# Florida Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Florida's data breach notification law is one of the strictest in the country. The state imposes a hard 30-day notification deadline, escalating financial penalties, and an unusually broad definition of personal information that covers geolocation data and biometric identifiers.
The law is formally known as the Florida Information Protection Act (FIPA), codified at Fla. Stat. § 501.171. It took effect on July 1, 2014, replacing Florida's earlier breach notification statute. The legislature has amended it multiple times since, most recently through Chapter 2023-201, which expanded the definition of personal information to include geolocation data and biometric data.
For the full picture of Florida's privacy framework, including the Florida Digital Bill of Rights, see the parent guide to [Florida Data Privacy Laws](/us-laws/data-privacy-laws/florida-data-privacy-laws).
## What Qualifies as a Breach
Under FIPA, a "breach of security" means unauthorized access of data in electronic form containing personal information. The law applies specifically to electronic records, not paper files (though separate disposal requirements apply to physical records).
The statute includes a good-faith exception. If an employee or agent of a covered entity accesses personal information for a legitimate business purpose and does not use the data improperly or share it with unauthorized parties, that access does not count as a reportable breach.
## Protected Personal Information

Florida defines personal information in two categories.
### Category 1: Name Plus Data Element
An individual's first name or first initial and last name combined with any of the following:
- Social Security number
- Driver's license or state identification card number
- Passport number or military identification number
- Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the account
- Medical history, mental health treatment information, or related records
- Health insurance policy number or subscriber identification number combined with a unique identifier used by an insurer
- Biometric data (fingerprints, DNA, retina scans, and similar biological or physiological identifiers)
- Geolocation information
### Category 2: Online Credentials
A username or email address combined with a password or security question and answer that would permit access to an online account. This category does not require a name to trigger notification.
### What Does Not Count
The law excludes two categories from the definition of personal information:
- Information that has been made publicly available by a federal, state, or local government entity
- Data that is encrypted, secured, or modified by any method or technology that removes personally identifying elements or renders the information unusable
This encryption exclusion serves as FIPA's safe harbor. If your organization properly encrypts personal data and that encrypted data is breached, notification is not required. "Properly" matters here: the exclusion applies to data the method actually renders unusable, so encrypted records whose decryption key was exposed in the same incident do not qualify.
## The 30-Day Notification Timeline

Florida's notification clock starts when a covered entity determines that a breach has occurred or has reason to believe one occurred.
From that point, the entity must notify affected individuals as expeditiously as practicable, but no later than 30 days after the determination.
A covered entity may receive an additional 15 days if it provides good cause for the delay in writing to the Florida Department of Legal Affairs within the original 30-day window. This makes the absolute maximum notification deadline 45 days.
### Third-Party Agent Timeline
If a third-party agent (a vendor, contractor, or service provider) maintains personal information on behalf of a covered entity and that agent discovers a breach, the agent must notify the covered entity within 10 days.
The covered entity then has 30 days from receiving that notice to notify affected individuals. The third-party agent is responsible for providing the information the entity needs to comply with notification requirements.
### Law Enforcement Delay
Law enforcement can request a delay in individual notification if early disclosure would impede a criminal investigation. The request must be in writing and specify a delay period. Once that period expires, the regular notification timeline applies.
## Who Must Be Notified
### Affected Individuals
Every Florida resident whose unencrypted personal information was accessed in the breach must receive direct notice. The notice must include:
- The date, estimated date, or date range of the breach
- A description of the personal information that was accessed or reasonably believed to have been accessed
- Contact information the individual can use to get additional details
### Florida Department of Legal Affairs
Breaches affecting 500 or more Florida residents require notification to the Florida Department of Legal Affairs (the Attorney General's office) within 30 days. The written notice must include:
- A synopsis of the events surrounding the breach at the time notification is provided
- The number of individuals in Florida who were or may have been affected
- Any services being offered without charge to affected individuals (such as credit monitoring) along with instructions on how to use those services
- A copy of the notice sent to individuals
- Contact information for the entity providing the notice
### Consumer Reporting Agencies
When a breach results in notification to more than 1,000 individuals at one time, the covered entity must also notify all nationwide consumer reporting agencies. This notice must cover the timing, distribution, and content of the individual notifications.
## Notification Methods
FIPA allows covered entities to provide notice through:
- Written notice sent by mail to the individual's last known address
- Email notice if the entity has the individual's email address on file
### Substitute Notice
A covered entity may use substitute notice if it demonstrates that one of the following conditions exists:
- The cost of direct notification would exceed $250,000
- The affected group exceeds 500,000 individuals
- The entity does not have sufficient contact information to provide direct notice
Substitute notice requires all three of the following steps:
- A conspicuous notice on the entity's website
- Notification in print media serving the relevant geographic area
- Notification in broadcast media (television or radio) serving the relevant geographic area
## Exception to Individual Notification
A covered entity may avoid individual notification if, after conducting an appropriate investigation and consulting with relevant federal, state, or local law enforcement agencies, it reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to affected individuals.
This determination must be documented in writing and maintained for at least five years. The entity must also provide this written determination to the Department of Legal Affairs within 30 days of the breach determination.
This is not a blanket exemption. The investigation must be genuine, the law enforcement consultation must be documented, and the conclusion must be defensible.
## Penalty Structure

