The Senate has convened, unilaterally, in Special Session for the sole purpose of consideration of Executive Order 19-14.
CS/CS/SB 1524 — Security of Confidential Personal Information
by Rules Committee; Commerce and Tourism Committee; and Senator Thrasher
This summary is provided for information only and does not represent the opinion of any Senator, Senate Officer, or Senate Office.
Prepared by: Commerce and Tourism Committee (CM)
The bill creates the “Florida Information Protection Act of 2014.” The bill requires notice to be given to affected customers and the Department of Legal Affairs (DLA) when a breach of security of personal information occurs. The bill requires such notice to be given within 30 days of the discovery of the breach or belief that a breach occurred, unless delayed at the request of law enforcement for investigative purposes or for other good cause shown. The bill provides enforcement authority to the DLA under the Florida Deceptive and Unfair Trade Practices Act to civilly prosecute violations. A violator of the bill’s provisions may also be subject to civil penalties, similar to current law, if breach notification is not provided timely. State governmental entities are required to provide notification of security breaches to the DLA, but are not liable for civil penalties for failure to timely report the security breaches. The bill provides exceptions for those entities that comply with breach notifications as required by the appropriate federal regulator.
The bill requires the DLA to submit an annual report to the Legislature, by February 1 of each year, detailing any reported breaches of security by governmental entities or their third-party agents for the preceding year, along with any recommendations for security improvement. The report must also identify any governmental entity that has violated the breach notification provisions.
The bill requires customer records, both physical and electronic, to be disposed in a manner that protects personal information from being disclosed. This provision does not apply to governmental entities.
The bill repeals s. 817.5681, F.S., which contains the current law requirements for breach notification.
If approved by the Governor, these provisions take effect July 1, 2014.
Vote: Senate 38-0; House 117-0