Florida has enacted a new data breach notification law (S. 1524) that adds significant new requirements for companies that suffer breaches. Among other things, the law expands the definition of "personal information" to include medical and health insurance data and information that permits access to a person's online account. It also shortens the period in which notification must be made to 30 days (from 45) and requires that the Department of Legal Affairs be notified whenever a breach affects 500 or more Florida residents. Moreover, the new law requires businesses to "take reasonable measures" to protect personal information in electronic form. The law explicitly says that it does not establish a private right of action. However, like the old law, it provides for substantial penalties – up to $500,000 for failure to make the requisite notifications in a timely and proper way. The new law took effect on July 1, 2014.