the Fair
  188  Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing,
  189  distribution, and content of the notices.
  191  AGENTS.—In the event of a breach of security of a system
  192  maintained by a third-party agent, such third-party agent shall
  193  notify the covered entity of the breach of security as
  194  expeditiously as practicable, but no later than 10 days
  195  following the determination of the breach of security. Upon
  196  receiving notice from a third-party agent, a covered entity
  197  shall provide notices required under subsections (3) and (4). A
  198  third-party agent shall provide a covered entity with all
  199  information that the covered entity needs to comply with its
  200  notice requirements.
  201         (7) ANNUAL REPORT.—By February 1 of each year, the
  202  department shall submit a report to the President of the Senate
  203  and the Speaker of the House of Representatives describing the
  204  nature of any reported breaches of security by governmental
  205  entities or third-party agents of governmental entities in the
  206  preceding calendar year along with recommendations for security
  207  improvements. The report shall identify any governmental entity
  208  that has violated any of the applicable requirements in
  209  subsections (2)-(6) in the preceding calendar year.
  211  covered entity or third-party agent shall take all reasonable
  212  measures to dispose, or arrange for the disposal, of customer
  213  records containing personal information within its custody or
  214  control when the records are no longer to be retained. Such
  215  disposal shall involve shredding, erasing, or otherwise
  216  modifying the personal information in the records to make it
  217  unreadable or undecipherable through any means.
  218         (9) ENFORCEMENT.—
  219         (a) A violation of this section shall be treated as an
  220  unfair or deceptive trade practice in any action brought by the
  221  department under s. 501.207 against a covered entity or third
  222  party agent.
  223         (b) In addition to the remedies provided for in paragraph
  224  (a), a covered entity that violates subsection (3) or subsection
  225  (4) shall be liable for a civil penalty not to exceed $500,000,
  226  as follows:
  227         1. In the amount of $1,000 for each day up to the first 30
  228  days following any violation of subsection (3) or subsection (4)
  229  and, thereafter, $50,000 for each subsequent 30-day period or
  230  portion thereof for up to 180 days.
  231         2. If the violation continues for more than 180 days, in an
  232  amount not to exceed $500,000.
  234  The civil penalties for failure to notify provided in this
  235  paragraph apply per breach and not per individual affected by
  236  the breach.
  237         (c) All penalties collected pursuant to this subsection
  238  shall be deposited into the General Revenue Fund.
  239         (10) NO PRIVATE CAUSE OF ACTION.—This section does not
  240  establish a private cause of action.
  241         Section 4. Subsection (5) of section 282.0041, Florida
  242  Statutes, is amended to read:
  243         282.0041 Definitions.—As used in this chapter, the term:
  244         (5) “Breach” has the same meaning as the term “breach of
  245  security” as defined in s. 501.171 in s. 817.5681(4).
  246         Section 5. Paragraph (i) of subsection (4) of section
  247  282.318, Florida Statutes, is amended to read:
  248         282.318 Enterprise security of data and information
  249  technology.—
  250         (4) To assist the Agency for Enterprise Information
  251  Technology in carrying out its responsibilities, each agency
  252  head shall, at a minimum:
  253         (i) Develop a process for detecting, reporting, and
  254  responding to suspected or confirmed security incidents,
  255  including suspected or confirmed breaches consistent with the
  256  security rules and guidelines established by the Agency for
  257  Enterprise Information Technology.
  258         1. Suspected or confirmed information security incidents
  259  and breaches must be immediately reported to the Agency for
  260  Enterprise Information Technology.
  261         2. For incidents involving breaches, agencies shall provide
  262  notice in accordance with s. 501.171 s. 817.5681 and to the
  263  Agency for Enterprise Information Technology in accordance with
  264  this subsection.
  265  Section 6. This act shall take effect July 1, 2014.
  267  ================= T I T L E  A M E N D M E N T ================
  268  And the title is amended as follows:
  269         Delete everything before the enacting clause
  270  and insert:
  271                        A bill to be entitled                      
  272         An act relating to security of confidential personal
  273         information; providing a short title; repealing s.
  274         817.5681, F.S., relating to a breach of security
  275         concerning confidential personal information in third
  276         party possession; creating s. 501.171, F.S.; providing
  277         definitions; requiring specified entities to take
  278         reasonable measures to protect and secure data
  279         containing personal information in electronic form;
  280         requiring specified entities to notify the Department
  281         of Legal Affairs of data security breaches; requiring
  282         notice to individuals of data security breaches under
  283         certain circumstances; providing exceptions to notice
  284         requirements under certain circumstances; specifying
  285         contents and methods of notice; requiring notice to
  286         credit reporting agencies under certain circumstances;
  287         requiring the department to report annually to the
  288         Legislature; specifying report requirements; providing
  289         requirements for disposal of customer records;
  290         providing for enforcement actions by the department;
  291         providing civil penalties; specifying that no private
  292         cause of action is created; amending ss. 282.0041 and
  293         282.318, F.S.; conforming cross-references to changes
  294         made by the act; providing an effective date.