Florida Senate - 2014 COMMITTEE AMENDMENT
Bill No. SB 1524
Ì7971726Î797172
LEGISLATIVE ACTION
Senate . House
Comm: RCS .
03/24/2014 .
.
.
.
—————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————
following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. This act may be cited as the “Florida
6 Information Protection Act of 2014.”
7 Section 2. Section 817.5681, Florida Statutes, is repealed.
8 Section 3. Section 501.171, Florida Statutes, is created to
9 read:
10 501.171 Security of confidential personal information.—
11 (1) DEFINITIONS.—As used in this section, the term:
12 (a) “Breach of security” or “breach” means unauthorized
13 access of data in electronic form containing personal
14 information. Good faith access of personal information by an
15 employee or agent of a covered entity does not constitute a
16 breach of security, provided that the information is not used
17 for a purpose unrelated to the business or subject to further
18 unauthorized use.
19 (b) “Covered entity” means a sole proprietorship,
20 partnership, corporation, trust, estate, cooperative,
21 association, or other commercial entity that acquires,
22 maintains, stores, or uses personal information. For purposes of
23 the notice requirements in subsections (3)-(6), the term
24 includes a governmental entity.
25 (c) “Customer records” means any material, regardless of
26 the physical form, on which personal information is recorded or
27 preserved by any means, including, but not limited to, written
28 or spoken words, graphically depicted, printed, or
29 electromagnetically transmitted that are provided by an
30 individual in this state to a covered entity for the purpose of
31 purchasing or leasing a product or obtaining a service.
32 (d) “Data in electronic form” means any data stored
33 electronically or digitally on any computer system or other
34 database and includes recordable tapes and other mass storage
35 devices.
36 (e) “Department” means the Department of Legal Affairs.
37 (f) “Governmental entity” means any department, division,
38 bureau, commission, regional planning agency, board, district,
39 authority, agency, or other instrumentality of this state that
40 acquires, maintains, stores, or uses data in electronic form
41 containing personal information.
42 (g)1. “Personal information” means either of the following:
43 a. An individual’s first name or first initial and last
44 name in combination with any one or more of the following data
45 elements for that individual:
46 (I) A social security number.
47 (II) A driver license or identification card number,
48 passport number, military identification number, or other
49 similar number issued on a government document used to verify
50 identity.
51 (III) A financial account number or credit or debit card
52 number, in combination with any required security code, access
53 code, or password that is necessary to permit access to an
54 individual’s financial account.
55 (IV) Any information regarding an individual’s medical
56 history, mental or physical condition, or medical treatment or
57 diagnosis by a health care professional; or
58 (V) An individual’s health insurance policy number or
59 subscriber identification number and any unique identifier used
60 by a health insurer to identify the individual.
61 b. A user name or e-mail address, in combination with a
62 password or security question and answer that would permit
63 access to an online account.
64 2. The term does not include information about an
65 individual that has been made publicly available by a federal,
66 state, or local governmental entity or information that is
67 encrypted, secured, or modified by any other method or
68 technology that removes elements that personally identify an
69 individual or that otherwise renders the information unusable.
70 (h) “Third-party agent” means an entity that has been
71 contracted to maintain, store, or process personal information
72 on behalf of a covered entity or governmental entity.
73 (2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity,
74 governmental entity, or third-party agent shall take reasonable
75 measures to protect and secure data in electronic form
76 containing personal information.
77 (3) NOTICE TO DEPARTMENT OF SECURITY BREACH.—
78 (a) A covered entity shall give notice to the department of
79 any breach of security, as expeditiously as practicable, but no
80 later than 30 days after the determination of the breach or
81 reason to believe a breach had occurred.
82 (b) The written notice to the department must include:
83 1. A synopsis of the events surrounding the breach.
84 2. The number of individuals in this state who were or
85 potentially have been affected by the breach.
86 3. Any services related to the breach being offered,
87 without charge, by the covered entity to individuals, and
88 instructions as to how to use such services.
89 4. A copy of the notice required under subsection (4) or an
90 explanation of the other actions taken pursuant to subsection
91 (4).
92 5. The name, address, telephone number, and e-mail address
93 of the employee of the covered entity from whom additional
94 information may be obtained about the breach, and the steps
95 taken to rectify the breach and prevent similar breaches.
96 (c) The covered entity must provide the following
97 information to the department upon its request:
98 1. A police report, incident report, or computer forensics
99 report.
100 2. A copy of the policies in place regarding breaches.
