Florida Data Breach Notification Law

Notification deadline: 30 days from discovery

Enforcement: Florida Department of Legal Affairs, Attorney General

Overview

The Florida Information Protection Act (FIPA) requires businesses to notify affected individuals within 30 days of discovering a breach and to notify the Florida Department of Legal Affairs when 500+ Florida residents are affected.

Who Must Be Notified

• • Affected Florida residents (within 30 days)
• • Florida Department of Legal Affairs (if 500+ residents affected)

Covered Data Types

Social Security number, Driver's license or state ID number, Financial account number with access code, Credit/debit card number with security code, Medical information, Health insurance information, Email address with password/security questions

Notification Requirements

• • Written or electronic notice within 30 days
• • Include description of incident and date/date range of breach
• • Types of personal information involved
• • Contact information for credit reporting agencies
• • Remedial actions taken by the business
• • Notify FL Department of Legal Affairs if 500+ affected (form submission)

Exemptions

• • Encrypted or secured data (if key not compromised)
• • Anonymized or redacted data
• • Entities in compliance with HIPAA, GLBA

Penalties

Up to $500,000 per breach. $1,000/day for each day notification is late after 30 days (up to $50,000). Additional $50,000 if not notified within 180 days.