Florida Senate - 2014                             CS for SB 1524
       By the Committee on Commerce and Tourism; and Senator Thrasher
       577-03111-14                                          20141524c1
    1                        A bill to be entitled                      
    2         An act relating to security of confidential personal
    3         information; providing a short title; repealing s.
    4         817.5681, F.S., relating to a breach of security
    5         concerning confidential personal information in third
    6         party possession; creating s. 501.171, F.S.; providing
    7         definitions; requiring specified entities to take
    8         reasonable measures to protect and secure data
    9         containing personal information in electronic form;
   10         requiring specified entities to notify the Department
   11         of Legal Affairs of data security breaches; requiring
   12         notice to individuals of data security breaches under
   13         certain circumstances; providing exceptions to notice
   14         requirements under certain circumstances; specifying
   15         contents and methods of notice; requiring notice to
   16         credit reporting agencies under certain circumstances;
   17         requiring the department to report annually to the
   18         Legislature; specifying report requirements; providing
   19         requirements for disposal of customer records;
   20         providing for enforcement actions by the department;
   21         providing civil penalties; specifying that no private
   22         cause of action is created; amending ss. 282.0041 and
   23         282.318, F.S.; conforming cross-references to changes
   24         made by the act; providing an effective date.
   26  Be It Enacted by the Legislature of the State of Florida:
   28         Section 1. This act may be cited as the “Florida
   29  Information Protection Act of 2014.”
   30         Section 2. Section 817.5681, Florida Statutes, is repealed.
   31         Section 3. Section 501.171, Florida Statutes, is created to
   32  read:
   33         501.171 Security of confidential personal information.—
   34         (1) DEFINITIONS.—As used in this section, the term:
   35         (a) “Breach of security” or “breach” means unauthorized
   36  access of data in electronic form containing personal
   37  information. Good faith access of personal information by an
   38  employee or agent of a covered entity does not constitute a
   39  breach of security, provided that the information is not used
   40  for a purpose unrelated to the business or subject to further
   41  unauthorized use.
   42         (b) “Covered entity” means a sole proprietorship,
   43  partnership, corporation, trust, estate, cooperative,
   44  association, or other commercial entity that acquires,
   45  maintains, stores, or uses personal information. For purposes of
   46  the notice requirements in subsections (3)-(6), the term
   47  includes a governmental entity.
   48         (c) “Customer records” means any material, regardless of
   49  the physical form, on which personal information is recorded or
   50  preserved by any means, including, but not limited to, written
   51  or spoken words, graphically depicted, printed, or
   52  electromagnetically transmitted that are provided by an
   53  individual in this state to a covered entity for the purpose of
   54  purchasing or leasing a product or obtaining a service.
   55         (d) “Data in electronic form” means any data stored
   56  electronically or digitally on any computer system or other
   57  database and includes recordable tapes and other mass storage
   58  devices.
   59         (e) “Department” means the Department of Legal Affairs.
   60         (f) “Governmental entity” means any department, division,
   61  bureau, commission, regional planning agency, board, district,
   62  authority, agency, or other instrumentality of this state that
   63  acquires, maintains, stores, or uses data in electronic form
   64  containing personal information.
   65         (g)1. “Personal information” means either of the following:
   66         a. An individual’s first name or first initial and last
   67  name in combination with any one or more of the following data
   68  elements for that individual:
   69         (I) A social security number.
   70         (II) A driver license or identification card number,
   71  passport number, military identification number, or other
   72  similar number issued on a government document used to verify
   73  identity.
   74         (III) A financial account number or credit or debit card
   75  number, in combination with any required security code, access
   76  code, or password that is necessary to permit access to an
   77  individual’s financial account.
   78         (IV) Any information regarding an individual’s medical
   79  history, mental or physical condition, or medical treatment or
   80  diagnosis by a health care professional; or
   81         (V) An individual’s health insurance policy number or
   82  subscriber identification number and any unique identifier used
   83  by a health insurer to identify the individual.
   84         b. A user name or e-mail address, in combination with a
   85  password or security question and answer that would permit
   86  access to an online account.
   87         2. The term does not include information about an
   88  individual that has been made publicly available by a federal,
   89  state, or local governmental entity or information that is
   90  encrypted, secured, or modified by any other method or
   91  technology that removes elements that personally identify an
   92  individual or that otherwise renders the information unusable.
   93         (h) “Third-party agent” means an entity that has been
   94  contracted to maintain, store, or process personal information
   95  on behalf of a covered entity or governmental entity.
