Florida Information Protection Act (FIPA) — What Small Businesses Get Wrong About the 30-Day Breach Clock

May 28, 2026 · 8 min read · Steve Condit — Founder, Simply IT

Most Florida small businesses know HIPAA. Many know FTC Safeguards. Almost none know the Florida Information Protection Act — FIPA. Which is a problem, because FIPA applies to any Florida business that holds personal information of a Florida resident, regardless of industry. The 30-day breach notification window is shorter than HIPAA’s 60 days. The Florida Attorney General can impose civil penalties of up to $500,000 for a single failure to notify. Business owners who knowingly delay can face personal liability.

And no, the Florida Digital Bill of Rights (FDBR) does not change this. FDBR is the Big-Tech privacy law — the $1 billion revenue threshold excludes virtually every small business in the state. FIPA is the law that actually applies to a Florida medical practice, CPA firm, law office, or contractor when personal information of Florida residents is involved in a breach. Here is what FIPA requires, the four things small businesses consistently get wrong, and the response runbook every Florida operator should have on file before an incident.

  • 30 days: FIPA notification window
  • $500K: maximum civil penalty per breach
  • $1,000: per-day delay penalty cap
  • 500: affected Florida residents triggers AG notice

What FIPA Actually Applies To

FIPA covers any “covered entity” — defined as any commercial entity or government agency that acquires, maintains, stores, or uses personal information. There is no minimum size, revenue, or industry. A two-person Ocala bookkeeping firm holding a single client’s SSN is covered. A 50-attorney Daytona Beach law firm with thousands of clients is covered. A construction subcontractor in The Villages with employee W-9 records is covered.

The relevant statute is Florida Statute § 501.171. The Florida Attorney General enforces. Civil penalties run up to $500,000 per breach, plus a per-day penalty of up to $1,000 for delays beyond 30 days. Business owners can face personal liability for knowingly failing to notify on time.

What Counts as “Personal Information” Under FIPA

FIPA’s definition is broader than the federal HIPAA Protected Health Information definition. A Florida resident’s first name or initial plus last name in combination with any one of the following triggers FIPA:

  • Social Security number
  • Driver’s license / Florida ID number / passport number / military ID
  • Financial account, credit card, or debit card number with any required access code, security code, or password
  • Health insurance policy / subscriber identification number
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment by a healthcare professional
  • User name or email address in combination with a password or security question and answer

Notably: the last element — email plus password — means a breach of an email-and-password file is a FIPA event even if no SSNs were touched. Many small businesses miss this.

The 30-Day Clock — When It Starts and What Stops It

The clock starts on determination of a breach, not on the date of compromise. “Determination” means knowing or reasonably believing that an unauthorized access has occurred. Florida courts and the AG have consistently treated this as an objective standard: the clock does not wait for the business to decide to call the incident a breach.

Two narrow grounds for delay:

  • Law enforcement request. A written request from law enforcement that notification would interfere with a criminal investigation can pause the clock. The pause continues only as long as law enforcement requests it. Document the request in writing.
  • Reasonable forensic investigation. The 30-day window allows time for a reasonable investigation to determine scope — what data was affected, which residents, whether there is any reason to believe identity theft is unlikely. The investigation must be documented and can’t be used to indefinitely extend the clock.

Importantly: a hurricane, business interruption, ransomware encryption, or any other operational chaos does not pause the FIPA clock. If a tropical storm takes out your office during the response window, you still owe the notification on the original timeline — from a temp office, a borrowed laptop, the manager’s home, wherever. See our Florida hurricane IT continuity plan for the hurricane-resilience side.

The Four Things Florida Small Businesses Consistently Get Wrong

01. Treating FIPA as a subset of HIPAA
It isn't. FIPA applies to non-medical industries (CPA firms, law firms, contractors, retail, etc.) that have no HIPAA exposure but still hold Florida residents' personal information. The deadlines are shorter than HIPAA's. A practice that complies with HIPAA's 60-day rule is already late by FIPA's 30-day rule.

