Effective July 1, the Florida Information Protection Act (FIPA) replaced Florida’s existing breach notification statute. While the previous law imposed requirements only on companies that conducted business in Florida, the new law applies to any company experiencing a data breach that affects a Florida citizen and applies even when a third-party agent has experienced a breach. FIPA also imposes stricter requirements on businesses that experience data breaches. Upon discovering a breach that creates a greater risk of identity theft or financial harm, a company must notify affected individuals within 30 days (compared to 45 days previously). Companies may seek a 15-day extension on this requirement for good cause. A company must also notify the Florida Legal Affairs Department, whether or not the breach creates an increased risk of identity theft or financial harm. Breaches affecting a larger number of people trigger additional requirements. While the statute explicitly excludes a private cause of action, it imposes penalties starting at $1,000 per day and up to a maximum of $500,000.