FRAUDULENT USE OR POSSESSION OF IDENTIFYING INFORMATION
(ss. 668.701-668.705)
PART V
COMPUTER ABUSE AND DATA RECOVERY ACT
(ss. 668.801-668.805)
PART I
ELECTRONIC SIGNATURES
668.001 Short title.
668.002 Legislative intent.
668.003 Definitions.
668.004 Force and effect of electronic signature.
668.006 Control procedures.
668.001 Short title.—This act may be cited as the “Electronic Signature Act of 1996.”
History.—s. 1, ch. 96-224.
Note.—Former s. 282.70.
668.002 Legislative intent.—It is the intent of the Legislature that this act:
(1) Facilitate economic development and efficient delivery of government services by means of reliable electronic messages.
(2) Enhance public confidence in the use of electronic signatures.
(3) Minimize the incidence of forged electronic signatures and fraud in electronic commerce.
(4) Foster the development of electronic commerce through the use of electronic signatures to lend authenticity and integrity to writings in any electronic medium.
(5) Assure that proper management oversight and accountability are maintained for agency-conducted electronic commerce.
History.—s. 2, ch. 96-224.
Note.—Former s. 282.71.
668.003 Definitions.—As used in this act:
(1) “Certificate” means a computer-based record which:
(a) Identifies the certification authority.
(b) Identifies the subscriber.
(c) Contains the subscriber’s public key.
(d) Is digitally signed by the certification authority.
(2) “Certification authority” means a person who issues a certificate.
(3) “Digital signature” means a type of electronic signature that transforms a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine:
(a) Whether the transformation was created using the private key that corresponds to the signer’s public key.
(b) Whether the initial message has been altered since the transformation was made.
A “key pair” is a private key and its corresponding public key in an asymmetric cryptosystem, under which the public key verifies a digital signature the private key creates. An “asymmetric cryptosystem” is an algorithm or series of algorithms which provide a secure key pair.
(4) “Electronic signature” means any letters, characters, or symbols, manifested by electronic or similar means, executed or adopted by a party with an intent to authenticate a writing. A writing is electronically signed if an electronic signature is logically associated with such writing.
History.—s. 4, ch. 96-224.
Note.—Former s. 282.72.
668.004 Force and effect of electronic signature.—Unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature.
History.—s. 5, ch. 96-224.
Note.—Former s. 282.73.
668.006 Control procedures.—The head of each agency shall be responsible for adopting and implementing control processes and procedures to ensure adequate integrity, security, confidentiality, and auditability of business transactions conducted using electronic commerce.
History.—s. 7, ch. 96-224.
Note.—Former s. 282.75.
PART II
UNIFORM ELECTRONIC TRANSACTION ACT
668.50 Uniform Electronic Transaction Act.
668.50 Uniform Electronic Transaction Act.—
(1) SHORT TITLE.—This section may be cited as the “Uniform Electronic Transaction Act.”
(2) DEFINITIONS.—As used in this section:
(a) “Agreement” means the bargain of the parties in fact, as found in their language or inferred from other circumstances and from rules, regulations, and procedures given the effect of agreements under provisions of law otherwise applicable to a particular transaction.
(b) “Automated transaction” means a transaction conducted or performed, in whole or in part, by electronic means or electronic records, in which the acts or records of one or both parties are not reviewed by an individual in the ordinary course in forming a contract, performing under an existing contract, or fulfilling an obligation required by the transaction.
(c) “Computer program” means a set of statements or instructions to be used directly or indirectly in an information processing system in order to bring about a certain result.
(d) “Contract” means the total legal obligation resulting from the parties’ agreement as affected by this act and other applicable provisions of law.
(e) “Electronic” means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
(f) “Electronic agent” means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part, without review or action by an individual.
(g) “Electronic record” means a record created, generated, sent, communicated, received, or stored by electronic means.
(h) “Electronic signature” means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.
(i) “Governmental agency” means an executive, legislative, or judicial agency, department, board, commission, authority, institution, or instrumentality of this state, including a county, municipality, or other political subdivision of this state and any other public or private agency, person, partnership, corporation, or business entity acting on behalf of any public agency.
(j) “Information” means data, text, images, sounds, codes, computer programs, software, databases, or other similar representations of knowledge.
(k) “Information processing system” means an electronic system for creating, generating, sending, receiving, storing, displaying, or processing information.
(l) “Person” means an individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, governmental agency, public corporation, or any other legal or commercial entity.
(m) “Record” means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form, including public records as defined in s. 119.011.
(n) “Security procedure” means a procedure employed for the purpose of verifying that an electronic signature, record, or performance is that of a specific person or for detecting changes or errors in the information in an electronic record. The term includes a procedure that requires the use of algorithms or other codes, identifying words or numbers, encryption, or callback or other acknowledgment procedures.
(o) “State” means a state of the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, or any territory or insular possession subject to the jurisdiction of the United States. The term includes an Indian tribe or band, or Alaskan native village, which is recognized by federal law or formally acknowledged by a state.
(p) “Transaction” means an action or set of actions occurring between two or more persons relating to the conduct of business, commercial, insurance, or governmental affairs.
