
Florida

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: YES
Deadline for Consumer Notice: No later than 30 days
Government Notification Required: YES, if 500+ residents notified

Fla. Stat. § 501.171

More Details

Scope of this Summary

Notification requirements applicable to commercial entities that acquire, maintain, store, or use covered info. Some types of businesses may be exempt from some or all of these requirements and non-commercial entities may be subject to different requirements.

Covered Info

First name or first initial and last name, plus: Social Security number; driver's license, state identification card, passport, military identification, or other government-issued number to verify identity; financial account, credit, or debit card number in combination with any required code or password that would permit access to a financial account; info regarding medical history, mental/physical condition, or medical treatment/diagnosis; or health insurance policy or subscriber identification number and any unique identifier used by health insurer.

Covered info also includes a username or email address in combination with password or security question and answer that would permit access to online account.

Form of Covered Info

Electronic Only.

Encryption Safe Harbor

Statute does not apply to information that is encrypted, secured or modified to remove identifying elements or otherwise render it unusable.

Breach Defined

Unauthorized access to covered info, excluding certain good-faith access by employees or agents.

Consumer Notice

Timing: Must be made as expeditiously as practicable and without unreasonable delay, but no later than 30 days after determination of breach or reason to believe breach occurred, consistent with time necessary to determine scope of the breach, identify those affected, and restore the reasonable integrity of the system. May receive 15 more days if good cause for delay provided to Dept. of Legal Affairs within original 30 days.

Content: Notice must include the date(s) of the breach, a description of the covered info that was or is reasonably believed to have been accessed, and the covered entity's contact info.

Method: By written notice or email. Substitute notice is available if certain criteria are satisfied.

Delayed Notice

Notification may be delayed for a specified period upon written request by law enforcement if law enforcement determines that notice will impede a criminal investigation. A covered entity can also receive an extra 15 days to provide notice to consumers if good cause for delay is provided in writing to the Dept. of Legal Affairs within 30 days of the breach.

Harm Threshold

Notification not required if, after investigation and consultation with relevant federal, state, or local law enforcement, covered entity reasonably determines breach has not and will not likely result in identity theft or other financial harm. Determination must be documented in writing, maintained for five years, and provided to Dept. of Legal Affairs within 30 days.

Government Notice

If breach affects 500 or more residents, must notify Dept. of Legal Affairs as expeditiously as practicable, but no later than 30 days after determination of breach or reason to believe breach occurred. Notice must include: synopsis of events surrounding breach; number of residents affected/potentially affected; info on services offered to affected individuals free of charge; copy of the notice to residents; and contact info for covered entity. Must provide additional info upon request by Dept.

Consumer Reporting Agency Notice

If more than 1,000 residents notified, must notify all nationwide CRAs without unreasonable delay of timing, distribution and content of the consumer notice.

Third-Party Notice

If you maintain covered info on behalf of another entity, you must notify them as expeditiously as practicable, but no later than 10 days following determination of a breach or reason to believe breach occurred. Must provide all info other entity needs to comply with its notice requirements.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on July 26, 2018

©1996-2020 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.