DATA BREACH POLICY
Summit Industries Corporation’s (Summit’s) (d/b/a “School Check IN”) data breach policy is in accordance with Fla. Stat. 501.171 (2016). All definitions for this policy are as defined under this statute.
Summit shall take reasonable measures to protect and secure data in electronic form containing personal information.
Summit shall provide notice to the Florida Department of Legal Affairs (department) of any breach of security affecting 500 or more individuals in this state. Such notice shall be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. Summit may receive 15 additional days to provide notice if good cause for delay is provided to the department within 30 days after determination of the breach or reason to believe a breach occurred.
Summit’s written notice to the department must include the following:
A synopsis of the events surrounding the breach at the time notice is provided.
The number of individuals in this state who were or potentially have been affected by the breach.
Any services related to the breach being offered or scheduled to be offered, without charge, by Summit to individuals, and instructions as to how to use such services.
A copy of the notice required or an explanation of the other actions taken.
The name, address, telephone number, and e-mail address of Summit’s employee or agent from whom additional information may be obtained about the breach.
Summit must provide the following information to the department upon its request:
A police report, incident report, or computer forensics report.
A copy of the policies in place regarding breaches.
Steps that have been taken to rectify the breach.
Summit may provide the department with supplemental information regarding a breach at any time.
Summit shall give notice to each individual in this state whose personal information was, or Summit reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow Summit to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to an authorized delay or waiver.
If a federal, state, or local law enforcement agency determines that notice to individuals required herein would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request if further delay is necessary.
Notice to the affected individual is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, Summit reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination shall be documented in writing and maintained for at least 5 years. Summit shall provide the written determination to the department within 30 days after the determination.
The notice to an affected individual shall be by either a written notice sent to the mailing address of the individual in Summit’s records or by email sent to the individual’s email address in Summit’s records.
The notice to an individual with respect to a breach of security shall include, at a minimum, the date, estimated date, or estimated date range of the breach of security, a description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security, and information that the individual can use to contact Summit to inquire about the breach of security and the personal information that Summit maintained about the individual.
Summit may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an email address or mailing address for the affected individuals. Such substitute notice shall include a conspicuous notice on Summit’s website and notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.
Notice provided pursuant to rules, regulations, procedures, or guidelines established by Summit’s primary or functional federal regulator is deemed to be in compliance with the notice requirement if Summit notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security. Summit is deemed to be in compliance with notice requirements if it timely provides a copy of such notice to the department.
If Summit discovers circumstances requiring notice to more than 1,000 individuals at a single time, Summit shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis as defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices.
In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify Summit of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, Summit shall provide notices indicated above. A third-party agent shall provide Summit under law with all information that Summit needs to comply with its notice requirements.
An agent may provide notice on Summit’s behalf; however, an agent’s failure to provide proper notice shall be deemed a violation against Summit.
Summit or third-party agents shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
There is no private cause of action pursuant to this policy. This data breach policy imposes no requirements upon Summit in addition to those recited in Fla. Stat. 501.171 (2016).