Search form

New Florida Data Security and Breach Law Effective July 1

  • June 26, 2014

Businesses that maintain individuals’ confidential, personal information may need to be more alert in protecting this data under the Florida Information Protection Act of 2014, signed into law by Governor Rick Scott. 

The new law, which some have called one of the broadest and most encompassing data security breach laws in the nation, imposes on covered entities a statutory requirement to safeguard Floridians’ personal information, to report a breach to the state attorney general, and to comply with other affirmative obligations. The new law becomes effective July 1, 2014; the previous statute (Section 817.5681, Florida Statutes) is repealed. 

Key provisions of the new law state:

  • A “covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.
  • “Personal information” means an individual’s first name or initial and last name, in combination with (i) a social security number, (ii) drivers’ license or identification card number, or (iii) account number, credit or debit card number in combination with any required security code or password to access the account OR an individual’s user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
  • Covered entities must safeguard the personal information they maintain. Other states with this requirement include California, Connecticut, Maryland, Massachusetts, and Oregon. 
  • An individual affected by a breach must be notified as expeditiously as possible, but no later than 30 days from discovery of the breach when the individual’s personal information was, or the covered entity reasonably believes it was, accessed as a result of a breach.
  • If the breach affects at least 500 Floridians, the state’s Attorney General must be notified no later than 30 days after determination that a breach has occurred or reason to believe one had occurred. In addition, the attorney general may require covered entities to provide copies of their policies regarding breaches, steps taken to rectify the breach, and a police report, incident report, or computer forensics report.

On the passage of the law by the state Senate, current Attorney General Pam Bondi promised greater enforcement of the data breach law. 

Businesses in Florida (and possibly those outside the Sunshine State) that maintain personal information about Florida residents should take steps to be sure they have reasonable policies and procedures in writing to safeguard such information.  

Jackson Lewis attorneys are available to answer questions about employers’ compliance obligations. Please contact a member of our Privacy, Data and Cybersecurity practice or the Jackson Lewis attorney with whom you regularly work.

©2014 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Focused on labor and employment law since 1958, Jackson Lewis P.C.'s 950+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged, stable and diverse, and share our clients' goals to emphasize inclusivity and respect for the contribution of every employee. For more information, visit