(3) SCOPE.—
(a) Except as otherwise provided in paragraph (b), this section applies to electronic records and electronic signatures relating to a transaction.
(b) This section does not apply to a transaction to the extent the transaction is governed by:
1. A provision of law governing the creation and execution of wills, codicils, or testamentary trusts;
2. The Uniform Commercial Code other than s. 671.107 and chapters 672 and 680; or
3. The Uniform Computer Information Transactions Act.
(c) Except with respect to subsections (2), (9), and (11), this section does not apply to a transaction to the extent the transaction is governed by rules relating to judicial procedure.
(d) This section applies to an electronic record or electronic signature otherwise excluded under paragraph (b) to the extent such record or signature is governed by a provision of law other than those specified in paragraph (b).
(e) A transaction subject to this section is also subject to other applicable provisions of substantive law.
(4) PROSPECTIVE APPLICATION.—This section applies to any electronic record or electronic signature created, generated, sent, communicated, received, or stored on or after July 1, 2000.
(5) USE OF ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES; VARIATION BY AGREEMENT.—
(a) This section does not require a record or signature to be created, generated, sent, communicated, received, stored, or otherwise processed or used by electronic means or in electronic form.
(b) This section applies only to transactions between parties each of which has agreed to conduct transactions by electronic means. Whether the parties agree to conduct a transaction by electronic means is determined from the context and surrounding circumstances, including the parties’ conduct.
(c) A party that agrees to conduct a transaction by electronic means may refuse to conduct other transactions by electronic means. The right granted by this paragraph may not be waived by agreement.
(d) Except as otherwise provided in this section, the effect of any provision of this section may be varied by agreement. The presence in certain provisions of this section of the words “unless otherwise agreed,” or words of similar import, does not imply that the effect of other provisions may not be varied by agreement.
(e) Whether an electronic record or electronic signature has legal consequences is determined by this section and other applicable provisions of law.
(6) CONSTRUCTION AND APPLICATION.—This section shall be construed and applied to:
(a) Facilitate electronic transactions consistent with other applicable provisions of law.
(b) Be consistent with reasonable practices concerning electronic transactions and with the continued expansion of those practices.
(c) Effectuate its general purpose to make uniform the law with respect to the subject of this section among states enacting similar legislation.
(7) LEGAL RECOGNITION OF ELECTRONIC RECORDS, ELECTRONIC SIGNATURES, AND ELECTRONIC CONTRACTS.—
(a) A record or signature may not be denied legal effect or enforceability solely because the record or signature is in electronic form.
(b) A contract may not be denied legal effect or enforceability solely because an electronic record was used in the formation of the contract.
(c) If a provision of law requires a record to be in writing, an electronic record satisfies such provision.
(d) If a provision of law requires a signature, an electronic signature satisfies such provision.
(8) PROVISION OF INFORMATION IN WRITING; PRESENTATION OF RECORDS.—
(a) If parties have agreed to conduct a transaction by electronic means and a provision of law requires a person to provide, send, or deliver information in writing to another person, the requirement is satisfied if the information is provided, sent, or delivered, as the case may be, in an electronic record capable of retention by the recipient at the time of receipt. An electronic record is not capable of retention by the recipient if the sender or the sender’s information processing system inhibits the ability of the recipient to print or store the electronic record.
(b) If a provision of law other than this section requires a record to be posted or displayed in a certain manner; to be sent, communicated, or transmitted by a specified method; or to contain information that is formatted in a certain manner, the following rules apply:
1. The record must be posted or displayed in the manner specified in the other provision of law.
2. Except as otherwise provided in subparagraph (d)2., the record must be sent, communicated, or transmitted by the method specified in the other provision of law.
3. The record must contain the information formatted in the manner specified in the other provision of law.
(c) If a sender inhibits the ability of a recipient to store or print an electronic record, the electronic record is not enforceable against the recipient.
(d) The requirements of this section may not be varied by agreement, provided:
1. To the extent a provision of law other than this section requires information to be provided, sent, or delivered in writing but permits that requirement to be varied by agreement, the requirement under paragraph (a) that the information be in the form of an electronic record capable of retention may also be varied by agreement.
2. A requirement under a law other than this section to send, communicate, or transmit a record by first-class mail, postage prepaid, or other regular United States mail, may be varied by agreement to the extent permitted by the other provision of law.
(9) ATTRIBUTION AND EFFECT OF ELECTRONIC RECORD AND ELECTRONIC SIGNATURE.—
(a) An electronic record or electronic signature is attributable to a person if the record or signature was the act of the person. The act of the person may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable.
(b) The effect of an electronic record or electronic signature attributed to a person under paragraph (a) is determined from the context and surrounding circumstances at the time of its creation, execution, or adoption, including the parties’ agreement, if any, and otherwise as provided by law.
(10) EFFECT OF CHANGE OR ERROR.—If a change or error in an electronic record occurs in a transmission between parties to a transaction, the following rules apply:
(a) If the parties have agreed to use a security procedure to detect changes or errors and one party has conformed to the procedure, but the other party has not, and the nonconforming party would have detected the change or error had that party also conformed, the conforming party may avoid the effect of the changed or erroneous electronic record.
