Bill Amendment: FL S1524 | 2014 | Regular Session
NOTE: For additional amemendments please see the Bill Drafting List
Bill Title: Security of Confidential Personal Information
Status: 2014-06-20 - Chapter No. 2014-189, companion bill(s) passed, see CS/CS/SB 1526 (Ch. 2014-190) [S1524 Detail]
Download: Florida-2014-S1524-Senate_Committee_Amendment_797172.html
Bill Title: Security of Confidential Personal Information
Status: 2014-06-20 - Chapter No. 2014-189, companion bill(s) passed, see CS/CS/SB 1526 (Ch. 2014-190) [S1524 Detail]
Download: Florida-2014-S1524-Senate_Committee_Amendment_797172.html
Florida Senate - 2014 COMMITTEE AMENDMENT Bill No. SB 1524 Ì7971726Î797172 LEGISLATIVE ACTION Senate . House . . . . . ————————————————————————————————————————————————————————————————— ————————————————————————————————————————————————————————————————— following: 1 Senate Amendment (with title amendment) 2 3 Delete everything after the enacting clause 4 and insert: 5 Section 1. This act may be cited as the “Florida 6 Information Protection Act of 2014.” 7 Section 2. Section 817.5681, Florida Statutes, is repealed. 8 Section 3. Section 501.171, Florida Statutes, is created to 9 read: 10 501.171 Security of confidential personal information.— 11 (1) DEFINITIONS.—As used in this section, the term: 12 (a) “Breach of security” or “breach” means unauthorized 13 access of data in electronic form containing personal 14 information. Good faith access of personal information by an 15 employee or agent of a covered entity does not constitute a 16 breach of security, provided that the information is not used 17 for a purpose unrelated to the business or subject to further 18 unauthorized use. 19 (b) “Covered entity” means a sole proprietorship, 20 partnership, corporation, trust, estate, cooperative, 21 association, or other commercial entity that acquires, 22 maintains, stores, or uses personal information. For purposes of 23 the notice requirements in subsections (3)-(6), the term 24 includes a governmental entity. 25 (c) “Customer records” means any material, regardless of 26 the physical form, on which personal information is recorded or 27 preserved by any means, including, but not limited to, written 28 or spoken words, graphically depicted, printed, or 29 electromagnetically transmitted that are provided by an 30 individual in this state to a covered entity for the purpose of 31 purchasing or leasing a product or obtaining a service. 32 (d) “Data in electronic form” means any data stored 33 electronically or digitally on any computer system or other 34 database and includes recordable tapes and other mass storage 35 devices. 36 (e) “Department” means the Department of Legal Affairs. 37 (f) “Governmental entity” means any department, division, 38 bureau, commission, regional planning agency, board, district, 39 authority, agency, or other instrumentality of this state that 40 acquires, maintains, stores, or uses data in electronic form 41 containing personal information. 42 (g)1. “Personal information” means either of the following: 43 a. An individual’s first name or first initial and last 44 name in combination with any one or more of the following data 45 elements for that individual: 46 (I) A social security number. 47 (II) A driver license or identification card number, 48 passport number, military identification number, or other 49 similar number issued on a government document used to verify 50 identity. 51 (III) A financial account number or credit or debit card 52 number, in combination with any required security code, access 53 code, or password that is necessary to permit access to an 54 individual’s financial account. 55 (IV) Any information regarding an individual’s medical 56 history, mental or physical condition, or medical treatment or 57 diagnosis by a health care professional; or 58 (V) An individual’s health insurance policy number or 59 subscriber identification number and any unique identifier used 60 by a health insurer to identify the individual. 61 b. A user name or e-mail address, in combination with a 62 password or security question and answer that would permit 63 access to an online account. 64 2. The term does not include information about an 65 individual that has been made publicly available by a federal, 66 state, or local governmental entity or information that is 67 encrypted, secured, or modified by any other method or 68 technology that removes elements that personally identify an 69 individual or that otherwise renders the information unusable. 70 (h) “Third-party agent” means an entity that has been 71 contracted to maintain, store, or process personal information 72 on behalf of a covered entity or governmental entity. 73 (2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity, 74 governmental entity, or third-party agent shall take reasonable 75 measures to protect and secure data in electronic form 76 containing personal information. 77 (3) NOTICE TO DEPARTMENT OF SECURITY BREACH.— 78 (a) A covered entity shall give notice to the department of 79 any breach of security, as expeditiously as practicable, but no 80 later than 30 days after the determination of the breach or 81 reason to believe a breach had occurred. 82 (b) The written notice to the department must include: 83 1. A synopsis of the events surrounding the breach. 84 2. The number of individuals in this state who were or 85 potentially have been affected by the breach. 86 3. Any services related to the breach being offered, 87 without charge, by the covered entity to individuals, and 88 instructions as to how to use such services. 89 4. A copy of the notice required under subsection (4) or an 90 explanation of the other actions taken pursuant to subsection 91 (4). 