eLaws of Florida

  SECTION 501.171. Security of confidential personal information.

  (1) DEFINITIONS.-As used in this section, the term:
    (a) “Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
    (b) “Covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements in subsections (3)-(6), the term includes a governmental entity.
    (c) “Customer records” means any material, regardless of the physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphically depicted, printed, or electromagnetically transmitted that are provided by an individual in this state to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.
    (d) “Data in electronic form” means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
    (e) “Department” means the Department of Legal Affairs.
    (f) “Governmental entity” means any department, division, bureau, commission, regional planning agency, board, district, authority, agency, or other instrumentality of this state that acquires, maintains, stores, or uses data in electronic form containing personal information.
    (g)1. “Personal information” means either of the following:
      a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:
        (I) A social security number;
        (II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
        (III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
        (IV) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
        (V) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
      b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
    2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
    (h) “Third-party agent” means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity.
  (2) REQUIREMENTS FOR DATA SECURITY.-Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.
  (3) NOTICE TO DEPARTMENT OF SECURITY BREACH.-
    (a) A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. A covered entity may receive 15 additional days to provide notice as required in subsection (4) if good cause for delay is provided in writing to the department within 30 days after determination of the breach or reason to believe a breach occurred.
    (b) The written notice to the department must include:
      1. A synopsis of the events surrounding the breach at the time notice is provided.
      2. The number of individuals in this state who were or potentially have been affected by the breach.
      3. Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services.
      4. A copy of the notice required under subsection (4) or an explanation of the other actions taken pursuant to subsection (4).
      5. The name, address, telephone number, and e-mail address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.
    (c) The covered entity must provide the following information to the department upon its request:
      1. A police report, incident report, or computer forensics report.
      2. A copy of the policies in place regarding breaches.
      3. Steps that have been taken to rectify the breach.
    (d) A covered entity may provide the department with supplemental information regarding a breach at any time.
    (e) For a covered entity that is the judicial branch, the Executive Office of the Governor, the Department of Financial Services, or the Department of Agriculture and Consumer Services, in lieu of providing the written notice to the department, the covered entity may post the information described in subparagraphs (b)1.-4. on an agency-managed website.
  (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.-
    (a) A covered entity shall give notice to each individual in this state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to a delay authorized under paragraph (b) or waiver under paragraph (c).
    (b) If a federal, state, or local law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request made under this paragraph to a specified date if further delay is necessary.
    (c) Notwithstanding paragraph (a), notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination.
    (d) The notice to an affected individual shall be by one of the following methods:
      1. Written notice sent to the mailing address of the individual in the records of the covered entity; or
      2. E-mail notice sent to the e-mail address of the individual in the records of the covered entity.
    (e) The notice to an individual with respect to a breach of security shall include, at a minimum:
      1. The date, estimated date, or estimated date range of the breach of security.
      2. A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security.
      3. Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.
    (f) A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an e-mail address or mailing address for the affected individuals. Such substitute notice shall include the following:
      1. A conspicuous notice on the Internet website of the covered entity if the covered entity maintains a website; and
      2. Notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.
    (g) Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity’s primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security. Under this paragraph, a covered entity that timely provides a copy of such notice to the department is deemed to be in compliance with the notice requirement in subsection (3).
  (5) NOTICE TO CREDIT REPORTING AGENCIES.-If a covered entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices.
  (6) NOTICE BY THIRD-PARTY AGENTS; DUTIES OF THIRD-PARTY AGENTS; NOTICE BY AGENTS.-
    (a) In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the covered entity of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, a covered entity shall provide notices required under subsections (3) and (4). A third-party agent shall provide a covered entity with all information that the covered entity needs to comply with its notice requirements.
    (b) An agent may provide notice as required under subsections (3) and (4) on behalf of the covered entity; however, an agent’s failure to provide proper notice shall be deemed a violation of this section against the covered entity.
  (7) ANNUAL REPORT.-By February 1 of each year, the department shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing the nature of any reported breaches of security by governmental entities or third-party agents of governmental entities in the preceding calendar year along with recommendations for security improvements. The report shall identify any governmental entity that has violated any of the applicable requirements in subsections (2)-(6) in the preceding calendar year.
  (8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS.-Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
  (9) ENFORCEMENT.-
    (a) A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the department under s. 501.207 against a covered entity or third-party agent.
    (b) In addition to the remedies provided for in paragraph (a), a covered entity that violates subsection (3) or subsection (4) shall be liable for a civil penalty not to exceed $500,000, as follows:
      1. In the amount of $1,000 for each day up to the first 30 days following any violation of subsection (3) or subsection (4) and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days.
      2. If the violation continues for more than 180 days, in an amount not to exceed $500,000.

    The civil penalties for failure to notify provided in this paragraph apply per breach and not per individual affected by the breach.

    (c) All penalties collected pursuant to this subsection shall be deposited into the General Revenue Fund.
  (10) NO PRIVATE CAUSE OF ACTION.-This section does not establish a private cause of action.
  (11) PUBLIC RECORDS EXEMPTION.-
    (a) All information received by the department pursuant to a notification required by this section, or received by the department pursuant to an investigation by the department or a law enforcement agency, is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution, until such time as the investigation is completed or ceases to be active. This exemption shall be construed in conformity with s. 119.071(2)(c).
    (b) During an active investigation, information made confidential and exempt pursuant to paragraph (a) may be disclosed by the department:
      1. In the furtherance of its official duties and responsibilities;
      2. For print, publication, or broadcast if the department determines that such release would assist in notifying the public or locating or identifying a person that the department believes to be a victim of a data breach or improper disposal of customer records, except that information made confidential and exempt by paragraph (c) may not be released pursuant to this subparagraph; or
      3. To another governmental entity in the furtherance of its official duties and responsibilities.
    (c) Upon completion of an investigation or once an investigation ceases to be active, the following information received by the department shall remain confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution:
      1. All information to which another public records exemption applies.
      2. Personal information.
      3. A computer forensic report.
      4. Information that would otherwise reveal weaknesses in a covered entity’s data security.
      5. Information that would disclose a covered entity’s proprietary information.
    (d) For purposes of this subsection, the term “proprietary information” means information that:
      1. Is owned or controlled by the covered entity.
      2. Is intended to be private and is treated by the covered entity as private because disclosure would harm the covered entity or its business operations.
      3. Has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public.
      4. Is not publicly available or otherwise readily ascertainable through proper means from another source in the same configuration as received by the department.
      5. Includes:
        a. Trade secrets as defined in s. 688.002.
        b. Competitive interests, the disclosure of which would impair the competitive business of the covered entity who is the subject of the information.
History.-s. 3, ch. 2014-189; s. 1, ch. 2014-190; s. 1, ch. 2019-32.