Cybersecurity Attorneys Explain Florida’s Data Breach Notification Rules

Dinsmore cybersecurity attorneys Craig Horbus and Fuxing (Amber) Sai* have authored a Privacy Impact Assessment (PIA) Guidance Note for Florida in collaboration with OneTrust DataGuidance. The note is designed to help legal and compliance professionals understand and manage data breach notification requirements across jurisdictions. Their work contributes to DataGuidance's broader initiative to deliver jurisdiction-specific insights that simplify complex regulatory frameworks.

The Note offers a clear, structured explanation of breach notification obligations, including:

• When organizations are required to notify authorities or affected individuals-typically when there's a risk or high risk to individuals' rights and freedoms.
• What details must be included in the notification, such as the nature of the breach, number of individuals affected and mitigation steps.
• Who must be notified, whether it's a supervisory authority, impacted individuals or both.
• How quickly notification must occur, often within 72 hours of becoming aware of the breach.

In an excerpt from the article, Craig and Amber write, "Organizations must assess whether a breach triggers notification obligations under applicable law, considering factors such as the sensitivity of the data, the number of individuals affected, and the potential harm…

Where a controller becomes aware of a personal data breach which may result in any risk to the rights and freedoms of data subjects, they must make a notification to the DPC 'without undue delay'; where feasible, not later than 72 hours after the breach."

Read the entire Florida - Privacy Impact Assessment (PIA) Guidance Note on OneTrust's website here.

*Fuxing (Amber) Sai contributed to this article, but is not currently licensed to practice law in Florida.