top of page

Florida Statutes § 501.171

Enacted:  7.1.2014

Type of Data Covered: Computerized or electronic data. 

Is Breach Defined?

Florida defines a breach under § 501.171(1)(a) as "unauthorized access of data in electronic form containing personal information."

When is notice required?

Florida has a multi-pronged notice requirement in their statute. Notice may be required to the Department of Legal Affairs, each resident, and credit reporting agencies (breaches affecting over 1,000 residents). While the increased reporting requirements are an improvement from other statutes, Florida also specifically exempts portions of the notice requirements from public record requests. There is certainly good cause for this exemption, like protecting proprietary business information, but it could be an a hinderance to transparency.

  • Notice to Department of Legal Affairs

    • Breaches affecting 500 or more residents​

    • Required as soon as possible, but not later than 30 days after discovery unless a good faith reason is given for delay prior to the expiration of the 30 day window, in which a 15 day grace period is added.

    • Written notice must include synopsis of the breach, number of residents affected, services being offered as a result of the breach, a copy of the notice to residents, and contact information for the company.

  • Notice to individual residents

    • All residents affected​

    • Required as soon as possible, but not later than 30 days after discovery unless there is a law enforcement delay or there is not a reasonable belief that identity theft or financial harm would be caused to residents.

    • Notice may be written or electronic and must include when the breach occurred, a description of the information that was compromised, and information the resident may use to contact the company about the breach.

What are the penalties for non-compliance?

The Department of Legal Affairs has enforcement authority and violations are treated as unfair or deceptive trade practices in any action brought by the department. There is no private cause of action but there are additional statutory damages up to $500,000, depending on the circumstances. All penalties are deposited into the General Revenue Fund for Florida. 

bottom of page