HB 279

A bill to be entitled
An act relating to data destruction; providing
definitions; requiring all public agencies and private
entities that collect personal information to adhere to
the procedures provided in the National Institute of
Standards and Technology's "Guidelines for Media
Sanitization" when destroying such information; requiring
such agencies and entities to maintain a copy of the
guidelines; requiring all state agencies to submit a
sampling of sanitized media to a third-party vendor for
verification of data destruction; requiring the Department
of Management Services to adopt rules; providing an
effective date.

Be It Enacted by the Legislature of the State of Florida:

     Section 1.  Media sanitization.--
     (1)  As used in this section, the term:
     (a)  "Media" means:
     1.  Hard copy information, which is the physical
representation of information, including, but not limited to,
paper printouts, printer and facsimile ribbons, drums, and
platens; and
     2.  Electronic information, which is the bits and bytes
contained in hard drives, random-access memory, read-only
memory, optical disc storage media, memory devices, telephones,
mobile computing devices, networking equipment, and other types
of information storage equipment.
     (b)  "Sanitization" means the process of removing data from
media in a manner that prevents the retrieval or reconstruction
of the data.
     (c)  "Sanitized" means having undergone the process of
sanitization described in paragraph (b).
     (2)  All agencies, as defined in s. 119.011, Florida
Statutes, and all private corporations, business trusts,
partnerships, limited liability companies, associations, joint
ventures, estates, trusts, or any other legal or commercial
entities, for profit or not for profit, located in or doing
business in this state, which collect any information that is
deemed secret, private, personal, or confidential in nature;
contains identifying information, including names, personal or
business addresses, social security numbers, credit or debit
card numbers, bank account numbers, telephone numbers, or
photographs that are recorded on media; and is subject to
sanitization or meets the criteria for destruction as set forth
in the "Guidelines for Media Sanitization: Recommendation of the
National Institute of Standards and Technology," NIST Special
Publication 800-88, must use the purge or physical destruction
techniques for media destruction described in that document.
     (3)  All state agencies and private entities subject to
subsection (2) must keep a copy of the Guidelines for Media
Sanitization available for use. An electronic copy of the
document must be kept on the computer desktop of the chief
information officer, security officer, records management
officer, or other person responsible for the sanitization of the
personal or private data at the agency or entity.
     (4)  All state agencies must submit a sampling of sanitized
electronic media to a third-party vendor that has no stake in
the sanitization process or conflict of interest for
verification of data destruction. The Department of Management
Services shall adopt by rule criteria for the selection of
third-party vendors to be used to verify data destruction and
procedures for the submission and return of samples of sanitized
electronic media.
     Section 2.  This act shall take effect July 1, 2010.


CODING: Words stricken are deletions; words underlined are additions.