Florida Senate - 2014                                    SB 1524
       By Senator Thrasher
       6-01033A-14                                           20141524__
    1                        A bill to be entitled                      
    2         An act relating to security of confidential personal
    3         information; providing a short title; repealing s.
    4         817.5681, F.S., relating to a breach of security
    5         concerning confidential personal information in third
    6         party possession; creating s. 501.171, F.S.; providing
    7         definitions; requiring specified entities to take
    8         reasonable measures to protect and secure data
    9         containing personal information in electronic form;
   10         requiring specified entities to notify the Department
   11         of Legal Affairs of data security breaches; requiring
   12         notice to individuals of data security breaches in
   13         certain circumstances; providing exceptions to notice
   14         requirements in certain circumstances; specifying
   15         contents of notice; requiring notice to credit
   16         reporting agencies in certain circumstances; requiring
   17         the department to report annually to the Legislature;
   18         specifying report requirements; providing requirements
   19         for disposal of customer records; providing for
   20         enforcement actions by the department; providing civil
   21         penalties; specifying that no private cause of action
   22         is created; amending ss. 282.0041 and 282.318, F.S.;
   23         conforming cross-references to changes made by the
   24         act; providing an effective date.
   26  Be It Enacted by the Legislature of the State of Florida:
   28         Section 1. This act may be cited as the “Florida
   29  Information Protection Act of 2014.”
   30         Section 2. Section 817.5681, Florida Statutes, is repealed.
   31         Section 3. Section 501.171, Florida Statutes, is created to
   32  read:
   33         501.171Security of confidential personal information.—
   34         (1) DEFINITIONS.—As used in this section, the term:
   35         (a) “Breach of security” or “breach” means unauthorized
   36  access of data in electronic form containing personal
   37  information.
   38         (b) “Covered entity” means a sole proprietorship,
   39  partnership, corporation, trust, estate, cooperative,
   40  association, or other commercial entity that acquires,
   41  maintains, stores, or uses personal information. For purposes of
   42  the notice requirements of subsections (3)-(6), the term
   43  includes a governmental entity.
   44         (c) “Customer records” means any material, regardless of
   45  the physical form, on which personal information is recorded or
   46  preserved by any means, including, but not limited to, written
   47  or spoken words, graphically depicted, printed, or
   48  electromagnetically transmitted that are provided by an
   49  individual in this state to a covered entity for the purpose of
   50  purchasing or leasing a product or obtaining a service.
   51         (d) “Data in electronic form” means any data stored
   52  electronically or digitally on any computer system or other
   53  database and includes recordable tapes and other mass storage
   54  devices.
   55         (e) “Department” means the Department of Legal Affairs.
   56         (f) “Governmental entity” means any department, division,
   57  bureau, commission, regional planning agency, board, district,
   58  authority, agency, or other instrumentality of this state that
   59  acquires, maintains, stores, or uses data in electronic form
   60  containing personal information.
   61         (g)1. “Personal information” means either of the following:
   62         a. An individual’s first name or first initial and last
   63  name in combination with any one or more of the following data
   64  elements for that individual:
   65         (I) A social security number.
   66         (II) A driver license or identification card number,
   67  passport number, military identification number, or other
   68  similar number issued on a government document used to verify
   69  identity.
   70         (III) A financial account number or credit or debit card
   71  number, in combination with any required security code, access
   72  code, or password that is necessary to permit access to an
   73  individual’s financial account.
   74         (IV) Any information regarding an individual’s medical
   75  history, mental or physical condition, or medical treatment or
   76  diagnosis by a health care professional.
   77         (V) An individual’s health insurance policy number or
   78  subscriber identification number and any unique identifier used
   79  by a health insurer to identify the individual.
   80         (VI) Any other information from or about an individual that
   81  could be used to personally identify that person; or
   82         b. A user name or e-mail address, in combination with a
   83  password or security question and answer that would permit
   84  access to an online account.
   85         2. The term does not include information about an
   86  individual that has been made publicly available by a federal,
   87  state, or local governmental entity or information that is
   88  encrypted, secured, or modified by any other method or
   89  technology that removes elements that personally identify an
   90  individual or that otherwise renders the information unusable.
   91         (h) “Third-party agent” means an entity that has been
   92  contracted to maintain, store, or process personal information
   93  on behalf of a covered entity or governmental entity.
