Mandated Timeframe for Breach Reporting and/or Consumer Notification
Within 30 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach and notification laws from $1,000 up to $500,000
Third Party Management
None to minimal
Reporting must be done if the breach involves 500 residents or more.
Florida has a rather extensive definition of “personal information”, which includes a user name or e-mail address in addition to a password or security question that would permit access to an online account.
If an entity discovers circumstances requiring notice of more than 1,000 individuals at a single time, all consumer reporting agencies that compile and maintain files on those affected consumers must be notified of the incident.
Vendors are held to the same data protection requirements as data owners and must report a breach to the data owner within 10 days of discovery.
Reporting to the consumer reporting agencies may be required with specific information.
Specific requirements apply to driver’s licences and the personal information conveyed through “swiping” the ID card.
Specific health information requirements may be applicable.
If a vendor is breached, they report it to the data owner. The data owner is still required to cooperate.
If the breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
FL Stat § 282.318 Information Technology Security Act (2016)
FL Stat § 322.143 Use of a driver license or identification card (2014)
FL Stat § 408.051 Florida Electronic Health Records Exchange Act (2013)
FL Stat § 501.171 Security of confidential personal information (2014)