Chapter 282 - 2008 Florida Statutes

Home > Laws > 2008 Florida Statutes > Title XIX > Chapter 282

Quick Links

General Laws Conversion Table (2023) [PDF]
Florida Statutes Definitions Index (2023) [PDF]
Table of Section Changes (2023) [PDF]
Preface to the Florida Statutes (2023) [PDF]
Table Tracing Session Laws to Florida Statutes (2023) [PDF]
Index to Special and Local Laws (1971-2023) [PDF]
Index to Special and Local Laws (1845-1970) [PDF]
Statute Search Tips

2008 Florida Statutes

Title XIX PUBLIC BUSINESS

Chapter 282
COMMUNICATIONS AND DATA PROCESSING

Chapter 282, Florida Statutes 2008

CHAPTER 282

COMMUNICATIONS AND DATA PROCESSING

PART I

INFORMATION TECHNOLOGY RESOURCES MANAGEMENT (ss. 282.003-282.33)

PART II

COMMERCE PROTECTION (ss. 282.5001-282.5008)

PART III

ACCESSIBILITY OF INFORMATION AND TECHNOLOGY
(ss. 282.601-282.606)

PART I

INFORMATION TECHNOLOGY
RESOURCES MANAGEMENT

282.003 Short title.

282.0041 Definitions.

282.0055 Assignment of information technology.

282.0056 Development of work plan; development of implementation plans; and policy recommendations.

282.102 Powers and duties.

282.103 SUNCOM Network; exemptions from the required use.

282.104 Use of state SUNCOM Network by municipalities.

282.105 Use of state SUNCOM Network by nonprofit corporations.

282.106 Use of SUNCOM Network by libraries.

282.107 SUNCOM Network; criteria for usage.

282.109 Emergency assumption of control.

282.1095 State agency law enforcement radio system and interoperability network.

282.111 Statewide system of regional law enforcement communications.

282.201 State data center system; agency duties and limitations.

282.203 Primary data centers.

282.204 Northwood Shared Resource Center.

282.205 Southwood Shared Resource Center.

282.21 The State Technology Office's electronic access services.

282.22 State Technology Office; production, dissemination, and ownership of materials and products.

282.3055 Agency chief information officer; appointment; duties.

282.315 Agency Chief Information Officers Council; creation.

282.318 Security of data and information technology resources.

282.322 Special monitoring process for designated information resources management projects.

282.33 Objective standards for data center energy efficiency.

282.003 Short title.--This part may be cited as the "Information Technology Resources Management Act."

History.--s. 8, ch. 87-137; s. 1, ch. 92-98; s. 93, ch. 92-142; s. 4, ch. 96-390; s. 7, ch. 97-286; s. 45, ch. 99-13; s. 4, ch. 2008-116.

282.0041 Definitions.--For the purposes of this part, the term:

(1) "Agency" means those entities described in s. 216.011(1)(qq).

(2) "Agency Chief Information Officer" means the person appointed by the agency head to coordinate and manage the information technology functions and responsibilities applicable to that agency and to participate and represent the agency in developing strategies for implementing enterprise information technology services identified in law and developing recommendations for enterprise information technology policy.

(3) "Agency Chief Information Officers Council" means the council created in s. 282.315.

(4) "Agency for Enterprise Information Technology" means the agency created in s. 14.204.

(5) "Agency information technology service" means a service that directly helps an agency fulfill its statutory or constitutional responsibilities and policy objectives and is usually associated with the agency's primary or core business functions.

(6) "Annual budget meeting" means a meeting of the board of trustees of a primary data center to review data center usage to determine the apportionment of board members for the following fiscal year, review rates for each service provided, and determine any other required changes.

(7) "Business continuity plan" means a plan for disaster recovery which provides for the continued functioning of a primary data center during and after a disaster.

(8) "Computing facility" means agency space containing fewer than 10 servers, any of which supports a strategic or nonstrategic information technology service, as described in budget instructions developed pursuant to s. 216.023, but excluding single-server installations that exclusively perform a utility function such as file and print servers.

(9) "Customer entity" means an entity that obtains services from a primary data center.

(10) "Data center" means agency space containing 10 or more servers any of which supports a strategic or nonstrategic information technology service, as described in budget instructions developed pursuant to s. 216.023.

(11) "Enterprise level" means all executive branch agencies created or authorized in statute to perform legislatively delegated functions.

(12) "Enterprise information technology service" means an information technology service that is used in all agencies or a subset of agencies and is established in law to be designed, delivered, and managed at the enterprise level.

(13) "E-mail, messaging, and calendaring service" means the enterprise information technology service that enables users to send, receive, file, store, manage, and retrieve electronic messages, attachments, appointments, and addresses.