   96         (2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity,
   97  governmental entity, or third-party agent shall take reasonable
   98  measures to protect and secure data in electronic form
   99  containing personal information.
  101         (a) A covered entity shall give notice to the department of
  102  any breach of security, as expeditiously as practicable, but no
  103  later than 30 days after the determination of the breach or
  104  reason to believe a breach had occurred.
  105         (b) The written notice to the department must include:
  106         1. A synopsis of the events surrounding the breach.
  107         2. The number of individuals in this state who were or
  108  potentially have been affected by the breach.
  109         3. Any services related to the breach being offered,
  110  without charge, by the covered entity to individuals, and
  111  instructions as to how to use such services.
  112         4. A copy of the notice required under subsection (4) or an
  113  explanation of the other actions taken pursuant to subsection
  114  (4).
  115         5. The name, address, telephone number, and e-mail address
  116  of the employee of the covered entity from whom additional
  117  information may be obtained about the breach, and the steps
  118  taken to rectify the breach and prevent similar breaches.
  119         (c) The covered entity must provide the following
  120  information to the department upon its request:
  121         1. A police report, incident report, or computer forensics
  122  report.
  123         2. A copy of the policies in place regarding breaches.
  124         3. Any steps that have been taken to rectify the breach.
  125         (d) For a covered entity that is the judicial branch, the
  126  Executive Office of the Governor, the Department of Financial
  127  Services, or the Department of Agriculture and Consumer
  128  Services, in lieu of providing the written notice to the
  129  department, the covered entity may post the information
  130  described in subparagraphs (b)1.-4. on an agency-managed
  131  website.
  133         (a) A covered entity shall give notice to each individual
  134  in this state whose personal information was, or the covered
  135  entity reasonably believes to have been, accessed as a result of
  136  the breach. Notice to individuals shall be made as expeditiously
  137  as practicable and without unreasonable delay, taking into
  138  account the time necessary to allow the covered entity to
  139  determine the scope of the breach of security, to identify
  140  individuals affected by the breach, and to restore the
  141  reasonable integrity of the data system that was breached, but
  142  no later than 30 days after the determination of a breach unless
  143  subject to a delay authorized under paragraph (b) or waiver
  144  under paragraph (c).
  145         (b) If a federal, state, or local law enforcement agency
  146  determines that notice to individuals required under this
  147  subsection would interfere with a criminal investigation, the
  148  notice shall be delayed upon the written request of the law
  149  enforcement agency for a specified period that the law
  150  enforcement agency determines is reasonably necessary. A law
  151  enforcement agency may, by a subsequent written request, revoke
  152  such delay as of a specified date or extend the period set forth
  153  in the original request made under this paragraph to a specified
  154  date if further delay is necessary.
  155         (c) Notwithstanding paragraph (a), notice to the affected
  156  individuals is not required if, after an appropriate
  157  investigation and consultation with relevant federal, state, and
  158  local law enforcement agencies, the covered entity reasonably
  159  determines that the breach has not and will not likely result in
  160  identity theft or any other financial harm to the individuals
  161  whose personal information has been accessed. Such a
  162  determination must be documented in writing and maintained for
  163  at least 5 years. The covered entity shall provide the written
  164  determination to the department within 30 days after the
  165  determination.
  166         (d) The notice to an affected individual shall be by one of
  167  the following methods:
  168         1. Written notice sent to the mailing address of the
  169  individual in the records of the covered entity; or
  170         2. E-mail notice sent to the e-mail address of the
  171  individual in the records of the covered entity.
  172         (e) The notice to an individual with respect to a breach of
  173  security shall include, at a minimum:
  174         1. The date, estimated date, or estimated date range of the
  175  breach of security.
  176         2. A description of the personal information that was
  177  accessed or reasonably believed to have been accessed as a part
  178  of the breach of security.
  179         3. Information that the individual can use to contact the
  180  covered entity to inquire about the breach of security and the
  181  personal information that the covered entity maintained about
  182  the individual.
  183         (f) A covered entity required to provide notice to an
  184  individual may provide substitute notice in lieu of direct
  185  notice if such direct notice is not feasible because the cost of
  186  providing notice would exceed $250,000, because the affected
  187  individuals exceed 500,000 persons, or because the covered
  188  entity does not have an e-mail address or mailing address for
  189  the affected individuals. Such substitute notice shall include
  190  the following:
  191         1. A conspicuous notice on the Internet website of the
  192  covered entity if the covered entity maintains a website; and
  193         2. Notice in print and to broadcast media, including major
  194  media in urban and rural areas where the affected individuals
  195  reside.