101 3. Any steps that have been taken to rectify the breach.
102 (d) For a covered entity that is the judicial branch, the
103 Executive Office of the Governor, the Department of Financial
104 Services, or the Department of Agriculture and Consumer
105 Services, in lieu of providing the written notice to the
106 department, the covered entity may post the information
107 described in subparagraphs (b)1.-4. on an agency-managed
108 website.
109 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—
110 (a) A covered entity shall give notice to each individual
111 in this state whose personal information was, or the covered
112 entity reasonably believes to have been, accessed as a result of
113 the breach. Notice to individuals shall be made as expeditiously
114 as practicable and without unreasonable delay, taking into
115 account the time necessary to allow the covered entity to
116 determine the scope of the breach of security, to identify
117 individuals affected by the breach, and to restore the
118 reasonable integrity of the data system that was breached, but
119 no later than 30 days after the determination of a breach unless
120 subject to a delay authorized under paragraph (b) or waiver
121 under paragraph (c).
122 (b) If a federal, state, or local law enforcement agency
123 determines that notice to individuals required under this
124 subsection would interfere with a criminal investigation, the
125 notice shall be delayed upon the written request of the law
126 enforcement agency for a specified period that the law
127 enforcement agency determines is reasonably necessary. A law
128 enforcement agency may, by a subsequent written request, revoke
129 such delay as of a specified date or extend the period set forth
130 in the original request made under this paragraph to a specified
131 date if further delay is necessary.
132 (c) Notwithstanding paragraph (a), notice to the affected
133 individuals is not required if, after an appropriate
134 investigation and consultation with relevant federal, state, and
135 local law enforcement agencies, the covered entity reasonably
136 determines that the breach has not and will not likely result in
137 identity theft or any other financial harm to the individuals
138 whose personal information has been accessed. Such a
139 determination must be documented in writing and maintained for
140 at least 5 years. The covered entity shall provide the written
141 determination to the department within 30 days after the
142 determination.
143 (d) The notice to an affected individual shall be by one of
144 the following methods:
145 1. Written notice sent to the mailing address of the
146 individual in the records of the covered entity; or
147 2. E-mail notice sent to the e-mail address of the
148 individual in the records of the covered entity.
149 (e) The notice to an individual with respect to a breach of
150 security shall include, at a minimum:
151 1. The date, estimated date, or estimated date range of the
152 breach of security.
153 2. A description of the personal information that was
154 accessed or reasonably believed to have been accessed as a part
155 of the breach of security.
156 3. Information that the individual can use to contact the
157 covered entity to inquire about the breach of security and the
158 personal information that the covered entity maintained about
159 the individual.
160 (f) A covered entity required to provide notice to an
161 individual may provide substitute notice in lieu of direct
162 notice if such direct notice is not feasible because the cost of
163 providing notice would exceed $250,000, because the affected
164 individuals exceed 500,000 persons, or because the covered
165 entity does not have an e-mail address or mailing address for
166 the affected individuals. Such substitute notice shall include
167 the following:
168 1. A conspicuous notice on the Internet website of the
169 covered entity if the covered entity maintains a website; and
170 2. Notice in print and to broadcast media, including major
171 media in urban and rural areas where the affected individuals
172 reside.
173 (g) Notice provided pursuant to rules, regulations,
174 procedures, or guidelines established by the covered entity’s
175 primary or functional federal regulator is deemed to be in
176 compliance with the notice requirement in this subsection if the
177 covered entity notifies individuals in accordance with any
178 rules, regulations, procedures, or guidelines established by the
179 primary or functional federal regulator in the event of a breach
180 of security. Under this paragraph, the covered entity must
181 provide notice to the department under subsection (3).
182 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered
183 entity discovers circumstances requiring notice pursuant to this
184 section of more than 1,000 individuals at a single time, the
185 covered entity shall also notify, without unreasonable delay,
186 all consumer reporting agencies that compile and maintain files
187 on consumers on a nationwide basis, as defined in the Fair
188 Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing,
189 distribution, and content of the notices.
190 (6) NOTICE BY THIRD-PARTY AGENTS; DUTIES OF THIRD-PARTY
191 AGENTS.—In the event of a breach of security of a system
192 maintained by a third-party agent, such third-party agent shall
193 notify the covered entity of the breach of security as
194 expeditiously as practicable, but no later than 10 days
195 following the determination of the breach of security. Upon
196 receiving notice from a third-party agent, a covered entity
197 shall provide notices required under subsections (3) and (4). A
198 third-party agent shall provide a covered entity with all
199 information that the covered entity needs to comply with its
200 notice requirements.
