14 Nov Florida Legislative Update
The Florida Legislature recently enacted the Florida Information Protection Act of 2014 (the “Act”), which requires notice to affected individuals and to the Department of Legal Affairs (“DLA”) when a breach of security involving personal information occurs. A companion bill creates a public records exemption for information provided to the DLA under the Act. This legislation is effective January 1, 2015.
FLORIDA SENATE BILLS 1524 AND 1526
“Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
“Covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.
“Customer records” means any material, regardless of its physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphic depictions, printed matter, or electromagnetic transmissions, that is provided by an individual in Florida to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.
“Data in electronic form” means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
“Personal information” means either of the following:
1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:
- A social security number;
- A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
- A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
- An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
2. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
“Third-party agent” means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity.
Requirements for Data Security
Each covered entity or third-party agent must take reasonable measures to protect and secure data in electronic form containing personal information.
Notice to the Department of Legal Affairs of Security Breach
A covered entity must provide notice to the DLA of any breach of security affecting 500 or more individuals in Florida. Such notice must be provided to the DLA as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. A covered entity may receive 15 additional days to provide notice if good cause for delay is provided in writing to the DLA within 30 days after determination of the breach or reason to believe a breach occurred.
The written notice to the DLA must include:
- A synopsis of the events surrounding the breach at the time notice is provided.
- The number of individuals in Florida who were or potentially have been affected by the breach.
- Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services.
- A copy of the notice to the affected individual or an explanation of the other actions taken.
- The name, address, telephone number, and e-mail address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.
The covered entity must provide the following information to the DLA upon its request:
- A police report, incident report, or computer forensics report.
- A copy of the policies in place regarding breaches.
- Steps that have been taken to rectify the breach.
A covered entity may provide the DLA with supplemental information regarding a breach at any time.
Notice to Individuals of Security Breach
A covered entity must give notice to each individual in Florida whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals must be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to a delay or waiver as authorized by this law.
If a federal, state, or local law enforcement agency determines that the notice to individuals required under the Act would interfere with a criminal investigation, the notice may be delayed upon the written request of the law enforcement agency for a specified period that the agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request to a specified date if further delay is necessary.
Notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity must provide the written determination to the DLA within 30 days after the determination.
The notice to an affected individual must be by one of the following methods:
- Written notice sent to the mailing address of the individual in the records of the covered entity; or
- E-mail notice sent to the e-mail address of the individual in the records of the covered entity.
The notice to an individual with respect to a breach of security must include, at a minimum:
- The date, estimated date, or estimated date range of the breach of security;
- A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security; and
- Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.
A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an e-mail address or mailing address for the affected individuals. Such substitute notice must include the following:
- A conspicuous notice on the website of the covered entity if the covered entity maintains a website; and
- Notice in print and broadcast media, including major media in urban and rural areas where the affected individuals reside.
A covered entity that notifies affected individuals of a breach of security in accordance with the rules, regulations, procedures, or guidelines established by its primary or functional federal regulator is deemed to be in compliance with the Act’s requirement to notify individuals. A covered entity that also timely provides a copy of that notice to the DLA is deemed to be in compliance with the Act’s requirement to notify the DLA.
Notice to Credit Reporting Agencies
If a covered entity discovers circumstances requiring notice pursuant to the Act of more than 1,000 individuals at a single time, the covered entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, of the timing, distribution, and content of the notices.
Notice by Third-Party Agents; Duties of Third-Party Agents; Notice by Agents
In the event of a breach of security of a system maintained by a third-party agent, such third-party agent must notify the covered entity of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, a covered entity must provide notices required by the Act. A third-party agent must provide a covered entity with all information that the covered entity needs to comply with its notice requirements.
An agent may provide notice as required on behalf of the covered entity; however, an agent’s failure to provide proper notice will be deemed a violation of the Act against the covered entity.
Requirements for Disposal of Customer Records
Each covered entity or third-party agent must take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal must involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
A violation of the Act will be treated as an unfair or deceptive trade practice in any action brought by the DLA against a covered entity or third-party agent.
In addition, a covered entity that violates the provisions requiring notice to DLA or to individuals will be liable for a civil penalty not to exceed $500,000 as follows:
- In the amount of $1,000 for each day up to the first 30 days following any violation and thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days.
- If the violation continues for more than 180 days, in an amount not to exceed $500,000.
The civil penalties for failure to notify apply per breach and not per individual affected by the breach.
All penalties collected will be deposited into the General Revenue Fund.
The Act does not establish a private cause of action.
The Act repeals the previous requirements for breach notification.
A companion bill provides for a public exemption regarding the publication of information provided to the DLA pursuant to a notification of breach.
Public Records Exemption
All information received by the DLA pursuant to a required notification, or received by the DLA pursuant to an investigation by the DLA or a law enforcement agency, is confidential and exempt from Florida laws allowing access to public records until such time as the investigation is completed or ceases to be active.
During an active investigation, information made confidential and exempt pursuant to this law may be disclosed by the DLA:
- In the furtherance of its official duties and responsibilities;
- For print, publication, or broadcast if the DLA determines that such release would assist in notifying the public or in locating or identifying a person that the DLA believes to be a victim of a data breach or improper disposal of customer records, except that the categories of information that remain confidential and exempt even after an investigation ends (listed below) may not be released; or
- To another governmental entity in the furtherance of its official duties and responsibilities.
Upon completion of an investigation or once an investigation ceases to be active, the following information received by the DLA will remain confidential and exempt:
- All information to which another public records exemption applies.
- Personal information.
- A computer forensic report.
- Information that would otherwise reveal weaknesses in a covered entity’s data security.
- Information that would disclose a covered entity’s proprietary information.
For these purposes, the term “proprietary information” means information that:
- Is owned or controlled by the covered entity.
- Is intended to be private and is treated by the covered entity as private because disclosure would harm the covered entity or its business operations.
- Has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public.
- Is not publicly available or otherwise readily ascertainable through proper means from another source in the same configuration as received by the DLA.
- Includes trade secrets and competitive interests, the disclosure of which would impair the competitive business of the covered entity who is the subject of the information.
These exemption provisions are subject to Florida’s Open Government Sunset Review Act and will remain in effect until October 2, 2019, after which they stand repealed unless reviewed and reenacted by the Legislature.