Information Covered / Important Definitions
Personal information of Florida residents.
Definition includes (i) medical history, (ii) mental or physical condition, (iii) medical treatment or diagnosis by a health care professional, (iv) health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual, and (v) a user name or e-mail address in combination with a password or security question and answer that would permit access to the account.
“Security Breach” means unauthorized access of data in electronic form containing personal information.
Covered Entities* / Third Party Recipients
Subject to statute:
Any legal or commercial entity that acquires, maintains, stores, or uses personal information.
(Definition also includes government entities in some instances.)
Third party recipients:
In the event of a security breach of a system maintained by a third party agent, such third party agent must cooperate with and notify the covered entity as expeditiously as practicable but not later than ten (10) days following determination of the breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to Florida residents whose personal information was, or is reasonably believed to have been, accessed as a result of a security breach as expeditiously as practicable, but not later than thirty (30) days following the determination of the breach. The notification may be delayed upon the written request of law enforcement.
- Specific content requirements prescribed by statute for notice to individuals.
- Substitute notice is available by means described in the statute if the cost of notice would exceed $250,000, the affected class exceeds 500,000 persons, or the covered entity has insufficient contact information.
- Notice not required if the entity responsible for the data concludes after a reasonable investigation and consultation with federal, state, and local law enforcement agencies that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.
Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify consumer reporting agencies without unreasonable delay.
Covered entities must take reasonable measures to dispose of records with personal information.
A covered entity or third party contracted to maintain, store, or process personal information on behalf of a covered entity must take reasonable measures to protect and secure data in electronic form containing personal information.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, secured, or modified to remove elements that personally identify an individual or otherwise render the information unusable.
Exemption for good faith acquisition of personal information by an employee or agent of covered entity so long as personal information is not used for purposes unrelated to the business or subject to further unauthorized use.
Entities notifying individuals in compliance with requirements of primary or functional federal regulator are deemed in compliance with Florida requirements provided notice is timely provided to Florida Department of Legal Affairs.
Notification to Regulator / Waiver
Florida Department of Legal Affairs must be notified not later than thirty (30) days after determination of breach if more than 500 Florida residents are affected.
Additional notification time may be obtained by request to the Florida Department of Legal Affairs within the 30-day period.
Specific content requirements prescribed in statute for notification to Department of Legal Affairs.
A determination of no likelihood of harm:
Must be made in consultation with relevant federal, state, or local law enforcement agencies. Such a determination must be documented in writing and maintained for at least five (5) years. Covered entity must provide the written determination to the Florida Department of Legal Affairs within 30 days of determination.
Violations are treated as an unfair or deceptive trade practice.
For failure to provide notice of the security breach within 30 days:
(i) $1,000 per day for first 30 days following violation, then (ii) up to $50,000 for each subsequent 30-day period up to 180 days, then (iii) an amount not to exceed $500,000 if violation continues.
Penalties apply per breach, not per affected individual.
Penalties do not apply to government entities.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by Florida Department of Legal Affairs only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.