201 (7) ANNUAL REPORT.—By February 1 of each year, the
202 department shall submit a report to the President of the Senate
203 and the Speaker of the House of Representatives describing the
204 nature of any reported breaches of security by governmental
205 entities or third-party agents of governmental entities in the
206 preceding calendar year along with recommendations for security
207 improvements. The report shall identify any governmental entity
208 that has violated any of the applicable requirements in
209 subsections (2)-(6) in the preceding calendar year.
210 (8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS.—Each
211 covered entity or third-party agent shall take all reasonable
212 measures to dispose, or arrange for the disposal, of customer
213 records containing personal information within its custody or
214 control when the records are no longer to be retained. Such
215 disposal shall involve shredding, erasing, or otherwise
216 modifying the personal information in the records to make it
217 unreadable or undecipherable through any means.
218 (9) ENFORCEMENT.—
219 (a) A violation of this section shall be treated as an
220 unfair or deceptive trade practice in any action brought by the
221 department under s. 501.207 against a covered entity or third
222 party agent.
223 (b) In addition to the remedies provided for in paragraph
224 (a), a covered entity that violates subsection (3) or subsection
225 (4) shall be liable for a civil penalty not to exceed $500,000,
226 as follows:
227 1. In the amount of $1,000 for each day up to the first 30
228 days following any violation of subsection (3) or subsection (4)
229 and, thereafter, $50,000 for each subsequent 30-day period or
230 portion thereof for up to 180 days.
231 2. If the violation continues for more than 180 days, in an
232 amount not to exceed $500,000.
233
234 The civil penalties for failure to notify provided in this
235 paragraph apply per breach and not per individual affected by
236 the breach.
237 (c) All penalties collected pursuant to this subsection
238 shall be deposited into the General Revenue Fund.
239 (10) NO PRIVATE CAUSE OF ACTION.—This section does not
240 establish a private cause of action.
241 Section 4. Subsection (5) of section 282.0041, Florida
242 Statutes, is amended to read:
243 282.0041 Definitions.—As used in this chapter, the term:
244 (5) “Breach” has the same meaning as the term “breach of
245 security” as defined in s. 501.171 in s. 817.5681(4).
246 Section 5. Paragraph (i) of subsection (4) of section
247 282.318, Florida Statutes, is amended to read:
248 282.318 Enterprise security of data and information
249 technology.—
250 (4) To assist the Agency for Enterprise Information
251 Technology in carrying out its responsibilities, each agency
252 head shall, at a minimum:
253 (i) Develop a process for detecting, reporting, and
254 responding to suspected or confirmed security incidents,
255 including suspected or confirmed breaches consistent with the
256 security rules and guidelines established by the Agency for
257 Enterprise Information Technology.
258 1. Suspected or confirmed information security incidents
259 and breaches must be immediately reported to the Agency for
260 Enterprise Information Technology.
261 2. For incidents involving breaches, agencies shall provide
262 notice in accordance with s. 501.171 s. 817.5681 and to the
263 Agency for Enterprise Information Technology in accordance with
264 this subsection.
265 Section 6. This act shall take effect July 1, 2014.
266
267 ================= T I T L E A M E N D M E N T ================
268 And the title is amended as follows:
269 Delete everything before the enacting clause
270 and insert:
271 A bill to be entitled
272 An act relating to security of confidential personal
273 information; providing a short title; repealing s.
274 817.5681, F.S., relating to a breach of security
275 concerning confidential personal information in third
276 party possession; creating s. 501.171, F.S.; providing
277 definitions; requiring specified entities to take
278 reasonable measures to protect and secure data
279 containing personal information in electronic form;
280 requiring specified entities to notify the Department
281 of Legal Affairs of data security breaches; requiring
282 notice to individuals of data security breaches under
283 certain circumstances; providing exceptions to notice
284 requirements under certain circumstances; specifying
285 contents and methods of notice; requiring notice to
286 credit reporting agencies under certain circumstances;
287 requiring the department to report annually to the
288 Legislature; specifying report requirements; providing
289 requirements for disposal of customer records;
290 providing for enforcement actions by the department;
291 providing civil penalties; specifying that no private
292 cause of action is created; amending ss. 282.0041 and
293 282.318, F.S.; conforming cross-references to changes
294 made by the act; providing an effective date.