02. Missing the AG notification threshold
If 500+ Florida residents are affected, the AG must be notified by the same 30-day deadline as the individuals. Many small businesses notify residents but forget the AG. The AG notice goes to FloridaAG.gov with specific required content: name, contact, type of PI involved, dates of unauthorized access, brief description of incident, services offered.

03. Failing to document the reasonable investigation
If your investigation took 18 of the 30 days and you cannot show what you actually investigated, the AG may treat it as a knowing delay. Document: who investigated, what systems they examined, what logs they pulled, what they found, when they concluded. The contemporaneous record is the only defense.

04. Not having a written incident response plan
FIPA requires reasonable security measures. The AG can ask to see your IR plan during an investigation. A practice that responds to a breach for the first time without a written plan is a practice whose response will look unreasonable in retrospect. Have a plan written before you need it.

"The single most damaging mistake we see is a practice that hides behind ‘we’re still investigating’ for three weeks, then notifies on day 31. That 24-hour delay can flip an AG response from supervisory to enforcement."
Steve Condit, Simply IT

The 30-Day FIPA Response Runbook

Day 0: Containment + clock start
Determine whether a breach has occurred. Isolate affected systems. Document the time of determination — this is when the 30-day clock starts. Notify legal counsel and cyber insurance carrier immediately.

Day 1–5: Forensic scoping
Engage qualified incident response. Identify exactly which personal information was accessed, copied, or exfiltrated. Count Florida residents affected. Determine whether the 500-resident AG threshold is crossed. Begin drafting notification language.

Day 10: Pre-notification compliance review
Counsel reviews draft notifications. Confirm IRS / FTC Safeguards / HIPAA parallel obligations if applicable (different deadlines may apply). Finalize content of resident notice and AG notice.

Day 15–20: Resident notification dispatch
Send written notification via mail or email to every affected Florida resident. Content must include the type of information involved, contact information for affected individuals, and any identity-protection services being offered (12 months of credit monitoring is standard for breaches involving SSNs).

Day 25: AG notification if 500+ affected
Submit FIPA notice to the Florida AG via the FloridaAG.gov breach reporting portal. Include the specific required fields. Keep timestamped confirmation of submission.

Day 30: Buffer + remediation start
Day 30 is the deadline, not the target. Aim to complete notifications by Day 25. Use the buffer for late-discovered affected individuals. Begin documented remediation: root-cause analysis, security improvements, employee training, IR plan update.

FIPA vs HIPAA vs FTC Safeguards — Which Trumps Which?

Short answer: none of them preempts the others. A Florida medical practice that suffers a breach involving PHI is subject to both the HIPAA Breach Notification Rule (60 days) and FIPA (30 days). The shorter deadline wins. A Florida CPA firm covered by FTC Safeguards also owes FIPA notification. A Florida law firm with no HIPAA exposure still owes FIPA notification when client SSNs are exposed.

For the federal sides, see our HIPAA cybersecurity guide for Florida medical practices and our FTC Safeguards Rule implementation guide for CPA firms. For law firms, see our Florida Bar Rule 4-1.6 cybersecurity guide. The cyber insurance side is covered in our cyber insurance 10-control checklist.

// Key Takeaway
FIPA applies to every Florida small business that holds personal information of Florida residents. The 30-day notification window is shorter than HIPAA’s 60-day window. The AG can impose up to $500,000 in civil penalties plus personal liability for knowing delays. Have a written incident response plan now. Know who’s on your forensic, legal, and PR call list before the day of the breach. The documented response is your defense.
// Written By
STEVE CONDIT
Founder & Owner, Simply IT · US Marine Veteran · 30+ Years IT Experience

Steve Condit founded Simply IT to bring enterprise-grade IT management to small and mid-sized businesses across North Central Florida. With over 30 years of IT experience and a background in the US Marine Corps, Steve built Simply IT around the principle that local businesses deserve the same quality of technology partnership that large companies take for granted — without long-term contracts or national call center support.
