Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 30 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- $1,000 per day up to $500,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Florida’s definition of “personal information” includes: a user name or e-mail address in addition to a password or security question that would permit access to an online account.
  • Reporting to the Department of Legal Affairs within the Attorney General’s office is required if the breach involves more than 500 Florida residents.
  • If an Organization discovers circumstances requiring notice of more than 1,000 individuals at a single time, all consumer reporting agencies that compile and maintain files on those affected consumers must be notified of the incident.
  • Vendors must notify Organizations within 10 days after discovery of a breach or suspected breach.
  • Vendors must provide Organizations with all necessary information about a breach incident.
  • The Vendor may provide consumer notification and/or regulatory reporting on behalf of the Organization. However, any failure of the Vendor to provide proper consumer notification and/or regulatory reporting is a violation against the Organization.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations must contract with Vendors to whom the Organization discloses personal information.
  • Organizations and Vendors must take reasonable measures to protect and secure personal information in their possession.
  • Organizations and Vendors must have measures in place for the secure disposal of records containing personal information when the records no longer need to be retained.
  • Disposal must involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
  • Organizations may be fined or penalized for Vendor violations.
  • The Department of Legal Affairs within the Office of the Attorney General may bring an action against an Organization or Vendor for a violation of Florida Statute § 501.171. Violations are treated as an unfair and deceptive trade practice.
  • Specific requirements apply to driver’s licenses and to the personal information conveyed by “swiping” the ID card.
  • Specific health information requirements may be applicable.
Statutes and Laws
  • FL Stat § 282.318 Information Technology Security Act
  • FL Stat § 322.143 Use of a driver license or identification card
  • FL Stat § 408.051 Florida Electronic Health Records Exchange Act
  • FL Stat § 501.171 Security of Confidential Personal Information
  • FL Stat § 501.171(1)(h) Definitions
  • FL Stat § 501.171(2) Requirements for Data Security
  • FL Stat § 501.171(6) Notice by Vendors; Duties of Vendors
  • FL Stat § 501.171(8) Requirements for Disposal
  • FL Stat § 501.207 Consumer Protection – Remedies of enforcing authority