Florida

Fla. Stat. § 817.5681

H.B. 481 (signed into law June 14, 2005)

Effective July 1, 2005
Application.  Any person, firm, association, joint adventure, partnership, syndicate, corporation, and all other groups or combinations (collectively, Entity) that conducts business in FL and maintains computerized data in a system that includes PI.
    • The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on FL residents, whether or not the Entity conducts business in FL.
Security Breach Definition.  An unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI maintained by the Entity.
    • Good-faith acquisition of PI by an employee or agent of the Entity is not a breach of the security of the system, provided the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
Notification Obligation.  An Entity that conducts business in FL and maintains computerized data in a system that includes PI shall provide notice of any breach of the security of the system, following a determination of the breach, to any resident of FL whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
    • Notification is not required if, after an appropriate investigation or after consultation with relevant federal, state, and local agencies responsible for law enforcement, the Entity reasonably determines that the breach has not and will not likely result in harm to the individuals whose PI has been acquired and accessed.  Such a determination must be documented in writing and the documentation must be maintained for five years.
Notification to Consumer Reporting Agencies. If an Entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at a single time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.

Third-Party Data Notification.  Any Entity that maintains computerized data that includes PI on behalf of another business entity shall disclose to the business entity for which the information is maintained any breach of the security of the system as soon as practicable, but no later than 10 days following the determination, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.  The Entity that maintains the data on behalf of another business entity and the business entity on whose behalf the data is maintained may agree who will provide the notice, if any is required, provided only a single notice for each breach of the security of the system shall be required.  If agreement regarding notification cannot be reached, the Entity that has the direct business relationship with the FL resident shall be subject to these provisions.

Timing of Notification.  Notification shall be made without unreasonable delay, subject to any measures necessary to determine the presence, nature, and scope of the breach and restore the reasonable integrity of the system.  Notification must be made no later than 45 days following the determination of the breach.

Personal Information Definition.  An individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted:
    • Social Security Number;
    • Driver license or FL identification card number; or
    • Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

Notice Required.  Notice may be provided by one of the following methods:
    • Written notice; or
    • Electronic notice, if the Entity has a valid email address for the subject person and the subject person has agreed to accept communications electronically, or if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available.  Substitute notice is available if the Entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that the Entity does not have sufficient contact information.  Substitute notice shall consist of all of the following:
    • Email notice when the Entity has an email address for the subject persons;
    • Conspicuous posting of the notice on the Web site of the Entity, if the Entity maintains one; and
    • Notification to major statewide media.
Exception: Own Notification Policy.  Any Entity who maintains its own notification procedures as part of an information security or privacy policy for the treatment of PI, which procedures are otherwise consistent with the timing requirements of this statute, shall be deemed in compliance with the notification requirements of the statute if the Entity notifies subject persons in accordance with the Entity’s policies in the event of a breach of security of the system.

Penalties.  An Entity that violates the statute in the following manner is subject to the following administrative fines:
    • An Entity that fails to notify subject persons or another Entity following the determination of a breach is liable for a fine per breach, not to exceed $500,000: (i) in the amount of $1,000 for each day the breach goes undisclosed for up to 30 days and, thereafter, $50,000 for each 30-day period or portion thereof for up to 180 days; or (ii) if notification is not made within 180 days, any Entity required to make notification that fails to do so is subject to a fine of up to $500,000.
    • An Entity required to document a failure to notify affected persons that fails to document the failure, or that, if documentation was created, fails to maintain the documentation for the full five years, is liable for a fine of up to $50,000 for such failure.
Exception: Compliance with Other Laws.
    • Primary Regulator.  Notification pursuant to laws, rules, regulations, guidances, or guidelines established by an Entity’s primary or functional state regulator is sufficient for compliance.
Other Key Provisions:
    • Delay for Law Enforcement.  Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation.  Notice required by the statute must be made without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.
    • Department of Legal Affairs Enforcement.  Allows the DLA to assess and collect the fines provided under the statute.