When a company experiences a data breach involving your personal information, it does not have unlimited discretion in how—or whether—it tells you. Both federal expectations and Florida law require businesses to provide notice when certain types of data are exposed.
That said, not every breach triggers the same obligations. The scope of the incident, the type of information involved, and the risk of harm all affect what must be disclosed and when. Understanding those distinctions helps you evaluate whether a company responded appropriately.
When Is a Company Required to Notify You of a Data Breach?
In Florida, companies must notify individuals when a breach involves personal information and creates a risk of identity theft or financial harm.
This requirement comes from the Florida Information Protection Act (FIPA), which governs how businesses handle and report data breaches affecting Florida residents.
Not every security incident qualifies. For example:
- A breach involving encrypted data may not require notice if the encryption key was not compromised
- Internal access without evidence of misuse may not meet the legal threshold
- Incidents involving non-sensitive data may fall outside notification rules
The key question is whether the breach involves protected information and presents a meaningful risk.
What Information Must Be Included in a Breach Notification?
When notice is required, companies must provide specific information so you can understand what happened and what it means for you.
Under Florida law, a notification typically must include:
- The date or estimated date of the breach
- A description of the incident
- The types of personal information involved
- Steps the company is taking to address the breach
- Guidance on what you can do to protect yourself
The goal is not to provide a technical explanation. It is to give you enough detail to assess your risk and take action if needed.
Some notices are more detailed than others. The law sets a baseline, not a uniform script.
How Quickly Must Companies Notify You?
Timing is a central part of compliance.
Under the FIPA, companies must provide notice within 30 days of determining that a breach has occurred.
There are exceptions:
- Law enforcement may request a delay if notification would interfere with an investigation
- Additional time may be allowed if the company demonstrates good cause
Still, the expectation is that companies act promptly once a breach is confirmed. Delayed or unclear communication can raise questions about whether the response met legal standards.
What Is “Personal Information” in Florida?
Not all data is treated the same under breach notification laws.
In Florida, “personal information” generally includes a person’s name in combination with sensitive data such as:
- Social Security numbers
- Driver’s license or state ID numbers
- Financial account numbers with access credentials
- Health or medical information
- Insurance policy details
If this type of information is exposed, notification obligations are more likely to apply.
By contrast, basic contact information alone may not trigger the same requirements.
Does a Breach Automatically Mean You Have a Legal Claim?
Not necessarily.
A data breach can be serious without giving rise to a viable legal claim. Several factors typically determine whether legal action is appropriate:
- Whether the company failed to use reasonable security measures
- Whether required notifications were delayed or incomplete
- Whether you suffered actual harm, such as identity theft or financial loss
- Whether your information was misused after the breach
In some situations, a company may respond quickly, provide proper notice, and offer mitigation steps. In others, the response may fall short. The distinction matters.
What Should You Do After Receiving a Breach Notification?
A breach notice is not just informational. It is an opportunity to act.
Depending on the situation, that may include:
- Reviewing the notice carefully to understand what data was involved
- Monitoring financial accounts and credit activity
- Placing a fraud alert or credit freeze if appropriate
- Keeping records of the notice and any related issues
Not every breach leads to identity theft, but the risk is not theoretical. Some situations support legal claims. Others do not. If you are evaluating your options after receiving a breach notice in Florida, Lehrman Law can help you determine whether the company’s response met legal requirements and whether your situation supports a claim.