92 5. The name, address, telephone number, and e-mail address 93 of the employee of the covered entity from whom additional 94 information may be obtained about the breach, and the steps 95 taken to rectify the breach and prevent similar breaches. 96 (c) The covered entity must provide the following 97 information to the department upon its request: 98 1. A police report, incident report, or computer forensics 99 report. 100 2. A copy of the policies in place regarding breaches. 101 3. Any steps that have been taken to rectify the breach. 102 (d) For a covered entity that is the judicial branch, the 103 Executive Office of the Governor, the Department of Financial 104 Services, or the Department of Agriculture and Consumer 105 Services, in lieu of providing the written notice to the 106 department, the covered entity may post the information 107 described in subparagraphs (b)1.-4. on an agency-managed 108 website. 109 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.— 110 (a) A covered entity shall give notice to each individual 111 in this state whose personal information was, or the covered 112 entity reasonably believes to have been, accessed as a result of 113 the breach. Notice to individuals shall be made as expeditiously 114 as practicable and without unreasonable delay, taking into 115 account the time necessary to allow the covered entity to 116 determine the scope of the breach of security, to identify 117 individuals affected by the breach, and to restore the 118 reasonable integrity of the data system that was breached, but 119 no later than 30 days after the determination of a breach unless 120 subject to a delay authorized under paragraph (b) or waiver 121 under paragraph (c). 122 (b) If a federal, state, or local law enforcement agency 123 determines that notice to individuals required under this 124 subsection would interfere with a criminal investigation, the 125 notice shall be delayed upon the written request of the law 126 enforcement agency for a specified period that the law 127 enforcement agency determines is reasonably necessary. A law 128 enforcement agency may, by a subsequent written request, revoke 129 such delay as of a specified date or extend the period set forth 130 in the original request made under this paragraph to a specified 131 date if further delay is necessary. 132 (c) Notwithstanding paragraph (a), notice to the affected 133 individuals is not required if, after an appropriate 134 investigation and consultation with relevant federal, state, and 135 local law enforcement agencies, the covered entity reasonably 136 determines that the breach has not and will not likely result in 137 identity theft or any other financial harm to the individuals 138 whose personal information has been accessed. Such a 139 determination must be documented in writing and maintained for 140 at least 5 years. The covered entity shall provide the written 141 determination to the department within 30 days after the 142 determination. 143 (d) The notice to an affected individual shall be by one of 144 the following methods: 145 1. Written notice sent to the mailing address of the 146 individual in the records of the covered entity; or 147 2. E-mail notice sent to the e-mail address of the 148 individual in the records of the covered entity. 149 (e) The notice to an individual with respect to a breach of 150 security shall include, at a minimum: 151 1. The date, estimated date, or estimated date range of the 152 breach of security. 153 2. A description of the personal information that was 154 accessed or reasonably believed to have been accessed as a part 155 of the breach of security. 156 3. Information that the individual can use to contact the 157 covered entity to inquire about the breach of security and the 158 personal information that the covered entity maintained about 159 the individual. 160 (f) A covered entity required to provide notice to an 161 individual may provide substitute notice in lieu of direct 162 notice if such direct notice is not feasible because the cost of 163 providing notice would exceed $250,000, because the affected 164 individuals exceed 500,000 persons, or because the covered 165 entity does not have an e-mail address or mailing address for 166 the affected individuals. Such substitute notice shall include 167 the following: 168 1. A conspicuous notice on the Internet website of the 169 covered entity if the covered entity maintains a website; and 170 2. Notice in print and to broadcast media, including major 171 media in urban and rural areas where the affected individuals 172 reside. 173 (g) Notice provided pursuant to rules, regulations, 174 procedures, or guidelines established by the covered entity’s 175 primary or functional federal regulator is deemed to be in 176 compliance with the notice requirement in this subsection if the 177 covered entity notifies individuals in accordance with any 178 rules, regulations, procedures, or guidelines established by the 179 primary or functional federal regulator in the event of a breach 180 of security. Under this paragraph, the covered entity must 181 provide notice to the department under subsection (3). 182 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered 183 entity discovers circumstances requiring notice pursuant to this 184 section of more than 1,000 individuals at a single time, the 185 covered entity shall also notify, without unreasonable delay, 186 all consumer reporting agencies that compile and maintain files 187 on consumers on a nationwide basis, as defined in the Fair 188 Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, 189 distribution, and content of the notices. 