Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

FLORIDA DATA PRIVACY REGULATIONS

Did You Know?

 
  • Comprehensive provisions for notifications and 30-day deadline;
  • Limited methods of notification delivery;
  • Report to FL Dept. of Legal Affairs (within 30 days) and consumer reporting agencies;
  • Data owners AND third-party agents are responsible for breach reporting and notifications;
  • Noncompliance constitutes unfair trade practice. Penalties up to $500,000;
  • Laws also cover data protection, data disposal, and record retention.

Who Me?

 

Florida breach and notification laws may apply if you:

  • Are a covered entity that conducts business in Florida and owns, licenses, or maintains computerized data that includes personal information;
  • Maintain PII received from a FL Data Owner.

There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?

 

PII relevant to a breach in Florida includes a person's name plus one of the following:

  • Social Security Number;
  • Driver license or identification number;
  • Account number or credit or debit card number in combination with any security code, access code or password, etc. permitting access to the person's account;
  • Medical history, mental or physical condition, or medical treatment or diagnosis;
  • Health insurance policy number and unique identifier used by a health insurer.

LAWS

APPLICABLE LAW

A few of these laws include, but are not limited to:

Title XXXIII - Regulation Of Trade, Commerce, Investments, And Solicitations / Chapter 501 / Part 1 / 501.171 - Security of confidential personal information;

Title XXXIII - Regulation Of Trade, Commerce, Investments, And Solicitations / Chapter 501 / 501.207 - Remedies Of Enforcing Authority.

RELATED LAWS

A few of these laws include, but are not limited to:

Title XXXIII - Regulation Of Trade, Commerce, Investments, And Solicitations / Chapter 501 / Part 1 / 501.171 / Section 8 - Requirements For Disposal of Customer Records;

Title XIX - Public Business / Chapter 282 - Communications And Data Processing / Parts I, II, III.

PENALTIES

COMPLIANCE PENALTIES

The attorney general can bring a civil action, including a temporary restraining order, a preliminary or permanent injunction, and civil penalties as follows:

  • The combination of personal information breached;
  • For each day the business fails to comply: up to $1,000 per day;
  • For each day the business fails to comply over 60 days: $5,000 per day;
  • For each day the business fails to comply over 90 days: $10,000 per day.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when assessing reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized/digital;
  • If the data was encrypted, secured or modified; and
  • If the breach will result in identity theft or any other financial harm.

If a decision is made that determines the breach will not result in identity theft or financial harm, the decision must be documented in writing and maintained for five years. The determination must be sent to the Florida Department of Legal Affairs within 30 days.

TIME LIMITS

A third party has a maximum of 10 days to report a breach to the FL data owner. The notification may be delayed if law enforcement advises the covered entity, in writing, that it will interfere with an investigation for a specific period; otherwise it must be made in the most expedient manner possible and without unreasonable delay, but no later than 30 days. Notification may be required to FL Dept. of Legal Affairs within 30 days. A 15-day extension is available with stipulations.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Notification may be required to the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies. There are specific instructions on what should be included.

Disclosure may only be made by written notice, telephone or electronically, with stipulations. A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $250,000, the number of persons to be notified exceeds 500,000, or there is not sufficient contact information.
