January 18, 2022

Volume XII, Number 18


January 15, 2022

Subscribe to Latest Legal News and Analysis

Florida’s Strict New Data Breach Notification Law Takes Effect

The new law sets up one of the most robust data protection regimes in the United States and is relevant to any business that collects personal information nationwide.

Florida Governor Rick Scott signed into law a new data breach notification statute on June 20, Florida Statutes section 501.171, called the Florida Information Protection Act of 2014 (FIPA). FIPA took effect on July 1 and replaced Florida’s existing data breach notification statute, Florida Statutes section 817.5681. FIPA significantly expands the definitions of what constitutes personal information and a data breach, introduces a shortened deadline for providing notice to affected Florida residents, and creates unique document disclosure requirements.

Key Provisions of FIPA

  • The definition of a “breach” has been expanded from an “unlawful and unauthorized acquisition” of personal information to the “unauthorized access” of personal information. As such, Florida has become one of a few states where mere access to personal information without authorization, as opposed to actual theft, can trigger the breach notification requirement; however, notice to affected individuals will not be required if, after appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the affected company determines that the breach is unlikely to cause identity theft or other financial harm.

  • The deadline to provide notice to individuals affected by a data breach has been shortened to 30 days. This 30-day deadline is now the shortest such deadline among all similar existing state breach notification statutes. A 15-day extension of the 30-day deadline may be obtained from the Florida Department of Legal Affairs (the Department) upon a showing of good cause. Also, as with the old statute, the notice may be delayed at the request of law enforcement so it will not interfere with a criminal investigation. If an affected company determines that identity theft or other financial harm is unlikely, notice of such determination must be made to the Department within 30 days.

  • The definition of “personal information” has been expanded to include not only a name in combination with a Social Security number, driver’s license number, financial account number, credit or debit card number, or similar identification number, but also to include the following new elements: (1) a username or email address in combination with a password or security question with an answer that would permit access to online accounts and (2) a name in combination with a passport number, health insurance policy number, or other health information or conditions. (Encrypted information is expressly excluded from this definition.)

  • In the case of a breach that affects more than 500 Florida residents, notice of the breach must be provided to the Department within 30 days. A 15-day extension of the 30-day deadline may be obtained upon a showing of good cause. Also, in connection with such a breach, there is a unique requirement to provide documentation related to the breach to the Department on request, including copies of any police reports, incident reports, forensic reports, internal policies regarding data breaches, and information about the specific steps that have been taken to rectify the breach. (Another Florida statute, SB 1526, was simultaneously enacted on June 20 and will, subject to certain exceptions, afford confidential treatment under Florida’s public records law to such documents provided to the Department.) This is another reason to have appropriate data protection plans in place before a potential breach occurs.

  • There is a general requirement to take “reasonable measures” to protect and secure personal information and to dispose of records (whether in paper or in electronic form) containing personal information once the records are “no longer to be retained.”

  • Third-party agents that maintain systems containing personal information are required to notify the relevant data owners of a data breach within 10 days. If notice of a breach is sent to more than 1,000 Florida residents, consumer credit reporting agencies must also be notified of the breach.

  • Like the old Florida statute, FIPA treats violations as unfair or deceptive trade practices under Florida law and sets forth civil penalties up to $500,000. However, there is no private right of action under FIPA.


Companies that collect personal information about Florida residents may need to update their data breach policies and procedures to ensure compliance with FIPA. If unauthorized access to personal information of Florida residents occurs, companies must quickly determine (in consultation with authorities) whether identity theft or other financial harm is likely to occur, as various legal obligations may need to be addressed within 30 days. 

Copyright © 2022 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume IV, Number 189

About this Author

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Barbara Melby, Morgan Lewis, data privacy and cybersecurity lawyer

Barbara Melby has been active in the outsourcing and technology transaction legal market for the last 25 years. As leader of the firm’s technology, outsourcing & commercial transactions practice, she represents clients in such complex transactions as outsourcing, strategic alliances, technology and data-related agreements, and other services transactions. She also advises businesses on privacy and security issues that arise in transactions involving sensitive data and technologies.

W. Reece Hirsch, Morgan Lewis, Regulatory Attorney

W. Reece Hirsch counsels clients on healthcare regulatory and transactional matters and co-heads the firm’s privacy and cybersecurity practice. Representing healthcare organizations such as hospitals, health plans, insurers, physician organizations, healthcare information technology companies, and pharmaceutical and biotech companies, Reece advises clients on issues such as privacy, fraud and abuse, and self-referral issues. This includes healthcare-specific data privacy and security matters, such as compliance with the Health Insurance Portability and Accountability Act...

Ron Dreben, intellectual property lawyer, Morgan Lewis

Ron N. Dreben advises clients on intellectual property and technology issues in business transactions. He provides advice in connection with mergers, acquisitions, and licensing arrangements, as well as trademark, copyright, trade secret, and related IP law. A Certified Information Privacy Professional (CIPP), Ron helps companies address privacy issues and respond to security breaches and advises US companies on the relevance of the EU Data Directive. Ron has experience negotiating with most of the leading technology product and service vendors.

Joseph Washington, Morgan Lewis, Intellectual property lawyer
Senior Attorney

Joseph E. Washington guides clients through the intellectual property matters they face in today’s global, connected environment, including prosecution, licensing, and litigation. These include disputes regarding trademarks, domain names, copyrights, unfair competition, and Internet and computer law. Clients involved with corporate transactions turn to him for guidance on the IP aspects of their deals, including trademark, copyright, and software licenses and related agreements, as well as privacy issues and data protection.

Joseph also counsels...