(14) "Information-system utility" means a full-service information-processing facility offering hardware, software, operations, integration, networking, and consulting services.

(15) "Information technology" means equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form.

(16) "Information technology policy" means statements that describe clear choices for how information technology will deliver effective and efficient government services to residents and improve state agency operations. A policy may relate to investments, business applications, architecture, or infrastructure. A policy describes its rationale, implications of compliance or noncompliance, the timeline for implementation, metrics for determining compliance, and the accountable structure responsible for its implementation.

(17) "Performance metrics" means the measures of an organization's activities and performance.

(18) "Primary data center" means a state or nonstate agency data center that is a recipient entity for consolidation of nonprimary data centers and computing facilities. A primary data center may be authorized in law or designated by the Agency for Enterprise Information Technology pursuant to s. 282.201.

(19) "Project" means an endeavor that has a defined start and end point; is undertaken to create or modify a unique product, service, or result; and has specific objectives that, when attained, signify completion.

(20) "Service level" means the key performance indicators (KPI) of an organization or service which must be regularly performed, monitored, and achieved.

(21) "Service-level agreement" means a written contract between a data center and a customer entity which specifies the scope of services provided, service level, the duration of the agreement, the responsible parties, and service costs. A service-level agreement is not a rule pursuant to chapter 120.

(22) "Standards" means the use of current, open, nonproprietary, or non-vendor-specific technologies.

(23) "Total cost" means all costs associated with information technology projects or initiatives, including, but not limited to, value of hardware, software, service, maintenance, incremental personnel, and facilities. Total cost of a loan or gift of information technology resources to an agency includes the fair market value of the resources; however, the total cost of loans or gifts of information technology to state universities to be used in instruction or research does not include fair market value.

(24) "Usage" means the billing amount charged by the primary data center, less any pass-through charges, to the customer entity.

(25) "Usage rate" means a customer entity's usage or billing amount as a percentage of total usage.

History.--ss. 3, 11, ch. 83-92; s. 17, ch. 87-137; ss. 10, 11, ch. 90-160; s. 4, ch. 91-171; s. 10, ch. 91-221; s. 5, ch. 91-429; s. 3, ch. 92-98; s. 95, ch. 92-142; s. 14, ch. 94-226; s. 11, ch. 94-340; s. 9, ch. 97-286; s. 16, ch. 2000-164; s. 51, ch. 2001-61; s. 10, ch. 2001-261; s. 4, ch. 2007-105; s. 5, ch. 2008-116.

Note.--Former s. 282.303.

282.0055 Assignment of information technology.--In order to ensure the most effective and efficient use of the state's information technology and information technology resources and notwithstanding other provisions of law to the contrary, policies for the design, planning, project management, and implementation of enterprise information technology services shall be the responsibility of the Agency for Enterprise Information Technology for executive branch agencies created or authorized in statute to perform legislatively delegated functions. The supervision, design, delivery, and management of agency information technology shall remain within the responsibility and control of the individual state agency.

History.--s. 5, ch. 2007-105; s. 6, ch. 2008-116.

282.0056 Development of work plan; development of implementation plans; and policy recommendations.--

(1) For the purposes of carrying out its responsibilities under s. 282.0055, the Agency for Enterprise Information Technology shall develop an annual work plan within 60 days after the beginning of the fiscal year describing the activities that the agency intends to undertake for that year, including proposed outcomes and completion timeframes. The work plan must be presented at a public hearing that includes the Agency Chief Information Officers Council, which may review and comment on the plan. The work plan must thereafter be approved by the Governor and Cabinet and submitted to the President of the Senate and the Speaker of the House of Representatives. The work plan may be amended as needed, subject to approval by the Governor and Cabinet.

(2) By December 31, 2009, the agency shall develop, and submit to the President of the Senate and the Speaker of the House of Representatives, implementation plans for at least one of the following proposed enterprise information technology services to be established in law:

(a) A shared or consolidated enterprise information technology service delivery and support model for the e-mail, messaging, and calendaring service.

(b) Information security.

(3) In developing policy recommendations and implementation plans for established and proposed enterprise information technology services, the agency shall describe the scope of operation, conduct costs and requirements analyses, conduct an inventory of all existing information technology resources that are associated with each service, and develop strategies and timeframes for statewide migration. For purposes of consolidating state-owned or state-operated computer rooms and data centers, the agency shall develop a migration plan for any consolidation effort.

(4) For the purpose of completing its work activities, each state agency shall provide to the agency all requested information, including, but not limited to, the state agency's costs, service requirements, and equipment inventories.

