Statute 501.171

501.171 Security of confidential personal information.
(1) DEFINITIONS. As used in this section, the term:
(a) “Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
(b) “Covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements in subsections (3)-(6), the term includes a governmental entity.
(c) “Customer records” means any material, regardless of the physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphically depicted, printed, or electromagnetically transmitted that are provided by an individual in this state to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.
(d) “Data in electronic form” means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
(e) “Department” means the Department of Legal Affairs.
(f) “Governmental entity” means any department, division, bureau, commission, regional planning agency, board, district, authority, agency, or other instrumentality of this state that acquires, maintains, stores, or uses data in electronic form containing personal information.
501.207 against a covered entity or third-party agent.
(b) In addition to the remedies provided for in paragraph (a), a covered entity that violates subsection (3) or subsection (4) shall be liable for a civil penalty not to exceed $500,000, as follows:
1. In the amount of $1,000 for each day up to the first 30 days following any violation of subsection (3) or subsection (4) and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days.
2. If the violation continues for more than 180 days, in an amount not to exceed $500,000.

The civil penalties for failure to notify provided in this paragraph apply per breach and not per individual affected by the breach.

(c) All penalties collected pursuant to this subsection shall be deposited into the General Revenue Fund.
(10) NO PRIVATE CAUSE OF ACTION. This section does not establish a private cause of action.
(11) PUBLIC RECORDS EXEMPTION.
(a) All information received by the department pursuant to a notification required by this section, or received by the department pursuant to an investigation by the department or a law enforcement agency, is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution, until such time as the investigation is completed or ceases to be active. This exemption shall be construed in conformity with s. 119.071(2)(c).
(b) During an active investigation, information made confidential and exempt pursuant to paragraph (a) may be disclosed by the department:
1. In the furtherance of its official duties and responsibilities;
2. For print, publication, or broadcast if the department determines that such release would assist in notifying the public or locating or identifying a person that the department believes to be a victim of a data breach or improper disposal of customer records, except that information made confidential and exempt by paragraph (c) may not be released pursuant to this subparagraph; or
3. To another governmental entity in the furtherance of its official duties and responsibilities.
(c) Upon completion of an investigation or once an investigation ceases to be active, the following information received by the department shall remain confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution:
1. All information to which another public records exemption applies.
2. Personal information.
3. A computer forensic report.
4. Information that would otherwise reveal weaknesses in a covered entity’s data security.
5. Information that would disclose a covered entity’s proprietary information.
(d) For purposes of this subsection, the term “proprietary information” means information that:
1. Is owned or controlled by the covered entity.
2. Is intended to be private and is treated by the covered entity as private because disclosure would harm the covered entity or its business operations.
3. Has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public.
4. Is not publicly available or otherwise readily ascertainable through proper means from another source in the same configuration as received by the department.
5. Includes:
a. Trade secrets as defined in s. 688.002.
b. Competitive interests, the disclosure of which would impair the competitive business of the covered entity who is the subject of the information.
History: s. 3, ch. 2014-189; s. 1, ch. 2014-190; s. 1, ch. 2019-32; s. 25, ch. 2023-201.
Note: Section 25, ch. 2023-201, amended paragraph (1)(g), effective July 1, 2024, to read:

(g)1. “Personal information” means either of the following:

a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:

(I) A social security number;

(II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;

(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;

(IV) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;

(V) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;

(VI) An individual’s biometric data as defined in s. 501.702; or

(VII) Any information regarding an individual’s geolocation.

b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.