Florida Security of Confidential Personal Information
Fla. Stat. § 501.171
SUMMARY:
EFFECTIVE. July 1, 2014
WHO DOES THIS LAW APPLY TO. Any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity (collectively, “entity”) that acquires, maintains, stores, or uses Personal Information. It also applies to an entity that has been contracted to maintain, store, or process Personal Information on behalf of another entity or a governmental entity (“third-party agent”).
WHAT IS A BREACH. Unauthorized acquisition of computerized data of Personal Information.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name, in combination with any one or more of the following data elements:
- Social Security Number.
- Driver’s license number, Identification Card number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Medical history, mental or physical condition, medical treatment, or diagnosis by a health care professional.
- Health insurance policy number, subscriber identification number, and any unique identifier used by a health insurer to identify the individual.
- Username or email address, in combination with a password or security question and answer that would permit access to an online account.
Personal Information does not include publicly available information, information that is lawfully available from Federal, State, or local government records, or widely distributed media. This also does not include information that is encrypted, secured, or modified by any other method or technology that removes personally identifiable elements or otherwise renders the information unusable.
WHO TO NOTIFY OF THE BREACH. Individuals: Notification of the breach must be sent to the affected Florida residents. No notification is required if the entity, after consultation with a law enforcement agency and after conducting a reasonable investigation, determines that a breach of the security of the system has not occurred or is not likely to harm the affected individual(s). Such a determination must be documented in writing and maintained for five years. Department of Legal Affairs: If more than 500 Florida residents are affected, the entity must provide notice to the Department of Legal Affairs. Credit Reporting Agencies: If more than 1,000 individuals are involved in a breach, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide of the timing, distribution, and content of the notices.
EXCEPTION. This Section does not apply to the following:
- A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, provided it is not used for a purpose unrelated to the business or subject to further unauthorized use.
- Compliance with Other Laws exemption. An entity that is regulated by State or Federal law and maintains security breach procedures pursuant to those State or Federal laws or rules is considered in compliance with this Section if the affected individuals are notified in accordance with such procedures.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent to individuals as expeditiously as practicable and without unreasonable delay, but no later than 30 days after the determination of a breach. The entity may receive an additional 15 days to notify the individuals if good cause for the delay is provided in writing to the Department of Legal Affairs within 30 days after the determination of the breach. Notice to the Department of Legal Affairs must be sent as expeditiously as practicable, but no later than 30 days after the determination of the breach. Notification may be delayed if it would impede a criminal investigation and law enforcement requests the delay. In that instance, notification will be made within 45 days following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice to the affected individuals may be provided by one of the following methods:
- Written notice.
- Email notice sent to the individual’s email address in the entity’s records.
- Substitute notice, as provided below.
The notice to the affected individuals must contain the following, at a minimum:
- Date, estimated date, or estimated date range of the breach.
- Description of the Personal Information that was accessed or is believed to have been accessed in the breach.
- Contact information for the entity, through which the individual can inquire about the breach and about the Personal Information the entity maintained about the individual.
Written notice to the Department of Legal Affairs (required if more than 500 individuals are affected) must include the following. The entity may provide supplemental information regarding the breach to the Department of Legal Affairs at any time:
- Description of the events surrounding the breach at the time notice was provided.
- Number of Florida individuals who were or potentially have been affected by the breach.
- Any services being offered or scheduled to be offered, without charge, by the entity to individuals, and instructions as to how individuals may use such services.
- Copy of the required notice to the affected individuals, or an explanation of the other actions taken to give notice to affected individuals.
- Contact name, address, telephone number, and email address of the employee or agent of the entity from whom additional information regarding the breach may be obtained.
The Department of Legal Affairs may request the following additional information, which the entity must provide:
- Police report, incident report, or computer forensics report.
- Copy of the entity’s policies in place regarding breaches.
- Steps taken to rectify the breach.
SUBSTITUTE NOTICE AVAILABLE. If the entity can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the entity has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Conspicuous posting of the notice on the entity’s website, if one is maintained.
- Notification in print and broadcast media, including major media in urban and rural areas.
NOTICE TO THIRD-PARTIES. If an entity maintains computerized data that includes Personal Information on behalf of another business, that entity shall notify the business of the data breach as soon as possible, but no later than 10 days after it is discovered. The entity that maintains the data and the business on whose behalf the data is maintained may decide between them who will provide notice to the affected individual(s). If no agreement can be reached, the entity that has the direct business relationship with the Florida resident is subject to the notification requirements of this section. An entity that maintains computerized data on behalf of another business is subject to the same notification requirements as the owner of the data.
CONSEQUENCES FOR FAILING TO NOTIFY. An entity that violates this section is subject to the following administrative fines:
- A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the Department of Legal Affairs against an entity or third-party agent.
- An entity that fails to notify the affected individuals or the Department is liable for a civil penalty of $1,000 per day for each day the breach is not disclosed, for up to 30 days, and $50,000 for each 30-day period thereafter, up to 180 days.
- If the violation continues for more than 180 days, a fine of up to $500,000 may be incurred per breach, not per individual affected.
PRIVATE RIGHT OF ACTION. NO PRIVATE CAUSE OF ACTION. This section does not establish a private cause of action.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Fla. Stat. § 501.171(8). (8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS. Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
LEGISLATIVE UPDATES.
H.B. 481 – Signed into law on 6/14/2005, Effective 7/1/2005 (Repealed July 1, 2014).
S.B. 1524 – Signed into law on 6/20/2014, Effective 7/1/2014.
S.B. 1526 – Signed into law on 6/20/2014, Effective 7/1/2014.
For more information, see here: http://www.leg.state.fl.us/statutes/index.cfm?mode=View%20Statutes&SubMenu=1&App_mode=Display_Statute&Search_String=personal+information&URL=0500-0599/0501/Sections/0501.171.html
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.