  196         (g) Notice provided pursuant to rules, regulations,
  197  procedures, or guidelines established by the covered entity’s
  198  primary or functional federal regulator is deemed to be in
  199  compliance with the notice requirement in this subsection if the
  200  covered entity notifies individuals in accordance with any
  201  rules, regulations, procedures, or guidelines established by the
  202  primary or functional federal regulator in the event of a breach
  203  of security. Under this paragraph, the covered entity must
  204  provide notice to the department under subsection (3).
  205         (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered
  206  entity discovers circumstances requiring notice pursuant to this
  207  section of more than 1,000 individuals at a single time, the
  208  covered entity shall also notify, without unreasonable delay,
  209  all consumer reporting agencies that compile and maintain files
  210  on consumers on a nationwide basis, as defined in the Fair
  211  Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing,
  212  distribution, and content of the notices.
  214  AGENTS.—In the event of a breach of security of a system
  215  maintained by a third-party agent, such third-party agent shall
  216  notify the covered entity of the breach of security as
  217  expeditiously as practicable, but no later than 10 days
  218  following the determination of the breach of security. Upon
  219  receiving notice from a third-party agent, a covered entity
  220  shall provide notices required under subsections (3) and (4). A
  221  third-party agent shall provide a covered entity with all
  222  information that the covered entity needs to comply with its
  223  notice requirements.
  224         (7) ANNUAL REPORT.—By February 1 of each year, the
  225  department shall submit a report to the President of the Senate
  226  and the Speaker of the House of Representatives describing the
  227  nature of any reported breaches of security by governmental
  228  entities or third-party agents of governmental entities in the
  229  preceding calendar year along with recommendations for security
  230  improvements. The report shall identify any governmental entity
  231  that has violated any of the applicable requirements in
  232  subsections (2)-(6) in the preceding calendar year.
  234  covered entity or third-party agent shall take all reasonable
  235  measures to dispose, or arrange for the disposal, of customer
  236  records containing personal information within its custody or
  237  control when the records are no longer to be retained. Such
  238  disposal shall involve shredding, erasing, or otherwise
  239  modifying the personal information in the records to make it
  240  unreadable or undecipherable through any means.
  241         (9) ENFORCEMENT.—
  242         (a) A violation of this section shall be treated as an
  243  unfair or deceptive trade practice in any action brought by the
  244  department under s. 501.207 against a covered entity or third
  245  party agent.
  246         (b) In addition to the remedies provided for in paragraph
  247  (a), a covered entity that violates subsection (3) or subsection
  248  (4) shall be liable for a civil penalty not to exceed $500,000,
  249  as follows:
  250         1. In the amount of $1,000 for each day up to the first 30
  251  days following any violation of subsection (3) or subsection (4)
  252  and, thereafter, $50,000 for each subsequent 30-day period or
  253  portion thereof for up to 180 days.
  254         2. If the violation continues for more than 180 days, in an
  255  amount not to exceed $500,000.
  257  The civil penalties for failure to notify provided in this
  258  paragraph apply per breach and not per individual affected by
  259  the breach.
  260         (c) All penalties collected pursuant to this subsection
  261  shall be deposited into the General Revenue Fund.
  262         (10) NO PRIVATE CAUSE OF ACTION.—This section does not
  263  establish a private cause of action.
  264         Section 4. Subsection (5) of section 282.0041, Florida
  265  Statutes, is amended to read:
  266         282.0041 Definitions.—As used in this chapter, the term:
  267         (5) “Breach” has the same meaning as the term “breach of
  268  security” as defined in s. 501.171 in s. 817.5681(4).
  269         Section 5. Paragraph (i) of subsection (4) of section
  270  282.318, Florida Statutes, is amended to read:
  271         282.318 Enterprise security of data and information
  272  technology.—
  273         (4) To assist the Agency for Enterprise Information
  274  Technology in carrying out its responsibilities, each agency
  275  head shall, at a minimum:
  276         (i) Develop a process for detecting, reporting, and
  277  responding to suspected or confirmed security incidents,
  278  including suspected or confirmed breaches consistent with the
  279  security rules and guidelines established by the Agency for
  280  Enterprise Information Technology.
  281         1. Suspected or confirmed information security incidents
  282  and breaches must be immediately reported to the Agency for
  283  Enterprise Information Technology.
  284         2. For incidents involving breaches, agencies shall provide
  285  notice in accordance with s. 501.171 s. 817.5681 and to the
  286  Agency for Enterprise Information Technology in accordance with
  287  this subsection.
  288         Section 6. This act shall take effect July 1, 2014.