| 1 | A bill to be entitled |
| 2 | An act relating to privacy of personal information; |
| 3 | providing definitions; requiring certain persons who |
| 4 | maintain computerized data that contains personal |
| 5 | information to notify any state resident whose unencrypted |
| 6 | personal information may have been obtained as a result of |
| 7 | a security breach; providing for forms of notice; |
| 8 | providing exceptions and alternative forms of notice; |
| 9 | providing for delays in notification in certain |
| 10 | circumstances; providing an effective date. |
| 11 |
| 12 | Be It Enacted by the Legislature of the State of Florida: |
| 13 |
| 14 | Section 1. (1) As used in this section, the term: |
| 15 | (a) "Breach of security" means the unauthorized |
| 16 | acquisition of computerized data which compromises the |
| 17 | confidentiality, integrity, or security of personal information |
| 18 | maintained by a person. Good-faith acquisition of personal |
| 19 | information by an employee or agent of such person for |
| 20 | legitimate purposes of the person is not a breach of security. |
| 21 | (b) "Person" means any person or political subdivision as |
| 22 | defined in section 1.01, Florida Statutes, or any agency as |
| 23 | defined in section 20.03, Florida Statutes. |
| 24 | (c) "Personal information" means an individual's first |
| 25 | name or first initial and last name and at least one of the |
| 26 | following elements: |
| 27 | 1. Social security number. |
| 28 | 2. Driver's license number or state identification card |
| 29 | number. |
| 30 | 3. Account or card number and any required security code, |
| 31 | access code, or password that permits access to that account. |
| 32 | (2)(a) Any person that conducts business in this state and |
| 33 | owns or licenses computerized data that contains personal |
| 34 | information about a resident of this state must notify that |
| 35 | resident regarding any breach of security of the data |
| 36 | immediately following discovery of the breach, if the personal |
| 37 | information was, or is reasonably believed to have been, |
| 38 | acquired by an unauthorized person. |
| 39 | (b) Any person that conducts business in this state and |
| 40 | maintains computerized data that includes personal information |
| 41 | that is owned or licensed by another person must notify such |
| 42 | owner or licensee regarding any breach of security of the data |
| 43 | immediately following discovery, if the personal information |
| 44 | was, or is reasonably believed to have been, acquired by an |
| 45 | unauthorized person. |
| 46 | (3)(a) Notice may be provided in writing or in electronic |
| 47 | form. |
| 48 | (b) If the cost of providing notice exceeds $250,000, the |
| 49 | affected class of individuals to be notified exceeds 500,000 |
| 50 | persons, or the person does not have sufficient contact |
| 51 | information for all of the affected individuals, it may provide |
| 52 | substitute notice by: |
| 53 | 1. Sending an e-mail notice to each affected individual |
| 54 | for whom it has an e-mail address. |
| 55 | 2. Conspicuously posting notice of the security breach on |
| 56 | the person's website. |
| 57 | 3. Providing notification of the security breach to major |
| 58 | statewide media. |
| 59 | (c) If a person has established notification procedures |
| 60 | that are otherwise consistent with the requirements of this |
| 61 | section as part of an information security policy, that person |
| 62 | may notify affected individuals pursuant to such procedures. |
| 63 | (d) Notification may be delayed if a law enforcement |
| 64 | agency determines that the notification will impede a criminal |
| 65 | investigation. |
| 66 | Section 2. This act shall take effect July 1, 2004. |