   94         (2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity,
   95  governmental entity, or third-party agent shall take reasonable
   96  measures to protect and secure data in electronic form
   97  containing personal information and prevent a breach of
   98  security.
  100         (a) A covered entity shall give notice to the department of
  101  any breach of security following discovery by the covered
  102  entity. Notice to the department must be made within 30 days
  103  after the determination of the breach or reason to believe a
  104  breach had occurred.
  105         (b) The written notice to the department must include:
  106         1. A synopsis of the events surrounding the breach.
  107         2. A police report, incident report, or computer forensics
  108  report.
  109         3. The number of individuals in this state who were or
  110  potentially have been affected by the breach.
  111         4. A copy of the policies in place regarding breaches.
  112         5. Any steps that have been taken to rectify the breach.
  113         6. Any services being offered by the covered entity to
  114  individuals, without charge, and instructions as to how to use
  115  such services.
  116         7. A copy of the notice sent to the individuals.
  117         8. The name, address, telephone number, and e-mail address
  118  of the employee of the covered entity from whom additional
  119  information may be obtained about the breach and the steps taken
  120  to rectify the breach and prevent similar breaches.
  121         9. Whether notice to individuals is being made pursuant to
  122  federal law or pursuant to the requirements of subsection (4).
  123         (c) For a covered entity that is the judicial branch, the
  124  Executive Office of the Governor, the Department of Financial
  125  Services, and the Department of Agriculture and Consumer
  126  Services, in lieu of providing the written notice to the
  127  department, the covered entity may post the information
  128  described in subparagraphs (b)1.-7. on an agency-managed
  129  website.
  131         (a) A covered entity shall give notice to each individual
  132  in this state whose personal information was, or the covered
  133  entity reasonably believes to have been, accessed as a result of
  134  the breach. Notice to individuals shall be made as expeditiously
  135  as practicable and without unreasonable delay, taking into
  136  account the time necessary to allow the covered entity to
  137  determine the scope of the breach of security, to identify
  138  individuals affected by the breach, and to restore the
  139  reasonable integrity of the data system that was breached, but
  140  no later than 30 days after the determination of a breach unless
  141  subject to a delay authorized under paragraph (b) or waiver
  142  under paragraph (c).
  143         (b) If a federal or state law enforcement agency determines
  144  that notice to individuals required under this subsection would
  145  interfere with a criminal investigation, the notice shall be
  146  delayed upon the written request of the law enforcement agency
  147  for any period that the law enforcement agency determines is
  148  reasonably necessary. A law enforcement agency may, by a
  149  subsequent written request, revoke such delay or extend the
  150  period set forth in the original request made under this
  151  paragraph by a subsequent request if further delay is necessary.
  152         (c) Notwithstanding paragraph (a), notice to the affected
  153  individuals is not required if, after an appropriate
  154  investigation and written consultation with relevant federal and
  155  state law enforcement agencies, the covered entity reasonably
  156  determines that the breach has not and will not likely result in
  157  identity theft or any other financial harm to the individuals
  158  whose personal information has been accessed. Such a
  159  determination must be documented in writing and maintained for
  160  at least 5 years. The covered entity shall provide the written
  161  determination to the department within 30 days after the
  162  determination.
  163         (d) The notice to an affected individual shall be by one of
  164  the following methods:
  165         1. Written notice sent to the mailing address of the
  166  individual in the records of the covered entity; or
  167         2. E-mail notice sent to the e-mail address of the
  168  individual in the records of the covered entity.
  169         (e) The notice to an individual with respect to a breach of
  170  security shall include, at a minimum:
  171         1. The date, estimated date, or estimated date range of the
  172  breach of security.
  173         2. A description of the personal information that was
  174  accessed or reasonably believed to have been accessed as a part
  175  of the breach of security.
  176         3. Information that the individual can use to contact the
  177  covered entity to inquire about the breach of security and the
  178  personal information that the covered entity maintained about
  179  the individual.
  180         (f) A covered entity required to provide notice to an
  181  individual may provide substitute notice in lieu of direct
  182  notice if such direct notice is not feasible because the cost of
  183  providing notice would exceed $250,000, the affected individuals
  184  exceed 500,000 persons, or the covered entity does not have an
  185  e-mail address or mailing address for the affected individuals.
  186  Such substitute notice shall include the following:
  187         1. A conspicuous notice on the Internet website of the
  188  covered entity, if such covered entity maintains a website; and
  189         2. Notice in print and to broadcast media, including major
  190  media in urban and rural areas where the affected individuals
  191  reside.
