Fla. Stat. § 501.171
S.B. 1524 (signed into law June 20, 2014)
Effective July 1, 2014
S.B. 1526 (signed into law June 20, 2014)
Effective July 1, 2014
Application. A sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.
- An entity that has been contracted to maintain, store, or process personal information on behalf of an Entity or governmental entity (“third-party agent”).
Security Breach Definition. The unauthorized access of data in electronic form containing personal information.
- Good-faith access of PI by an employee or agent of the Entity is not a breach of the security of the system, provided the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
Notification to Individuals. Entity must give notice to each individual in Florida whose PI was, or the Entity reasonably believes to have been, accessed as a result of the breach.
Notice to affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the Entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose PI has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The Entity must provide the written determination to the Department within 30 days after the determination.
Attorney General Notification. Entity must provide notice to the Department of Legal Affairs ("Department") of any breach of security affecting 500 or more individuals in Florida.
Notification to Consumer Reporting Agencies. If an Entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at a single time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.
Third-Party Data Notification. Any third-party agent, shall disclose to the Entity for which the information is maintained any breach of the security of the system as soon as practicable, but no later than 10 days following the determination of the breach or reason to believe the breach occurred. Upon receiving notice from a third-party agent, the Entity for which the information is maintained, shall provide notices to the Department and Affected Individuals. A third-party agent must provide the Entity with all information that the Entity needs to comply with notice requirements. A third-party agent may provide notice to the Department or Affected Individuals on behalf of the Entity; however, a third-party agent's failure to provide proper notice shall be deemed a violation against the Entity.
Timing of Notification.
- To the Department: Notice must be provided as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred.
- To the Individuals: Notice must be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the Entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reasons to believe a breach occurred. Entity may receive 15 additional days to provide notice to Individuals if good cause for delay is provided in writing to the Department within 30 days after determination of the breach or reason to believe a breach occurred.
Personal Information Definition.
- An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:
- Social Security Number;
- A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
- A financial account number or credit or debit card number in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account;
- Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
- An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
- A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
PI does not include publicly available information that is made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
Notice Required. Notice may be provided by one of the following methods:
- To the Department:
- Written notice must include:
- A synopsis of the events surrounding the breach at the time notice is provided.
- The number of individuals in Florida who were or potentially have been affected by the breach.
- Any services related to the breach being offered or scheduled to be offered, without charge, by the Entity to individuals, and instructions as to how to use such services.
- A copy of the notice required to affected individuals or an explanation of the other actions taken to give notice to affected individuals.
- The name, address, telephone number, and e-mail address of the employee or agent of the Entity from whom additional information may be obtained about the breach.
- Upon the Department's request, the Entity must provide the following information to the Department:
- A police report, incident report, or computer forensics report.
- A copy of the policies in place regarding breaches.
- Steps that have been taken to rectify the breach.
- The Entity may provide supplemental information regarding a breach at any time to the Department.
- Written notice must include:
- To Affected Individuals:
- Notice must contain, at a minimum:
- The date, estimated date, or estimated date range of the breach.
- A description of the PI that was accessed or reasonably believed to have been accessed as a part of the breach.
- Information that the individual can use to contact the Entity to inquire about the breach and the personal information that the Entity maintained about the individual.
- Notice may be provided by the following methods:
- Written notice sent to the mailing address of the individual in the records of the entity; or
- E-mail notice sent to the individual's e-mail address in the Entity's records.
- Notice must contain, at a minimum:
Substitute Notice to Affected Individuals Available. If the Entity demonstrates that the cost of providing notice would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of both of the following:
Conspicuous posting of the notice on the Entity's Web site, if the Entity maintains one; and
Notification in print and to broadcast media, including major media in urban and rural areas where the Affected Individuals reside.
Penalties. An Entity that violates the statute in the following manner is subject to the following administrative fines:
A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the Department against a entity or third-party agent.
An Entity that fails to notify the Department or Affected Individuals shall be liable for a civil penalty not to exceed $500,000, (i) in the amount of $1,000 for each day the breach goes undisclosed for up to 30 days and, thereafter, $50,0000 for each 30-day period or portion therefore for up to 180 days; or (ii) if the violation continues for more than 180 days, in an amount not to exceed $500,000. The civil penalties under this paragraph apply per breach, and not per individual affected by the breach.
Exception: Compliance with Other Laws.
Primary Regulator. Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an Entity’s primary or functional state regulator is sufficient for compliance.
Other Key Provisions:
- Delay for Law Enforcement. Notice to Individuals may be delayed for a specified period that the law enforcement agency determines is reasonably necessary in a written request if a law enforcement agency determines that the notice will impede a criminal investigation. Law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period specified in the original request made to a specified date if further delay is necessary.
- Public Records Exemption. All information received by the Department pursuant to the notification requirements or pursuant to a law enforcement or Department investigation is confidential and exempt from the Public Records requirement under the State Constitution and statutes.