(b) In an automated transaction involving an individual, the individual may avoid the effect of an electronic record that resulted from an error made by the individual in dealing with the electronic agent of another person if the electronic agent did not provide an opportunity for the prevention or correction of the error and, at the time the individual learns of the error, the individual:
1. Promptly notifies the other person of the error and that the individual did not intend to be bound by the electronic record received by the other person.
2. Takes reasonable steps, including steps that conform to the other person’s reasonable instructions, to return to the other person or, if instructed by the other person, to destroy the consideration received, if any, as a result of the erroneous electronic record.
3. Has not used or received any benefit or value from the consideration, if any, received from the other person.
(c) If paragraphs (a) and (b) do not apply, the change or error has the effect provided by the other provision of law, including the law of mistake, and the parties’ contract, if any.
(d) Paragraphs (b) and (c) may not be varied by agreement.
(11) NOTARIZATION AND ACKNOWLEDGMENT.—
(a) If a law requires a signature or record to be notarized, acknowledged, verified, or made under oath, the requirement is satisfied if the electronic signature of the person authorized by applicable law to perform those acts, together with all other information required to be included by other applicable law, is attached to or logically associated with the signature or record. Neither a rubber stamp nor an impression type seal is required for an electronic notarization.
(b) A first-time applicant for a notary commission must submit proof that the applicant has, within 1 year prior to the application, completed at least 3 hours of interactive or classroom instruction, including electronic notarization, and covering the duties of the notary public. Courses satisfying this section may be offered by any public or private sector person or entity registered with the Executive Office of the Governor and must include a core curriculum approved by that office.
(12) RETENTION OF ELECTRONIC RECORDS; ORIGINALS.—
(a) If a law requires that a record be retained, the requirement is satisfied by retaining an electronic record of the information in the record which:
1. Accurately reflects the information set forth in the record after the record was first generated in final form as an electronic record or otherwise.
2. Remains accessible for later reference.
(b) A requirement to retain a record in accordance with paragraph (a) does not apply to any information the sole purpose of which is to enable the record to be sent, communicated, or received.
(c) A person may satisfy paragraph (a) by using the services of another person if the requirements of paragraph (a) are satisfied.
(d) If a provision of law requires a record to be presented or retained in its original form, or provides consequences if the record is not presented or retained in its original form, that law is satisfied by an electronic record retained in accordance with paragraph (a).
(e) If a provision of law requires retention of a check, that requirement is satisfied by retention of an electronic record of the information on the front and back of the check in accordance with paragraph (a).
(f) A record retained as an electronic record in accordance with paragraph (a) satisfies a provision of law requiring a person to retain a record for evidentiary, audit, or similar purposes, unless a provision of law enacted after July 1, 2000, specifically prohibits the use of an electronic record for the specified purpose.
(g) This section does not preclude a governmental agency of this state from specifying additional requirements for the retention of a record subject to the agency’s jurisdiction.
(13) ADMISSIBILITY IN EVIDENCE.—In a proceeding, evidence of a record or signature may not be excluded solely because the record or signature is in electronic form.
(14) AUTOMATED TRANSACTIONS.—In an automated transaction, the following rules apply:
(a) A contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents’ actions or the resulting terms and agreements.
(b) A contract may be formed by the interaction of an electronic agent and an individual, acting on the individual’s own behalf or for another person, including by an interaction in which the individual performs actions that the individual is free to refuse to perform and which the individual knows or has reason to know will cause the electronic agent to complete the transaction or performance.
(c) The terms of the contract are determined by the substantive law applicable to the contract.
(15) TIME AND PLACE OF SENDING AND RECEIVING.—
(a) Unless otherwise agreed between the sender and the recipient, an electronic record is sent when the record:
1. Is addressed properly or otherwise directed properly to an information processing system that the recipient has designated or uses for the purpose of receiving electronic records or information of the type sent and from which the recipient is able to retrieve the electronic record.
2. Is in a form capable of being processed by that system.
3. Enters an information processing system outside the control of the sender or of a person that sent the electronic record on behalf of the sender or enters a region of the information processing system designated or used by the recipient which is under the control of the recipient.
(b) Unless otherwise agreed between a sender and the recipient, an electronic record is received when the record enters an information processing system that the recipient has designated or uses for the purpose of receiving electronic records or information of the type sent and from which the recipient is able to retrieve the electronic record; and is in a form capable of being processed by that system.
(c) Paragraph (b) applies even if the place the information processing system is located is different from the place the electronic record is deemed to be received under paragraph (d).
(d) Unless otherwise expressly provided in the electronic record or agreed between the sender and the recipient, an electronic record is deemed to be sent from the sender’s place of business and to be received at the recipient’s place of business. For purposes of this paragraph, the following rules apply:
1. If the sender or recipient has more than one place of business, the place of business of that person is the place having the closest relationship to the underlying transaction.
2. If the sender or the recipient does not have a place of business, the place of business is the sender’s or recipient’s residence, as the case may be.
