Bill Text: FL S1524 | 2014 | Regular Session | Comm Sub
Bill Title: Security of Confidential Personal Information
Spectrum: Slight Partisan Bill (? 2-1)
Status: (Passed) 2014-06-20 - Chapter No. 2014-189, companion bill(s) passed, see CS/CS/SB 1526 (Ch. 2014-190) [S1524 Detail]
Download: Florida-2014-S1524-Comm_Sub.html
Florida Senate - 2014 CS for SB 1524
By the Committee on Commerce and Tourism; and Senator Thrasher
577-03111-14 20141524c1

A bill to be entitled
An act relating to security of confidential personal information; providing a short title; repealing s. 817.5681, F.S., relating to a breach of security concerning confidential personal information in third party possession; creating s. 501.171, F.S.; providing definitions; requiring specified entities to take reasonable measures to protect and secure data containing personal information in electronic form; requiring specified entities to notify the Department of Legal Affairs of data security breaches; requiring notice to individuals of data security breaches under certain circumstances; providing exceptions to notice requirements under certain circumstances; specifying contents and methods of notice; requiring notice to credit reporting agencies under certain circumstances; requiring the department to report annually to the Legislature; specifying report requirements; providing requirements for disposal of customer records; providing for enforcement actions by the department; providing civil penalties; specifying that no private cause of action is created; amending ss. 282.0041 and 282.318, F.S.; conforming cross-references to changes made by the act; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. This act may be cited as the “Florida Information Protection Act of 2014.”

Section 2. Section 817.5681, Florida Statutes, is repealed.

Section 3. Section 501.171, Florida Statutes, is created to read:

501.171 Security of confidential personal information.—

(1) DEFINITIONS.—As used in this section, the term:

(a) “Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of a covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.

(b) “Covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements in subsections (3)-(6), the term includes a governmental entity.

(c) “Customer records” means any material, regardless of the physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphically depicted, printed, or electromagnetically transmitted that are provided by an individual in this state to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.

(d) “Data in electronic form” means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

(e) “Department” means the Department of Legal Affairs.

(f) “Governmental entity” means any department, division, bureau, commission, regional planning agency, board, district, authority, agency, or other instrumentality of this state that acquires, maintains, stores, or uses data in electronic form containing personal information.

(g)1. “Personal information” means either of the following:

a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:

(I) A social security number.

(II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity.

(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

(IV) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

(V) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity or information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

(h) “Third-party agent” means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity.

(2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.

(3) NOTICE TO DEPARTMENT OF SECURITY BREACH.—

(a) A covered entity shall give notice to the department of any breach of security, as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach had occurred.

(b) The written notice to the department must include:

1. A synopsis of the events surrounding the breach.

2. The number of individuals in this state who were or potentially have been affected by the breach.

3. Any services related to the breach being offered, without charge, by the covered entity to individuals, and instructions as to how to use such services.

4. A copy of the notice required under subsection (4) or an explanation of the other actions taken pursuant to subsection (4).

5. The name, address, telephone number, and e-mail address of the employee of the covered entity from whom additional information may be obtained about the breach, and the steps taken to rectify the breach and prevent similar breaches.

(c) The covered entity must provide the following information to the department upon its request:

1. A police report, incident report, or computer forensics report.

2. A copy of the policies in place regarding breaches.

3. Any steps that have been taken to rectify the breach.

(d) For a covered entity that is the judicial branch, the Executive Office of the Governor, the Department of Financial Services, or the Department of Agriculture and Consumer Services, in lieu of providing the written notice to the department, the covered entity may post the information described in subparagraphs (b)1.-4. on an agency-managed website.

(4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—

(a) A covered entity shall give notice to each individual in this state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach unless subject to a delay authorized under paragraph (b) or waiver under paragraph (c).

(b) If a federal, state, or local law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request made under this paragraph to a specified date if further delay is necessary.

(c) Notwithstanding paragraph (a), notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, and local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination.

(d) The notice to an affected individual shall be by one of the following methods:

1. Written notice sent to the mailing address of the individual in the records of the covered entity; or

2. E-mail notice sent to the e-mail address of the individual in the records of the covered entity.

(e) The notice to an individual with respect to a breach of security shall include, at a minimum:

1. The date, estimated date, or estimated date range of the breach of security.

2. A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security.

3. Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.

(f) A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an e-mail address or mailing address for the affected individuals. Such substitute notice shall include the following:

1. A conspicuous notice on the Internet website of the covered entity if the covered entity maintains a website; and

2. Notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.

(g) Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity’s primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies individuals in accordance with any rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security. Under this paragraph, the covered entity must provide notice to the department under subsection (3).

(5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices.

(6) NOTICE BY THIRD-PARTY AGENTS; DUTIES OF THIRD-PARTY AGENTS.—In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the covered entity of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security. Upon receiving notice from a third-party agent, a covered entity shall provide notices required under subsections (3) and (4). A third-party agent shall provide a covered entity with all information that the covered entity needs to comply with its notice requirements.

(7) ANNUAL REPORT.—By February 1 of each year, the department shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing the nature of any reported breaches of security by governmental entities or third-party agents of governmental entities in the preceding calendar year along with recommendations for security improvements. The report shall identify any governmental entity that has violated any of the applicable requirements in subsections (2)-(6) in the preceding calendar year.

(8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS.—Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

(9) ENFORCEMENT.—

(a) A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the department under s. 501.207 against a covered entity or third-party agent.

(b) In addition to the remedies provided for in paragraph (a), a covered entity that violates subsection (3) or subsection (4) shall be liable for a civil penalty not to exceed $500,000, as follows:

1. In the amount of $1,000 for each day up to the first 30 days following any violation of subsection (3) or subsection (4) and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days.

2. If the violation continues for more than 180 days, in an amount not to exceed $500,000.

The civil penalties for failure to notify provided in this paragraph apply per breach and not per individual affected by the breach.

(c) All penalties collected pursuant to this subsection shall be deposited into the General Revenue Fund.

(10) NO PRIVATE CAUSE OF ACTION.—This section does not establish a private cause of action.

Section 4. Subsection (5) of section 282.0041, Florida Statutes, is amended to read:

282.0041 Definitions.—As used in this chapter, the term:

(5) “Breach” has the same meaning as the term “breach of security” as defined in s. 501.171 [stricken: in s. 817.5681(4)].

Section 5. Paragraph (i) of subsection (4) of section 282.318, Florida Statutes, is amended to read:

282.318 Enterprise security of data and information technology.—

(4) To assist the Agency for Enterprise Information Technology in carrying out its responsibilities, each agency head shall, at a minimum:

(i) Develop a process for detecting, reporting, and responding to suspected or confirmed security incidents, including suspected or confirmed breaches consistent with the security rules and guidelines established by the Agency for Enterprise Information Technology.

1. Suspected or confirmed information security incidents and breaches must be immediately reported to the Agency for Enterprise Information Technology.

2. For incidents involving breaches, agencies shall provide notice in accordance with s. 501.171 [stricken: s. 817.5681] and to the Agency for Enterprise Information Technology in accordance with this subsection.

Section 6. This act shall take effect July 1, 2014.