FIPA's civil penalty framework escalates based on how long a covered entity fails to comply with notification requirements:
| Period | Penalty |
|---|---|
| Days 1 through 30 after violation | $1,000 per day |
| Days 31 through 60 | $50,000 for the 30-day period |
| Days 61 through 90 | $50,000 for the 30-day period |
| Days 91 through 120 | $50,000 for the 30-day period |
| Days 121 through 150 | $50,000 for the 30-day period |
| Days 151 through 180 | $50,000 for the 30-day period |
| Beyond 180 days | Capped at $500,000 total |
The maximum penalty is $500,000 per breach. Penalties are calculated per breach, not per affected individual.
Violations of FIPA are also treated as unfair or deceptive trade practices under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), which gives the Attorney General additional enforcement tools.
### No Private Right of Action
FIPA does not allow individuals to file lawsuits directly against businesses for failing to provide breach notification. Enforcement authority rests exclusively with the Florida Attorney General through the Department of Legal Affairs.
Consumers who believe a business failed to provide required notification can file complaints through the Florida Attorney General's consumer protection portal or contact the Department of Agriculture and Consumer Services.
## FIPA and the Florida Digital Bill of Rights
Florida now has two separate but complementary privacy frameworks. FIPA (§ 501.171) governs data breach notification. The Florida Digital Bill of Rights (FDBR), enacted in 2023, addresses broader data privacy rights including the right to delete personal data and opt out of data processing.
The two laws have different scopes. FIPA applies to all commercial entities and governmental bodies that handle personal information. The FDBR applies only to businesses that meet specific revenue and data processing thresholds.
A data breach could trigger obligations under both statutes. FIPA would require notification, while the FDBR could require the entity to address the breach's impact on consumer data rights.
## Disposal of Records
FIPA requires covered entities to dispose of customer records containing personal information by shredding, erasing, or otherwise modifying the data to make it unreadable or undecipherable through any means. This requirement applies to both electronic and physical records.
Failure to properly dispose of records is a separate violation that can trigger penalties under the same enforcement framework.
## Steps to Take After a Breach in Florida
If your organization discovers a potential breach involving Florida residents, follow this sequence:
1. Investigate immediately. Determine whether unauthorized access of electronic personal information occurred.
2. Check encryption status. If all compromised data was properly encrypted or de-identified, the safe harbor may apply and notification may not be required.
3. Assess harm potential. If you believe the breach will not result in identity theft or financial harm, document that conclusion and consult with law enforcement before relying on the notification exception.
4. Notify individuals within 30 days. Provide the required details about the breach scope and contact information.
5. Request an extension if needed. Submit a written good-cause explanation to the Department of Legal Affairs before the 30-day deadline expires.
6. Notify the Department of Legal Affairs. If 500 or more Florida residents are affected, submit the required written report within 30 days.
7. Notify consumer reporting agencies. If more than 1,000 individuals are notified, inform the three largest nationwide consumer reporting agencies.
## More Florida Laws
- Florida Recording Laws
- Florida Data Privacy Laws
- Florida Whistleblower Laws
This article provides general legal information about Florida's data breach notification requirements under Fla. Stat. § 501.171. It is not legal advice. Consult a qualified attorney licensed in Florida for guidance on specific breach notification obligations.
## Sources and References
- Florida Statute § 501.171 - Security of Confidential Personal Information (leg.state.fl.us)
- Florida Senate - Chapter 501 Section 171 (2024) (flsenate.gov)
- Florida Digital Bill of Rights (SB 262 Enrolled Text) (flsenate.gov)
- My Florida Legal - Data Security Consumer Protection (myfloridalegal.com)
- Florida Deceptive and Unfair Trade Practices Act - § 501.204 (leg.state.fl.us)
- Florida Bar Journal - Breach Notice Obligations Under FIPA (floridabar.org)