190 (6) NOTICE BY THIRD-PARTY AGENTS; DUTIES OF THIRD-PARTY 191 AGENTS.—In the event of a breach of security of a system 192 maintained by a third-party agent, such third-party agent shall 193 notify the covered entity of the breach of security as 194 expeditiously as practicable, but no later than 10 days 195 following the determination of the breach of security. Upon 196 receiving notice from a third-party agent, a covered entity 197 shall provide notices required under subsections (3) and (4). A 198 third-party agent shall provide a covered entity with all 199 information that the covered entity needs to comply with its 200 notice requirements. 201 (7) ANNUAL REPORT.—By February 1 of each year, the 202 department shall submit a report to the President of the Senate 203 and the Speaker of the House of Representatives describing the 204 nature of any reported breaches of security by governmental 205 entities or third-party agents of governmental entities in the 206 preceding calendar year along with recommendations for security 207 improvements. The report shall identify any governmental entity 208 that has violated any of the applicable requirements in 209 subsections (2)-(6) in the preceding calendar year. 210 (8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS.—Each 211 covered entity or third-party agent shall take all reasonable 212 measures to dispose, or arrange for the disposal, of customer 213 records containing personal information within its custody or 214 control when the records are no longer to be retained. Such 215 disposal shall involve shredding, erasing, or otherwise 216 modifying the personal information in the records to make it 217 unreadable or undecipherable through any means. 218 (9) ENFORCEMENT.— 219 (a) A violation of this section shall be treated as an 220 unfair or deceptive trade practice in any action brought by the 221 department under s. 501.207 against a covered entity or third 222 party agent. 223 (b) In addition to the remedies provided for in paragraph 224 (a), a covered entity that violates subsection (3) or subsection 225 (4) shall be liable for a civil penalty not to exceed $500,000, 226 as follows: 227 1. In the amount of $1,000 for each day up to the first 30 228 days following any violation of subsection (3) or subsection (4) 229 and, thereafter, $50,000 for each subsequent 30-day period or 230 portion thereof for up to 180 days. 231 2. If the violation continues for more than 180 days, in an 232 amount not to exceed $500,000. 233 234 The civil penalties for failure to notify provided in this 235 paragraph apply per breach and not per individual affected by 236 the breach. 237 (c) All penalties collected pursuant to this subsection 238 shall be deposited into the General Revenue Fund. 239 (10) NO PRIVATE CAUSE OF ACTION.—This section does not 240 establish a private cause of action. 241 Section 4. Subsection (5) of section 282.0041, Florida 242 Statutes, is amended to read: 243 282.0041 Definitions.—As used in this chapter, the term: 244 (5) “Breach” has the same meaning as the term “breach of 245 security” as defined in s. 501.171in s. 817.5681(4). 246 Section 5. Paragraph (i) of subsection (4) of section 247 282.318, Florida Statutes, is amended to read: 248 282.318 Enterprise security of data and information 249 technology.— 250 (4) To assist the Agency for Enterprise Information 251 Technology in carrying out its responsibilities, each agency 252 head shall, at a minimum: 253 (i) Develop a process for detecting, reporting, and 254 responding to suspected or confirmed security incidents, 255 including suspected or confirmed breaches consistent with the 256 security rules and guidelines established by the Agency for 257 Enterprise Information Technology. 258 1. Suspected or confirmed information security incidents 259 and breaches must be immediately reported to the Agency for 260 Enterprise Information Technology. 261 2. For incidents involving breaches, agencies shall provide 262 notice in accordance with s. 501.171s. 817.5681and to the 263 Agency for Enterprise Information Technology in accordance with 264 this subsection. 265 Section 6. This act shall take effect July 1, 2014. 266 267 ================= T I T L E A M E N D M E N T ================ 268 And the title is amended as follows: 269 Delete everything before the enacting clause 270 and insert: 271 A bill to be entitled 272 An act relating to security of confidential personal 273 information; providing a short title; repealing s. 274 817.5681, F.S., relating to a breach of security 275 concerning confidential personal information in third 276 party possession; creating s. 501.171, F.S.; providing 277 definitions; requiring specified entities to take 278 reasonable measures to protect and secure data 279 containing personal information in electronic form; 280 requiring specified entities to notify the Department 281 of Legal Affairs of data security breaches; requiring 282 notice to individuals of data security breaches under 283 certain circumstances; providing exceptions to notice 284 requirements under certain circumstances; specifying 285 contents and methods of notice; requiring notice to 286 credit reporting agencies under certain circumstances; 287 requiring the department to report annually to the 288 Legislature; specifying report requirements; providing 289 requirements for disposal of customer records; 290 providing for enforcement actions by the department; 291 providing civil penalties; specifying that no private 292 cause of action is created; amending ss. 282.0041 and 293 282.318, F.S.; conforming cross-references to changes 294 made by the act; providing an effective date.