(e) An electronic record is received under paragraph (b) even if no individual is aware of its receipt.
(f) Receipt of an electronic acknowledgment from an information processing system described in paragraph (b) establishes that a record was received but, by itself, does not establish that the content sent corresponds to the content received.
(g) If a person is aware that an electronic record purportedly sent under paragraph (a), or purportedly received under paragraph (b), was not actually sent or received, the legal effect of the sending or receipt is determined by other applicable provisions of law. Except to the extent permitted by the other provisions of law, the requirements of this paragraph may not be varied by agreement.
(h) An automated transaction does not establish the acceptability of an electronic record for recording purposes.
(16) TRANSFERABLE RECORDS.—
(a) For purposes of this paragraph, “transferable record” means an electronic record that:
1. Would be a note under chapter 673, or a document under chapter 677, if the electronic record were in writing.
2. The issuer of the electronic record expressly has agreed is a transferable record.
(b) A person has control of a transferable record if a system employed for evidencing the transfer of interests in the transferable record reliably establishes that person as the person to which the transferable record was issued or transferred.
(c) A system satisfies paragraph (b), and a person is deemed to have control of a transferable record, if the transferable record is created, stored, and assigned in such a manner that:
1. A single authoritative copy of the transferable record exists which is unique, identifiable, and, except as otherwise provided in subparagraphs 4., 5., and 6., unalterable.
2. The authoritative copy identifies the person asserting control as the person to which the transferable record was issued or, if the authoritative copy indicates that the transferable record has been transferred, the person to which the transferable record was most recently transferred.
3. The authoritative copy is communicated to and maintained by the person asserting control or its designated custodian.
4. Copies or revisions that add or change an identified assignee of the authoritative copy can be made only with the consent of the person asserting control.
5. Each copy of the authoritative copy and any copy of a copy is readily identifiable as a copy that is not the authoritative copy.
6. Any revision of the authoritative copy is readily identifiable as authorized or unauthorized.
(d) Except as otherwise agreed, a person having control of a transferable record is the holder, as defined in s. 671.201(22), of the transferable record and has the same rights and defenses as a holder of an equivalent record or writing under the Uniform Commercial Code, including, if the applicable statutory requirements under s. 673.3021, s. 677.501, or s. 679.330 are satisfied, the rights and defenses of a holder in due course, a holder to which a negotiable document of title has been duly negotiated, or a purchaser, respectively. Delivery, possession, and indorsement are not required to obtain or exercise any of the rights under this paragraph.
(e) Except as otherwise agreed, an obligor under a transferable record has the same rights and defenses as an equivalent obligor under equivalent records or writings under the Uniform Commercial Code.
(f) If requested by a person against which enforcement is sought, the person seeking to enforce the transferable record shall provide reasonable proof that the person is in control of the transferable record. Proof may include access to the authoritative copy of the transferable record and related business records sufficient to review the terms of the transferable record and to establish the identity of the person having control of the transferable record.
(17) CREATION AND RETENTION OF ELECTRONIC RECORDS AND CONVERSION OF WRITTEN RECORDS BY GOVERNMENTAL AGENCIES.—Each governmental agency shall determine whether, and the extent to which, such agency will create and retain electronic records and convert written records to electronic records.
(18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY GOVERNMENTAL AGENCIES.—
(a) Except as otherwise provided in paragraph (12)(f), each governmental agency shall determine whether, and the extent to which, such agency will send and accept electronic records and electronic signatures to and from other persons and otherwise create, generate, communicate, store, process, use, and rely upon electronic records and electronic signatures.
(b) To the extent that a governmental agency uses electronic records and electronic signatures under paragraph (a), the Department of Management Services, in consultation with the governmental agency, giving due consideration to security, may specify:
1. The manner and format in which the electronic records must be created, generated, sent, communicated, received, and stored and the systems established for those purposes.
2. If electronic records must be signed by electronic means, the type of electronic signature required, the manner and format in which the electronic signature must be affixed to the electronic record, and the identity of, or criteria that must be met by, any third party used by a person filing a document to facilitate the process.
3. Control processes and procedures as appropriate to ensure adequate preservation, disposition, integrity, security, confidentiality, and auditability of electronic records.
4. Any other required attributes for electronic records which are specified for corresponding nonelectronic records or reasonably necessary under the circumstances.
(c) Except as otherwise provided in paragraph (12)(f), this section does not require a governmental agency of this state to use or permit the use of electronic records or electronic signatures.
(d) Service charges and fees otherwise established by law applicable to the filing of nonelectronic records shall apply in kind to the filing of electronic records.
(19) INTEROPERABILITY.—The governmental agency which adopts standards pursuant to subsection (18) may encourage and promote consistency and interoperability with similar requirements adopted by other governmental agencies of this and other states and the Federal Government and nongovernmental persons interacting with governmental agencies of this state. If appropriate, those standards may specify differing levels of standards from which governmental agencies of this state may choose in implementing the most appropriate standard for a particular application.
