State Data Breach Notification Policy
The lack of a federal Consumer Privacy Bill of Rights means states must pass their own policies to protect their residents from data breaches and mishandling of personal information. Florida's Information Protection Act is one of the most comprehensive data breach notification laws in the United States.
Exemplary Law: Florida Information Protection Act of 2014
In 2014, Florida enhanced the protections afforded to the personal data of Florida residents with the passage of the Florida Information Protection Act (FIPA). Florida's data breach law is exemplary as one of the most comprehensive data protection laws in the nation. Its strong provisions include:
- If a data breach incident compromises the personal information (including usernames/passwords for online accounts) of over 500 Florida residents, the breached company or entity must notify the Florida Department of Legal Affairs, as well as each affected or likely affected resident, within 30 days of discovering the breach. Florida's 30-day breach notification deadline is the strictest in the country.
- The breached company or entity is required to make certain materials available to the state government upon request, such as remedial procedures, incident reports, and computer forensic reports.
- The definition of "personal information" was expanded to include individuals' first name or first initial and last name, in combination with any one of the following: passport number; medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or health insurance policy number, subscriber identification number, or any unique identifier health insurers use to classify individuals. FIPA also includes in its definition of "personal information" a user name or email address coupled with a password or a security question and answer that would permit access to an online account.
- Mandated disposal standards for customer data that is no longer to be retained, to prevent unauthorized access after disposal.
- Proactive measures: a requirement for businesses and entities that collect customer data to "take reasonable measures to protect and secure data in electronic form containing personal information" on Florida residents.
What's Missing from Florida's Law?
While Florida's data breach law is quite comprehensive, it would be improved by requiring that companies implement certain baseline data security processes, rather than giving companies wide latitude to determine what constitutes reasonable security measures.
- EPIC: Big Data
- National Conference of State Legislatures (NCSL): Security Breach Notification Laws
- NCSL: 2015 Security Breach Legislation
- NCSL: Data Disposal Laws
- "What Makes Florida's New Data Breach Law Unique" (Law360)