Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: No later than 30 days
Government Notification Required: Yes, if 500+ residents notified
Scope of this Summary:
Notification requirements applicable to commercial entities that acquire, maintain, store, or use covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if, after investigation and consultation with relevant federal, state, or local law enforcement, covered entity reasonably determines breach has not and will not likely result in identity theft or other financial harm. Determination must be documented in writing, maintained for five years, and provided to Dept. of Legal Affairs within 30 days of determination.
Breach Defined
Unauthorized access to covered info, excluding certain good-faith access by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted, secured, or modified to remove identifying elements or otherwise render it unusable.
Triggering Event
The Florida statute's notification obligations are triggered by a "breach of security," defined as an unauthorized access to electronic data containing personal information.
Form of Covered Info
Electronic Only
Covered Info
- An individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:
  - Social Security number.
  - Driver's license number or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
  - Financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account.
  - Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.
  - An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
- Personal information also includes a username or email address in combination with a password or security question and answer that would permit access to an online account.
Consumer Notice Timing
Must be made as expeditiously as practicable and without unreasonable delay but no later than 30 days after determination of breach or reason to believe breach occurred, consistent with time necessary to determine scope of the breach, identify those affected, and restore the reasonable integrity of the system. May receive 15 more days if good cause for delay provided to Dept. of Legal Affairs within original 30 days.
Consumer Notice Method
By written notice or email. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Notice must include the date(s), estimated date, or estimated date range of the breach of security; a description of the covered info that was or is reasonably believed to have been accessed; and the covered entity's contact info for inquiries.
Delayed Notice
Notification may be delayed for a specified period upon written request by law enforcement if law enforcement determines that notice will impede a criminal investigation. A covered entity can also receive an extra 15 days to provide notice to consumers if good cause for delay is provided in writing to the Dept. of Legal Affairs within 30 days of the breach.
Government Notice
If breach affects 500 or more residents, must notify the AG as expeditiously as practicable, but no later than 30 days after determination of breach or reason to believe breach occurred. Notice must include: synopsis of events surrounding breach; number of residents affected/potentially affected; info on services offered to affected individuals free of charge; copy of the notice to residents; and contact info for covered entity. Must provide additional info upon request by Dept.
Consumer Reporting Agency Notice
The Florida statute requires a covered entity to notify the major consumer reporting agencies if it must notify more than 1,000 individuals at one time. The notice to the consumer reporting agencies must include information regarding the timing, distribution, and content of the notice sent to individuals.
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it as expeditiously as practicable but no later than 10 days following determination of a breach or reason to believe breach occurred. Must provide all info other entity needs to comply with its notice requirements.
Exceptions for Other Laws
A covered entity that notifies affected individuals of a breach according to the rules, regulations, procedures, or guidelines established by its primary or functional federal regulator is deemed in compliance with this statute's individual notification requirements. The covered entity is deemed in compliance with the law's requirement to notify the Florida Department of Legal Affairs if it timely provides the Department with a copy of the notice sent to individuals.
Consumer Reporting Agency Notice
If more than 1,000 residents notified, must, without unreasonable delay, notify all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.
Private Right of Action
The Florida statute does not provide a private right of action.
Potential Penalties
Violations may result in civil penalties.