Bill Text: FL S1524 | 2014 | Regular Session | Introduced
NOTE: There are more recent revisions of this legislation.
Bill Title: Security of Confidential Personal Information
Spectrum: Slight Partisan Bill (? 2-1)
Status: (Passed) 2014-06-20 - Chapter No. 2014-189, companion bill(s) passed, see CS/CS/SB 1526 (Ch. 2014-190)
Download: Florida-2014-S1524-Introduced.html
Florida Senate - 2014 SB 1524
By Senator Thrasher
6-01033A-14

A bill to be entitled

An act relating to security of confidential personal information; providing a short title; repealing s. 817.5681, F.S., relating to a breach of security concerning confidential personal information in third-party possession; creating s. 501.171, F.S.; providing definitions; requiring specified entities to take reasonable measures to protect and secure data containing personal information in electronic form; requiring specified entities to notify the Department of Legal Affairs of data security breaches; requiring notice to individuals of data security breaches in certain circumstances; providing exceptions to notice requirements in certain circumstances; specifying contents of notice; requiring notice to credit reporting agencies in certain circumstances; requiring the department to report annually to the Legislature; specifying report requirements; providing requirements for disposal of customer records; providing for enforcement actions by the department; providing civil penalties; specifying that no private cause of action is created; amending ss. 282.0041 and 282.318, F.S.; conforming cross-references to changes made by the act; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. This act may be cited as the “Florida Information Protection Act of 2014.”

Section 2. Section 817.5681, Florida Statutes, is repealed.

Section 3. Section 501.171, Florida Statutes, is created to read:

501.171 Security of confidential personal information.—

(1) DEFINITIONS.—As used in this section, the term:

(a) “Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information.

(b) “Covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements of subsections (3)-(6), the term includes a governmental entity.

(c) “Customer records” means any material, regardless of the physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphically depicted, printed, or electromagnetically transmitted that are provided by an individual in this state to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.

(d) “Data in electronic form” means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

(e) “Department” means the Department of Legal Affairs.

(f) “Governmental entity” means any department, division, bureau, commission, regional planning agency, board, district, authority, agency, or other instrumentality of this state that acquires, maintains, stores, or uses data in electronic form containing personal information.

(g)1. “Personal information” means either of the following:

a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:

(I) A social security number.

(II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity.

(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

(IV) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(V) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

(VI) Any other information from or about an individual that could be used to personally identify that person; or

b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity or information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

(h) “Third-party agent” means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity.

(2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information and prevent a breach of security.

(3) NOTICE TO DEPARTMENT OF SECURITY BREACH.—

(a) A covered entity shall give notice to the department of any breach of security following discovery by the covered entity. Notice to the department must be made within 30 days after the determination of the breach or reason to believe a breach had occurred.

(b) The written notice to the department must include:

1. A synopsis of the events surrounding the breach.
2. A police report, incident report, or computer forensics report.
3. The number of individuals in this state who were or potentially have been affected by the breach.
4. A copy of the policies in place regarding breaches.
5. Any steps that have been taken to rectify the breach.
6. Any services being offered by the covered entity to individuals, without charge, and instructions as to how to use such services.
7. A copy of the notice sent to the individuals.
8. The name, address, telephone number, and e-mail address of the employee of the covered entity from whom additional information may be obtained about the breach and the steps taken to rectify the breach and prevent similar breaches.
9. Whether notice to individuals is being made pursuant to federal law or pursuant to the requirements of subsection (4).

(c) For a covered entity that is the judicial branch, the Executive Office of the Governor, the Department of Financial Services, and the Department of Agriculture and Consumer Services, in lieu of providing the written notice to the department, the covered entity may post the information described in subparagraphs (b)1.-7. on an agency-managed website.

(4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—

(a) A covered entity shall give notice to each individual in this state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach unless subject to a delay authorized under paragraph (b) or waiver under paragraph (c).

(b) If a federal or state law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for any period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period set forth in the original request made under this paragraph by a subsequent request if further delay is necessary.

(c) Notwithstanding paragraph (a), notice to the affected individuals is not required if, after an appropriate investigation and written consultation with relevant federal and state law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination.

(d) The notice to an affected individual shall be by one of the following methods:

1. Written notice sent to the mailing address of the individual in the records of the covered entity; or
2. E-mail notice sent to the e-mail address of the individual in the records of the covered entity.

(e) The notice to an individual with respect to a breach of security shall include, at a minimum:

1. The date, estimated date, or estimated date range of the breach of security.
2. A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security.
3. Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.

(f) A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, the affected individuals exceed 500,000 persons, or the covered entity does not have an e-mail address or mailing address for the affected individuals. Such substitute notice shall include the following:

1. A conspicuous notice on the Internet website of the covered entity, if such covered entity maintains a website; and
2. Notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.

(g) A covered entity that is in compliance with any federal law that requires such covered entity to provide notice to individuals following a breach of security is deemed to comply with the notice requirements of this subsection if the covered entity has promptly provided the notice to the department under subsection (3).

(5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices.

(6) NOTICE BY THIRD-PARTY AGENTS; DUTIES OF THIRD-PARTY AGENTS.—In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall promptly notify the covered entity of the breach of security. Upon receiving notice from a third-party agent, a covered entity shall provide notices required under subsections (3) and (4). A third-party agent shall provide a covered entity with all information that the covered entity needs to comply with its notice requirements.

(7) ANNUAL REPORT.—By February 1 of each year, the department shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing the nature of any reported breaches of security by governmental entities or third-party agents of governmental entities in the preceding calendar year along with recommendations for security improvements. The report shall identify any governmental entity that has violated any of the applicable requirements in subsections (2)-(6) in the preceding calendar year.

(8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS.—Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

(9) ENFORCEMENT.—

(a) A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the department under s. 501.207 against a covered entity or third-party agent.

(b) In addition to the remedies provided for in paragraph (a), a covered entity that violates subsection (3) or subsection (4) shall be liable for a civil penalty not to exceed $500,000, as follows:

1. In the amount of $1,000 for each day the breach goes undisclosed for up to 30 days and, thereafter, $50,000 for each 30-day period or portion thereof for up to 180 days.
2. If notice is not made within 180 days, in an amount not to exceed $500,000.

The civil penalties for failure to notify provided in this paragraph shall apply per breach and not per individual affected by the breach.

(c) All penalties collected pursuant to this subsection shall be deposited into the General Revenue Fund.

(10) NO PRIVATE CAUSE OF ACTION.—This section does not establish a private cause of action.

Section 4. Subsection (5) of section 282.0041, Florida Statutes, is amended to read:

282.0041 Definitions.—As used in this chapter, the term:

(5) “Breach” has the same meaning as the term “breach of security” as provided in s. 501.171 [deleted: s. 817.5681(4)].

Section 5. Paragraph (i) of subsection (4) of section 282.318, Florida Statutes, is amended to read:

282.318 Enterprise security of data and information technology.—

(4) To assist the Agency for Enterprise Information Technology in carrying out its responsibilities, each agency head shall, at a minimum:

(i) Develop a process for detecting, reporting, and responding to suspected or confirmed security incidents, including suspected or confirmed breaches consistent with the security rules and guidelines established by the Agency for Enterprise Information Technology.

1. Suspected or confirmed information security incidents and breaches must be immediately reported to the Agency for Enterprise Information Technology.
2. For incidents involving breaches, agencies shall provide notice in accordance with s. 501.171 [deleted: s. 817.5681] and to the Agency for Enterprise Information Technology in accordance with this subsection.

Section 6. This act shall take effect July 1, 2014.