Florida Privacy Laws

Breach Notification

Mandated Timeframe

Within 30 days

Fines & Penalties

Violations

$1,000 - $500,000 per day

REGULATION LEVELS

Breach Reporting Consumer Notifications
Vendor Management Vendor Contract Required
LEVEL DESCRIPTION
Minimal Basic Comprehensive Extensive
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Quick Facts

Florida Privacy Law Information

  • Definition of “Personal Information”

    Florida’s definition of “personal information” includes a user name or e-mail address in addition to a password or security question that would permit access to an online account.

  • Privacy Program Requirements

    Organizations and Vendors must take reasonable measures to protect and secure personal information in their possession. Disposal of personal information must involve shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable. Organizations must contract with Vendors to whom the Organization discloses personal information. Organizations and Vendors must have measures in place for the secure disposal of records containing personal information when the records no longer need to be retained.

  • Consumer Notification Requirements

    Individuals must be notified based on the breach notification laws of the jurisdiction where they reside.  

  • Vendor Requirements

    Vendors must provide organizations with all necessary information regarding a breach.  In addition, they must notify organizations within 10 days after discovery of a breach or suspected breach.

  • Breach Reporting

    The Vendor may provide consumer notification and/or regulatory reporting on behalf of the Organization. However, any failure of the Vendor to provide proper consumer notification and/or regulatory reporting is a violation against the Organization. Reporting to the Department of Legal Affairs within the Attorney General’s office must be done if the breach involves over 500 Florida residents. If an Organization discovers circumstances requiring notice of more than 1,000 individuals at a single time, all consumer reporting agencies that compile and maintain files on those affected consumers must be notified of the incident.

  • Industry Specific

    The DNA Privacy Act requires that a person from whom DNA is extracted give “express consent” for a specified use of their genetic information, and the DNA is the “exclusive property” of the person from whom it is extracted to control. Violation of the Act may constitute a felony violation for unlawful use if a business does not obtain express consent for a specified use of the genetic information.

  • Fines & Penalties

    Organizations may be fined or penalized for Vendor violations. The Department of Legal Affairs within the Office of the Attorney General can fine or penalize an Organization or Vendor for a violation of Florida Statute § 501.171. Violations will be treated as an unfair and deceptive trade practice.

Florida

Statutes and Laws

FL STAT § 282.318

Information Technology Security Act

FL STAT § 322.143

Use of a Driver’s License or ID Identification Card

FL STAT § 408.051

Florida Electronic Health Records Exchange Act

FL STAT § 501.171

Security of Confidential Personal Information

FL STAT § 501.171(1)(H)

Definitions    

FL STAT § 501.171(2)

Requirements for Data Security

FL STAT § 501.171(6)

Notice by Vendors; Duties of Vendors

FL STAT § 501.171(8)

Requirements for Disposal of Personal Information

FL STAT § 501.207

Consumer Protection – Remedies of enforcing authority

FL STAT § 627.4301

Insurance rates and contracts – genetic information for insurance purposes

FL STAT § 760.40

Protecting DNA privacy act; discrimination in the treatment of persons – genetic testing; definitions; express consent required; confidentiality; notice of use of results.

FL STAT § 817.5655

Fraudulent practices – unlawful use of DNA; penalties; exceptions.