(20) SEVERABILITY.—If any provision of this section or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of this section which can be given effect without the invalid provision or application, and to this end the provisions of this act are severable.
History.—s. 1, ch. 2000-164; s. 49, ch. 2004-335; s. 22, ch. 2007-134; s. 16, ch. 2008-116; s. 2, ch. 2010-131; s. 16, ch. 2012-100; s. 29, ch. 2014-221; s. 27, ch. 2019-118; s. 5, ch. 2023-80.
PART III
ELECTRONIC MAIL COMMUNICATIONS
668.60 Short title; application.
668.601 Legislative intent.
668.602 Definitions.
668.603 Prohibited activity.
668.604 Blocking of commercial electronic mail by interactive computer service.
668.605 Confidentiality of intelligence or investigation information.
668.606 Civil remedies; service provider immunity.
668.6075 Unfair and deceptive trade practices.
668.6076 Public records status of e-mail addresses; agency website notice.
668.608 Criminal violations.
668.610 Cumulative remedies.
668.60 Short title; application.—This part may be known by the popular name of the “Electronic Mail Communications Act.” Except as otherwise provided, this part applies to unsolicited commercial electronic mail.
History.—s. 1, ch. 2004-233.
668.601 Legislative intent.—This part is intended to promote the integrity of electronic commerce and shall be construed liberally in order to protect the public and legitimate businesses from deceptive and unsolicited commercial electronic mail.
History.—s. 1, ch. 2004-233.
668.602 Definitions.—As used in this part, the term:
(1) “Affirmative consent” means that the recipient of electronic mail expressly consented to receive the message either in response to a clear and conspicuous request for the recipient’s consent or at the recipient’s own initiative. A recipient is deemed to have given affirmative consent if the electronic mail message is from a person other than the person to whom the recipient directly communicated consent if clear and conspicuous notice was given to the recipient that the recipient’s electronic mail address could be transferred to another person for the purpose of that person initiating the transmission of a commercial electronic mail message to the recipient.
(2) “Assist in the transmission” means to provide substantial assistance or support that enables a person to formulate, compose, send, originate, initiate, or transmit a commercial electronic mail message when the person providing the assistance knows or has reason to know that the initiator of the commercial electronic mail message is engaged in or intends to engage in a practice that violates this chapter. “Assist in the transmission” does not include:
(a) Actions that constitute routine conveyance of such message; or
(b) Activities of any entity related to the design, manufacture, or distribution of any technology, product, or component that has a commercially significant use other than to violate or circumvent this part.
(3) “Commercial electronic mail message” means an electronic mail message sent to promote the sale or lease of, or investment in, property, goods, or services related to any trade or commerce. This includes any electronic mail message that may interfere with any trade or commerce, including messages that contain computer viruses.
(4) “Computer virus” means a computer program that is designed to replicate itself or affect another program or file in the computer by attaching a copy of the program or other set of instructions to one or more computer programs or files without the consent of the owner or lawful user. The term includes, but is not limited to, programs that are designed to contaminate other computer programs; compromise computer security; consume computer resources; modify, destroy, record, or transmit data; or disrupt the normal operation of the computer, computer system, or computer network. The term also includes, but is not limited to, programs that are designed to use a computer without the knowledge and consent of the owner or authorized user and to send large quantities of data to a targeted computer network without the consent of the network for the purpose of degrading the targeted computer’s or network’s performance or for the purpose of denying access through the network to the targeted computer or network.
(5) “Department” means the Department of Legal Affairs.
(6) “Electronic mail address” means a destination, commonly expressed as a string of characters, to which electronic mail may be sent or delivered.
(7) “Electronic mail message” means an electronic message or computer file that is transmitted between two or more telecommunications devices; computers; computer networks, regardless of whether the network is a local, regional, or global network; or electronic devices capable of receiving electronic messages, regardless of whether the message is converted to hard copy format after receipt, viewed upon transmission, or stored for later retrieval.
(8) “Initiate the transmission” means the action taken by the original sender with respect to a commercial electronic mail message.
(9) “Interactive computer service” means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically, but not limited to, a service or system that provides access to the Internet and the systems operated or services offered by libraries or educational institutions.
(10) “Internet domain name” means a globally unique, hierarchical reference to an Internet host or service, which is assigned through centralized Internet naming authorities and which is comprised of a series of character strings separated by periods, with the right-most string specifying the top of the hierarchy.
(11) “Person” means any individual, group of individuals, firm, association, corporation, partnership, joint venture, sole proprietorship, or any other business entity.
(12) “Routine conveyance” means the transmission, routing, relaying, handling, or storing, through an automatic technical process, of an electronic mail message for which another person has identified the recipients or provided the recipient addresses. This does not include any routine conveyance which is deliberately intended to assist persons in violating this part.
(13) “Trade or commerce” means the advertising, soliciting, providing, offering, or distributing, whether by sale, rental, or otherwise, of any goods or service, or any property, whether tangible or intangible, or any other article, commodity, or thing of value, wherever situated.
(14) “Unsolicited commercial electronic mail message” means any commercial electronic mail message that is not a transactional or relationship message and is sent to a recipient without the recipient’s affirmative or implied consent.
