33 SYSTEMS INC’s (d/b/a “33 HelpME”) data breach policy is in accordance with Fla. Stat. 501.171 (2016). All definitions for this policy are as defined under this statute. 33 SYSTEMS INC shall take reasonable measures to protect and secure data in electronic form containing personal information.
- 33 SYSTEMS INC shall provide notice to the Florida Department of Legal Affairs (department) of any breach of security affecting 500 or more individuals in this state. Such notice shall be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred.
- 33 SYSTEMS INC may receive 15 additional days to provide notice if good cause for delay is provided to the department within 30 days after determination of the breach or reason to believe a breach occurred.33 SYSTEMS INC’s written notice to the department must include the following: 1: A synopsis of the events surrounding the breach at the time notice is provided. 2: The number of individuals in this state who were or potentially have been affected by the breach. 3: Any services related to the breach being offered or scheduled to be offered, without charge, by 33 SYSTEMS INC to individuals, and instructions as to how to use such services. 4: A copy of the notice required or an explanation of the other actions taken. 5: The name, address, telephone number, and e-mail address of 33 SYSTEMS INC’s employee or agent from whom additional information may be obtained about the breach.
- 33 SYSTEMS INC must provide the following information to the department upon its request: 1: A police report, incident report, or computer foren33 SYSTEMS INCs report. 2: A copy of the policies in place regarding breaches. 3: Steps that have been taken to rectify the breach.
- 33 SYSTEMS INC may provide the department with supplemental information regarding a breach at any time.
- 33 SYSTEMS INC shall give notice to each individual in this state whose personal information was, or 33 SYSTEMS INC reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow 33 SYSTEMS INC to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to a authorized delay or waiver.
- If a federal, state, or local law enforcement agency determines that notice to individuals required herein would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request if further delay is necessary.
- Notice to the affected individual is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, 33 SYSTEMS INC reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination shall be documented in writing and maintained for at least 5 years. 33 SYSTEMS INC shall provide the written determination to the department within 30 days after the determination.
- The notice to an affected individual shall be by either a written notice sent to the mailing address of the individual in 33 SYSTEMS INC’s records or by email sent to the individual’s email address in 33 SYSTEMS INC’s records.
- The notice to an individual with respect to a breach of security shall include, at a minimum the date, estimated date, or estimated date range of the breach of security, a description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security, and information that the individual can use to contact 33 SYSTEMS INC to inquire about the breach of security and the personal information that 33 SYSTEMS INC maintained about the individual.
- 33 SYSTEMS INC may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $10,000, because the affected individuals exceed 5,000 persons, or because the covered entity does not have an email address or mailing address for the affected individuals. Such substitute notice shall include a conspicuous notice on 33 SYSTEMS INC’s website and notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.
- Notice provided pursuant to rules, regulations, procedures, or guidelines established by 33 SYSTEMS INC’s primary or functional federal regulator is deemed to be in compliance with the notice requirement if 33 SYSTEMS INC notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security. 33 SYSTEMS INC is deemed to be in compliance with notice requirements if it timely provides a copy of such notice to the department.
- If 33 SYSTEMS INC discovers circumstances requiring notice to more than 1,000 individuals at a single time, 33 SYSTEMS INC shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis as defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices.
- In the event of a breach of security of a system maintained by a third-part agent, such third-party agent shall notify 33 SYSTEMS INC of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, 33 SYSTEMS INC shall provide notices indicated above. A third-party agent shall provide 33 SYSTEMS INC under law with all information that 33 SYSTEMS INC needs to comply with its notice requirements.
- An agent may provide notice on 33 SYSTEMS INC’s behalf; however, an agent’s failure to provide proper notice shall be deemed a violation against 33 SYSTEMS INC. 33 SYSTEMS INC or third-party agents shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
- There is no private cause of action pursuant to this policy. There are no additional requirements imposed under this data breach policy upon 33 SYSTEMS INC than those recited in Fla. Stat. 501.171 (2016).