  192         (g) A covered entity that is in compliance with any federal
  193  law that requires such covered entity to provide notice to
  194  individuals following a breach of security is deemed to comply
  195  with the notice requirements of this subsection if the covered
  196  entity has promptly provided the notice to the department under
  197  subsection (3).
  198         (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered
  199  entity discovers circumstances requiring notice pursuant to this
  200  section of more than 1,000 individuals at a single time, the
  201  covered entity shall also notify, without unreasonable delay,
  202  all consumer reporting agencies that compile and maintain files
  203  on consumers on a nationwide basis, as defined in the Fair
  204  Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing,
  205  distribution, and content of the notices.
  207  AGENTS.—In the event of a breach of security of a system
  208  maintained by a third-party agent, such third-party agent shall
  209  promptly notify the covered entity of the breach of security.
  210  Upon receiving notice from a third-party agent, a covered entity
  211  shall provide notices required under subsections (3) and (4). A
  212  third-party agent shall provide a covered entity with all
  213  information that the covered entity needs to comply with its
  214  notice requirements.
  215         (7) ANNUAL REPORT.—By February 1 of each year, the
  216  department shall submit a report to the President of the Senate
  217  and the Speaker of the House of Representatives describing the
  218  nature of any reported breaches of security by governmental
  219  entities or third-party agents of governmental entities in the
  220  preceding calendar year along with recommendations for security
  221  improvements. The report shall identify any governmental entity
  222  that has violated any of the applicable requirements in
  223  subsections (2)-(6) in the preceding calendar year.
  225  covered entity or third-party agent shall take all reasonable
  226  measures to dispose, or arrange for the disposal, of customer
  227  records containing personal information within its custody or
  228  control when the records are no longer to be retained. Such
  229  disposal shall involve shredding, erasing, or otherwise
  230  modifying the personal information in the records to make it
  231  unreadable or undecipherable through any means.
  232         (9) ENFORCEMENT.—
  233         (a) A violation of this section shall be treated as an
  234  unfair or deceptive trade practice in any action brought by the
  235  department under s. 501.207 against a covered entity or third
  236  party agent.
  237         (b) In addition to the remedies provided for in paragraph
  238  (a), a covered entity that violates subsection (3) or subsection
  239  (4) shall be liable for a civil penalty not to exceed $500,000,
  240  as follows:
  241         1. In the amount of $1,000 for each day the breach goes
  242  undisclosed for up to 30 days and, thereafter, $50,000 for each
  243  30-day period or portion thereof for up to 180 days.
  244         2. If notice is not made within 180 days, in an amount not
  245  to exceed $500,000.
  247  The civil penalties for failure to notify provided in this
  248  paragraph shall apply per breach and not per individual affected
  249  by the breach.
  250         (c) All penalties collected pursuant to this subsection
  251  shall be deposited into the General Revenue Fund.
  252         (10) NO PRIVATE CAUSE OF ACTION.—This section does not
  253  establish a private cause of action.
  254         Section 4. Subsection (5) of section 282.0041, Florida
  255  Statutes, is amended to read:
  256         282.0041 Definitions.—As used in this chapter, the term:
  257         (5) “Breach” has the same meaning as the term “breach of
  258  security” as provided in s. 501.171 in s. 817.5681(4).
  259         Section 5. Paragraph (i) of subsection (4) of section
  260  282.318, Florida Statutes, is amended to read:
  261         282.318 Enterprise security of data and information
  262  technology.—
  263         (4) To assist the Agency for Enterprise Information
  264  Technology in carrying out its responsibilities, each agency
  265  head shall, at a minimum:
  266         (i) Develop a process for detecting, reporting, and
  267  responding to suspected or confirmed security incidents,
  268  including suspected or confirmed breaches consistent with the
  269  security rules and guidelines established by the Agency for
  270  Enterprise Information Technology.
  271         1. Suspected or confirmed information security incidents
  272  and breaches must be immediately reported to the Agency for
  273  Enterprise Information Technology.
  274         2. For incidents involving breaches, agencies shall provide
  275  notice in accordance with s. 501.171 s. 817.5681 and to the
  276  Agency for Enterprise Information Technology in accordance with
  277  this subsection.
  278         Section 6. This act shall take effect July 1, 2014.