History.—s. 1, ch. 2004-233; s. 132, ch. 2005-2.
668.603 Prohibited activity.—A person may not:
(1) Initiate or assist in the transmission of an unsolicited commercial electronic mail message from a computer located in this state or to an electronic mail address that is held by a resident of this state which:
(a) Uses a third party’s Internet domain name without permission of the third party;
(b) Contains falsified or missing routing information or otherwise misrepresents, falsifies, or obscures any information in identifying the point of origin or the transmission path of the unsolicited commercial electronic mail message;
(c) Contains false or misleading information in the subject line; or
(d) Contains false or deceptive information in the body of the message which is designed and intended to cause damage to the receiving device of an addressee or of another recipient of the message. However, this section does not apply to electronic mail messages resulting from or created by a computer virus which are sent or retransmitted from a computer or other electronic device without the sender’s knowledge or consent.
(2) Distribute software or any other system designed to falsify missing routing information identifying the point of origin or the transmission path of the commercial electronic mail message.
History.—s. 1, ch. 2004-233.
668.604 Blocking of commercial electronic mail by interactive computer service.—This part does not:
(1) Require a provider of Internet access service to block, transmit, route, relay, handle, or store certain types of electronic mail messages;
(2) Prevent or limit, in any way, a provider of Internet access service from adopting a policy regarding commercial or other electronic mail, including a policy of declining to transmit certain types of electronic mail messages, or from enforcing such policy through technical means, through contract, or pursuant to any remedy available under any other provision of law; or
(3) Render lawful any policy or action that is unlawful under any other provision of law.
History.—s. 1, ch. 2004-233.
668.605 Confidentiality of intelligence or investigation information.—This part does not contravene the provisions of s. 501.2065, which provide for maintaining the confidential status of certain information.
History.—s. 1, ch. 2004-233.
668.606 Civil remedies; service provider immunity.—
(1) The department may bring an action for damages or for declaratory or injunctive relief or may impose a civil penalty as provided in s. 668.6075. A cause of action, without regard to any other remedy or relief to which a person is entitled, including the right to seek declaratory and injunctive relief against a person who initiates or assists in the transmission of a commercial electronic mail message that violates, has violated, or is otherwise likely to violate s. 668.603, is also available to an interactive computer service, telephone company, or cable provider that handles or retransmits the commercial electronic mail message.
(2) This part does not create a cause of action or provide for criminal charges against an interactive computer service, customer premise equipment provider, communications service provider, or cable provider whose equipment is used to transport, handle, or retransmit a commercial electronic mail message that violates s. 668.603.
(3) A prevailing plaintiff in an action filed under this part is entitled to:
(a) An injunction to enjoin future violations of s. 668.603.
(b) Compensatory damages equal to any actual damage proven by the plaintiff to have resulted from the initiation of the unsolicited commercial electronic mail message or liquidated damages of $500 for each unsolicited commercial electronic mail message that violates s. 668.603.
(c) The plaintiff’s attorney’s fees and other litigation costs reasonably incurred in connection with the action.
(4) Any person outside this state who initiates or assists in the transmission of a commercial electronic mail message received in this state which violates s. 668.603 and who knows, or should have known, that the commercial electronic mail message will be received in this state submits to the jurisdiction of this state for purposes of this part.
(5) An action under this section must be commenced within 4 years following the date of any activity prohibited by s. 668.603.
History.—s. 1, ch. 2004-233; s. 2, ch. 2006-232.
668.6075 Unfair and deceptive trade practices.—A violation of s. 668.603 shall be deemed an unfair and deceptive trade practice within the meaning of part II of chapter 501. In addition to any remedies or penalties set forth in that part, a violator shall be subject to the penalties and remedies provided for in this part.
History.—s. 1, ch. 2004-233; s. 3, ch. 2006-232.
668.6076 Public records status of e-mail addresses; agency website notice.—Any agency, as defined in s. 119.011, or legislative entity that operates a website and uses electronic mail shall post the following statement in a conspicuous location on its website:
Under Florida law, e-mail addresses are public records. If you do not want your e-mail address released in response to a public records request, do not send electronic mail to this entity. Instead, contact this office by phone or in writing.
History.—s. 1, ch. 2006-232.
668.608 Criminal violations.—
(1) Except as provided in subsection (2), any person who violates s. 668.603 commits a misdemeanor of the first degree, punishable as provided in s. 775.082 or s. 775.083.
(2) Any person who violates s. 668.603 commits a felony of the third degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084, if:
(a) The volume of commercial electronic mail messages transmitted by the person exceeds 2,500 attempted recipients in any 24-hour period;
(b) The volume of commercial electronic mail messages transmitted by the person exceeds 25,000 attempted recipients in any 30-day period;
(c) The volume of commercial electronic mail messages transmitted by the person exceeds 250,000 attempted recipients in any 1-year period;
(d) The revenue generated from a specific commercial electronic mail message transmitted by the person exceeds $1,000;
(e) The total revenue generated from all commercial electronic mail messages transmitted by the person to any electronic mail message service provider or its subscribers exceeds $50,000;
(f) The person knowingly hires, employs, uses, or permits any minor to assist in the transmission of a commercial electronic mail message in violation of s. 668.603; or
(g) The person commits a violation otherwise punishable under subsection (1) within a 5-year period after a previous conviction under this section.
