skip to main content
Experience List
  • Email Page
  • Create PDF
  • Print Page


Florida Data Breach Statute


Fla. Stat. § 501.171

To print or save this summary, click here.


Quick Facts

Breach Based on
Harm Threshold

Deadline for
Consumer Notice

Notification Required


No later than 30 days

YES, if >499 residents notified


More Details

Scope of this Summary Notification requirements applicable to commercial entities that acquire, maintain, store, or use covered info. Some types of businesses may be exempt from some or all of these requirements and non-commercial entities may be subject to different requirements.
Covered Info First name or first initial and last name, plus: Social Security number; driver's license, state identification card, passport, military identification, or other government-issued number to verify identity; financial account, credit, or debit card number in combination with any required code or password that would permit access to a financial account; info regarding medical history, mental/physical condition, or medical treatment/diagnosis; or health insurance policy or subscriber identification number and any unique identifier used by health insurer.

Covered info also includes a username or email address in combination with password or security question and answer that would permit access to online account.
Form of Covered Info Electronic Only
Encryption Safe Harbor Statute does not apply to information that is encrypted, secured or modified to remove identifying elements or otherwise render it unusable.
Breach Defined Unauthorized access to covered info, excluding certain good-faith access by employees or agents.
Consumer Notice Timing: Must be made as expeditiously as practicable and without unreasonable delay, but no later than 30 days after determination of breach or reason to believe breach occurred, consistent with time necessary to determine scope of the breach, identify those affected, and restore the reasonable integrity of the system. May receive 15 more days if good cause for delay provided to Dept. of Legal Affairs within original 30 days.

Content: Notice must include the date(s) of the breach, a description of the covered info that was or is reasonably believed to have been accessed, and the covered entity's contact info.

Method: By written notice or e-mail. Substitute notice is available if certain criteria are satisfied.
Delayed Notice Notification may be delayed for a specified period upon written request by law enforcement if law enforcement determines that notice will impede a criminal investigation.
Harm Threshold Notification not required if, after investigation and consultation with relevant federal, state, or local law enforcement, covered entity reasonably determines breach has not and will not likely result in identity theft or other financial harm. Determination must be documented in writing, maintained for five years, and provided to Dept. of Legal Affairs within 30 days.
Government Notice If breach affects 500 or more residents, must notify Dept. of Legal Affairs as expeditiously as practicable, but no later than 30 days after determination of breach or reason to believe breach occurred. Notice must include: synopsis of events surrounding breach; number of residents affected/potentially affected; info on services offered to affected individuals free of charge; copy of the notice to residents; and contact info for covered entity. Must provide additional info upon request by Dept.
Consumer Agency Notice If more than 1,000 residents notified, must notify all nationwide CRAs without unreasonable delay of timing, distribution and content of the consumer notice.
Third-Party Notice If you maintain covered info on behalf of another entity, you must notify them as expeditiously as practicable, but no later than 10 days following determination of a breach or reason to believe breach occurred. Must provide all info other entity needs to comply with its notice requirements.
Potential Penalties Violations may result in civil penalties.


To print or save this summary, click here.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on May 30, 2018