Breach Notification Law in Florida


Learn more about the breach notification laws in the State of Florida.

Florida Statute Codes for Breach Notification

A security breach in Florida is defined as a breach of personal information stored in an electronic information system that is accessed by an unauthorized party. Personal information includes first and last names, first initial and last name, Social Security numbers, driver’s license information, passport information, military identifications, and government documents used for identification purposes. Health information, credit and debit card information, and online account information are also considered personal information.

Breach notification laws in Florida are contained under the Florida Information Protection Act of 2014, Fla. Stat. § 501.171, which includes S.B. 1524 and S.B. 1526. S.B. 1524. That which defines breach notification in Florida pertains to entities, defined locally as proprietorships, corporations, cooperatives, associations, estates, or any other such commercial entity which regularly handles PI. Additionally, any entity contracted under such groups for storage or management of PI on behalf or that entity is included. This contracted party is referred to as a “third-party agent”.

When the Proper Parties Must Be Informed of a Breach

Breach notification must take place if PI has been compromised, or it is believed PI may have been compromised. Should the investigation reveal a data breach will not cause harm or identity theft, and that investigation complies with laws pertaining to such investigations, then the notification is not necessary. However, the breach must still be documented in writing, and that documentation maintained for at least five years. Additionally, the Department of Legal Affairs must be notified in writing within 30 days once a determination has been made. The AG presides over this department and should more than 500 individuals in Florida be affected, they must be notified.

Consumer reporting agencies must be notified if more than 1,000 people are affected.

The Department must be notified no later than 30 days after it’s been determined a breach happened, or there’s reason to believe a breach has happened. Affected individuals must be notified as fast as possible. Reasonable delays involve law enforcement restriction, re-establishment of data system functionality, and breach scope determination. However, it’s not reasonable to delay breach notification of individuals beyond 30 days. Entities are given 15 extra days if good cause is given in writing by the entity to the Department inside 30 days from when a breach has been

Giving the Department notice can be done through a written notice that includes a synopsis of the event, how many people were involved, services entities offer affected individuals in compensation, a copy of the notice that will be sent to affected parties, and contact information from the entity providing notice. This contact information must include name, address, phone number, and email address of the affected parties that can be used to reach the entity. If the Department asks, entities must also provide a police or incident report, a copy of breach policies in place, and what steps have been taken to fix the problem. Supplemental information from the entity to the Department may be provided at any time.

Contact SCA for More Information about Breach Notification Law in Florida

Security Compliance Associates has years of experience with breach notification law and information security in Florida and throughout the United States. For more information about breach notification law in Florida and any other part of the United States, download your free SCA Breach Notification Guide today. Contact SCA today at 727-571-1141 for more information and to schedule a free system analysis.