History.—s. 4, ch. 2006-232.
668.610 Cumulative remedies.—The remedies and criminal penalties of this part are in addition to remedies and criminal penalties otherwise available for the same conduct under federal or state law.
History.—s. 1, ch. 2004-233; s. 3, ch. 2006-232.
Note.—Former s. 668.6075(2).
PART IV
FRAUDULENT USE OR POSSESSION OF IDENTIFYING INFORMATION
668.701 Short title.
668.702 Definitions.
668.703 Prohibited acts.
668.704 Remedies.
668.705 Exemptions.
668.701 Short title.—This part may be cited as the “Antiphishing Act.”
History.—s. 5, ch. 2006-232.
668.702 Definitions.—As used in this part, the term:
(1) “Department” means the Department of Legal Affairs.
(2) “Electronic mail address” has the same meaning as provided in s. 668.602.
(3) “Electronic mail message” has the same meaning as provided in s. 668.602.
(4) “Identifying information” has the same meaning as the term “personal identification information” as defined in s. 817.568(1).
(5) “Internet domain name” has the same meaning as provided in s. 668.602.
(6) “Web page” means a location that has a single uniform resource locator (URL) with respect to the World Wide Web or another location that can be accessed on the Internet.
History.—s. 5, ch. 2006-232.
668.703 Prohibited acts.—
(1) A person with an intent to engage in conduct involving the fraudulent use or possession of another person’s identifying information may not represent oneself, directly or by implication, to be another person without the authority or approval of such other person through the use of a web page or Internet domain name and use that web page, Internet domain name, or a link to that web page or domain name or another site on the Internet to induce, request, or solicit a resident of this state to provide identifying information.
(2) A person with an intent to engage in conduct involving the fraudulent use or possession of identifying information may not send or cause to be sent to an electronic mail address held by a resident of this state an electronic mail message that is falsely represented as being sent by another person without the authority or approval of such other person, refers or links the recipient of the message to a web page, and directly or indirectly induces, requests, or solicits the recipient of the electronic mail message to provide identifying information.
History.—s. 5, ch. 2006-232.
668.704 Remedies.—
(1) The following persons may bring a civil action against a person who violates this part:
(a) A person engaged in the business of providing Internet access service to the public who is adversely affected by the violation.
(b) A financial institution as defined in s. 655.005(1) that is adversely affected by the violation.
(c) An owner of a web page, trademark, or service mark who is adversely affected by the violation.
(d) The Attorney General.
(2) A person bringing an action under this section may:
(a) Seek injunctive relief to restrain the violator from continuing the violation.
(b) Recover damages in an amount equal to the greater of:
1. Actual damages arising from the violation; or
2. The sum of $5,000 for each violation of the same nature.
(3) The court may increase an award of actual damages in an action brought under this section to an amount not to exceed three times the actual damages sustained if the court finds that the violations have occurred with a frequency as to constitute a pattern or practice.
(4) For purposes of this section, violations are of the same nature if the violations consist of the same course of conduct or action, regardless of the number of times the conduct or action occurred.
(5) A plaintiff who prevails in an action filed under this section is entitled to recover reasonable attorney’s fees and court costs.
(6) By committing a violation under this part, the violator submits personally to the jurisdiction of the courts of this state. This section does not preclude other methods of obtaining jurisdiction over a person who commits a violation under this part.
(7) An action under this part may be brought in any court of competent jurisdiction to enforce such rights and to recover damages as stated in this part.
(8) The venue for a civil action brought under this section shall be the county in which the plaintiff resides or in any county in which any part of the alleged violation under this part took place, regardless of whether the defendant was ever actually present in that county. A civil action filed under this section must be brought within 3 years after the violation occurred.
(9) The remedies available under this section are in addition to remedies otherwise available for the same conduct under federal or state law.
(10) Any moneys received by the Attorney General for attorney’s fees and costs of investigation or litigation in proceedings brought under this section shall be deposited as received into the Legal Affairs Revolving Trust Fund.
(11) Any moneys received by the Attorney General which are not for attorney’s fees and costs of investigation or litigation or used for reimbursing persons found under this part to be damaged shall accrue to the state and be deposited as received into the Legal Affairs Revolving Trust Fund.
History.—s. 5, ch. 2006-232; s. 104, ch. 2013-18.
668.705 Exemptions.—
(1) This part does not apply to a telecommunications provider’s or Internet service provider’s good faith transmission or routing of, or intermediate temporary storing or caching of, identifying information.
(2) A provider of an interactive computer service is not liable under the laws of this state for removing or disabling access to content that resides on an Internet website or other online location controlled or operated by such provider if such provider believes in good faith that the content is used to engage in a violation of this part.
History.—s. 5, ch. 2006-232.
