Florida - municipal breach notification
Florida Information Protection Act (FIPA) is one of the tightest US clocks at 30 days.
- 30 days to affected residents; AG notification if >500 affected.
- Police-report exception allows extension only with documented law-enforcement request.
- Risk-of-harm assessment must be in writing and retained for five years.
What this means for a Florida municipality
Small and mid-sized municipalities in Florida sit at the intersection of federal frameworks (CIRCIA, HIPAA where EMS or public-health clinics are in scope, CJIS for police records) and the state breach-notification statute enforced by the Florida Dept. of Legal Affairs (AG). The clock starts when your team has a reasonable belief that resident PII was acquired by an unauthorized party - not when the investigation finishes.
For a town under 100,000 residents, the practical question is rarely "do we have to notify?" - it's "what's the cleanest path that satisfies Florida Dept. of Legal Affairs (AG), our cyber-insurance carrier, and our open-meeting obligations, in that order." The HackFirstAid triage walks through that decision tree; the matching playbooks include first-hour scripts that have already been screened against Florida's statute.
If you're a Florida clerk, CAO, IT director, or council member reading this during a live incident, open the free triage first. If you're reading it on a quiet Tuesday, it's also a tabletop exercise - most municipalities run it once before they need it, then once for real, six months later.
Tax, permits, utility billing, and court scheduling encrypted on the same morning.
Fraudulent wire instructions on a vendor payment or payroll change.
Vital records, property assessments, or business licenses exposed or altered.