Florida

Notification requirements applicable to commercial entities that acquire, maintain, store, or use covered info. Some types of businesses may be exempt from some or all of these requirements and non-commercial entities may be subject to different requirements.

First name or first initial and last name, plus: Social Security number; driver's license, state identification card, passport, military identification, or other government-issued number to verify identity; financial account, credit, or debit card number in combination with any required code or password that would permit access to a financial account; info regarding medical history, mental/physical condition, or medical treatment/diagnosis; or health insurance policy or subscriber identification number and any unique identifier used by health insurer.

Covered info also includes a username or email address in combination with password or security question and answer that would permit access to online account.

Electronic Only.

Statute does not apply to information that is encrypted, secured or modified to remove identifying elements or otherwise render it unusable.

Unauthorized access to covered info, excluding certain good-faith access by employees or agents.

Timing: Must be made as expeditiously as practicable and without unreasonable delay, but no later than 30 days after determination of breach or reason to believe breach occurred, consistent with time necessary to determine scope of the breach, identify those affected, and restore the reasonable integrity of the system. May receive 15 more days if good cause for delay provided to Dept. of Legal Affairs within original 30 days.

Content: Notice must include the date(s) of the breach, a description of the covered info that was or is reasonably believed to have been accessed, and the covered entity's contact info.

Method: By written notice or email. Substitute notice is available if certain criteria are satisfied.

Notification may be delayed for a specified period upon written request by law enforcement if law enforcement determines that notice will impede a criminal investigation. A covered entity can also receive an extra 15 days to provide notice to consumers if good cause for delay is provided in writing to the Dept. of Legal Affairs within 30 days of the breach.

Notification not required if, after investigation and consultation with relevant federal, state, or local law enforcement, covered entity reasonably determines breach has not and will not likely result in identity theft or other financial harm. Determination must be documented in writing, maintained for five years, and provided to Dept. of Legal Affairs within 30 days.

If breach affects 500 or more residents, must notify Dept. of Legal Affairs as expeditiously as practicable, but no later than 30 days after determination of breach or reason to believe breach occurred. Notice must include: synopsis of events surrounding breach; number of residents affected/potentially affected; info on services offered to affected individuals free of charge; copy of the notice to residents; and contact info for covered entity. Must provide additional info upon request by Dept.

If more than 1,000 residents notified, must notify all nationwide CRAs without unreasonable delay of timing, distribution and content of the consumer notice.

If you maintain covered info on behalf of another entity, you must notify them as expeditiously as practicable, but no later than 10 days following determination of a breach or reason to believe breach occurred. Must provide all info other entity needs to comply with its notice requirements.

Violations may result in civil penalties.