PART V
COMPUTER ABUSE AND DATA RECOVERY ACT
668.801 Purpose.
668.802 Definitions.
668.803 Prohibited acts.
668.804 Remedies.
668.805 Exclusions.
668.801 Purpose.—This part shall be construed liberally to:
(1) Safeguard an owner, operator, or lessee of a protected computer used in the operation of a business from harm or loss caused by unauthorized access to such computer.
(2) Safeguard an owner of information stored in a protected computer used in the operation of a business from harm or loss caused by unauthorized access to such computer.
History.—s. 2, ch. 2015-14.
668.802 Definitions.—As used in this part, the term:
(1) “Authorized user” means a director, officer, employee, third-party agent, contractor, or consultant of the owner, operator, or lessee of the protected computer or the owner of information stored in the protected computer if the director, officer, employee, third-party agent, contractor, or consultant is given express permission by the owner, operator, or lessee of the protected computer or by the owner of information stored in the protected computer to access the protected computer through a technological access barrier. Such permission, however, is terminated upon revocation by the owner, operator, or lessee of the protected computer or by the owner of information stored in the protected computer, or upon cessation of employment, affiliation, or agency with the owner, operator, or lessee of the protected computer or the owner of information stored in the protected computer.
(2) “Business” means any trade or business regardless of its for-profit or not-for-profit status.
(3) “Computer” means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or storage functions and includes any data storage facility, data storage device, or communications facility directly related to, or operating in conjunction with, the device.
(4) “Harm” means any impairment to the integrity, access, or availability of data, programs, systems, or information.
(5) “Loss” means any of the following:
(a) Any reasonable cost incurred by the owner, operator, or lessee of a protected computer or the owner of stored information, including the reasonable cost of conducting a damage assessment for harm associated with the violation and the reasonable cost for remediation efforts, such as restoring the data, programs, systems, or information to the condition it was in before the violation.
(b) Economic damages.
(c) Lost profits.
(d) Consequential damages, including the interruption of service.
(e) Profits earned by a violator as a result of the violation.
(6) “Protected computer” means a computer that is used in connection with the operation of a business and stores information, programs, or code in connection with the operation of the business in which the stored information, programs, or code can be accessed only by employing a technological access barrier.
(7) “Technological access barrier” means a password, security code, token, key fob, access device, or similar measure.
(8) “Traffic” means to sell, purchase, or deliver.
(9) “Without authorization” means access to a protected computer by a person who:
(a) Is not an authorized user;
(b) Has stolen a technological access barrier of an authorized user; or
(c) Circumvents a technological access barrier on a protected computer without the express or implied permission of the owner, operator, or lessee of the computer or the express or implied permission of the owner of information stored in the protected computer. The term does not include circumventing a technological measure that does not effectively control access to the protected computer or the information stored in the protected computer.
History.—s. 3, ch. 2015-14.
668.803 Prohibited acts.—A person who knowingly and with intent to cause harm or loss:
(1) Obtains information from a protected computer without authorization and, as a result, causes harm or loss;
(2) Causes the transmission of a program, code, or command to a protected computer without authorization and, as a result of the transmission, causes harm or loss; or
(3) Traffics in any technological access barrier through which access to a protected computer may be obtained without authorization,
is liable to the extent provided in s. 668.804 in a civil action to the owner, operator, or lessee of the protected computer, or the owner of information stored in the protected computer who uses the information in connection with the operation of a business.
History.—s. 4, ch. 2015-14.
668.804 Remedies.—
(1) A person who brings a civil action for a violation under s. 668.803 may:
(a) Recover actual damages, including the person’s lost profits and economic damages.
(b) Recover the violator’s profits that are not included in the computation of actual damages under paragraph (a).
(c) Obtain injunctive or other equitable relief from the court to prevent a future violation of s. 668.803.
(d) Recover the misappropriated information, program, or code, and all copies thereof, that are subject to the violation.
(2) A court shall award reasonable attorney fees to the prevailing party in any action arising under this part.
(3) The remedies available for a violation of s. 668.803 are in addition to remedies otherwise available for the same conduct under federal or state law.
(4) A final judgment or decree in favor of the state in any criminal proceeding under chapter 815 shall estop the defendant in any subsequent action brought pursuant to s. 668.803 as to all matters as to which the judgment or decree would be an estoppel as if the plaintiff had been a party in the previous criminal action.
(5) A civil action filed under s. 668.803 must be commenced within 3 years after the violation occurred or within 3 years after the violation was discovered or should have been discovered with due diligence.
History.—s. 5, ch. 2015-14.
668.805 Exclusions.—This part does not prohibit any lawfully authorized investigative, protective, or intelligence activity of any law enforcement agency, regulatory agency, or political subdivision of this state, any other state, the United States, or any foreign country. This part may not be construed to impose liability on any provider of an interactive computer service as defined in 47 U.S.C. s. 230(f), of an information service as defined in 47 U.S.C. s. 153, or of a communications service as defined in s. 202.11, if the provider provides the transmission, storage, or caching of electronic communications or messages of a person other than the provider, related telecommunications or commercial mobile radio services, or content provided by a person other than the provider.