(5) Within 60 days after the end of each fiscal year, the agency shall report to the Governor and Cabinet, the President of the Senate, and the Speaker of the House of Representatives on what was achieved or not achieved in the prior year's work plan.

History.--s. 6, ch. 2007-105; s. 7, ch. 2008-116.

¹282.102 Powers and duties.--The Department of Management Services shall have the following powers, duties, and functions:

(1) To publish electronically the portfolio of services available from the department, including pricing information; the policies and procedures of the state communications network governing usage of available services; and a forecast of the priorities and initiatives for the state communications system for the ensuing 2 years.

(2) To adopt technical standards for the state communications network which will ensure the interconnection of computer networks and information systems of agencies.

(3) To enter into agreements related to information technology with state agencies and political subdivisions of the state.

(4) To purchase from or contract with information technology providers for information technology, including private line services.

(5) To apply for, receive, and hold such authorizations, patents, copyrights, trademarks, service marks, licenses, and allocations or channels and frequencies to carry out the purposes of this part.

(6) To purchase, lease, or otherwise acquire and to hold, sell, transfer, license, or otherwise dispose of real, personal, and intellectual property, including, but not limited to, patents, trademarks, copyrights, and service marks.

(7) To cooperate with any federal, state, or local emergency management agency in providing for emergency communications services.

(8) To control and approve the purchase, lease, or acquisition and the use of communications services provided as part of any other total system to be used by the state or any of its agencies.

(9) To adopt rules pursuant to ss. 120.536(1) and 120.54 relating to communications and to administer the provisions of this part.

(10) To apply for and accept federal funds for any of the purposes of this part as well as gifts and donations from individuals, foundations, and private organizations.

(11) To monitor issues relating to communications facilities and services before the Florida Public Service Commission and, when necessary, prepare position papers, prepare testimony, appear as a witness, and retain witnesses on behalf of state agencies in proceedings before the commission.

(12) Unless delegated to the agencies by the department, to manage and control, but not intercept or interpret, communications within the SUNCOM Network by:

(a) Establishing technical standards to physically interface with the SUNCOM Network.

(b) Specifying how communications are transmitted within the SUNCOM Network.

(d) Establishing standards, policies, and procedures for access to the SUNCOM Network.

(e) Ensuring orderly and reliable communications services in accordance with the service level agreements executed with state agencies.

(13) To plan, design, and conduct experiments for communications services, equipment, and technologies, and to implement enhancements in the state communications network when in the public interest and cost-effective. Funding for such experiments shall be derived from SUNCOM Network service revenues and shall not exceed 2 percent of the annual budget for the SUNCOM Network for any fiscal year or as provided in the General Appropriations Act. New services offered as a result of this subsection shall not affect existing rates for facilities or services.

(14) To enter into contracts or agreements, with or without competitive bidding or procurement, to make available, on a fair, reasonable, and nondiscriminatory basis, property and other structures under departmental control for the placement of new facilities by any wireless provider of mobile service as defined in 47 U.S.C. s. 153(n) or s. 332(d) and any telecommunications company as defined in s. 364.02 when it is determined to be practical and feasible to make such property or other structures available. The department may, without adopting a rule, charge a just, reasonable, and nondiscriminatory fee for the placement of the facilities, payable annually, based on the fair market value of space used by comparable communications facilities in the state. The department and a wireless provider or telecommunications company may negotiate the reduction or elimination of a fee in consideration of services provided to the department by the wireless provider or telecommunications company. All such fees collected by the department shall be deposited directly into the Law Enforcement Radio Operating Trust Fund, and may be used by the department to construct, maintain, or support the system.

History.--s. 22, ch. 69-106; s. 1, ch. 70-327; s. 36, ch. 83-334; s. 11, ch. 87-137; s. 220, ch. 92-279; s. 55, ch. 92-326; s. 16, ch. 95-143; s. 1, ch. 96-357; s. 9, ch. 96-390; s. 11, ch. 97-286; s. 65, ch. 98-279; s. 5, ch. 2000-164; s. 11, ch. 2001-261; s. 36, ch. 2002-1; s. 18, ch. 2007-105.

¹Note.--

A. Section 31(4) and (5), ch. 2001-261, provide that:

"(4) The State Technology Office is authorized to charge back to each participating agency an amount equal to the total of all direct and indirect costs of administering the agreement with the agency and the total of all direct and indirect costs of rendering the performances required of the State Technology Office under such agreements.

"(5) Any resources transferred to the State Technology Office which were dedicated to a federally funded system shall remain allocated to that system until the appropriate federal agency or authority confirms in writing that another plan for supporting the system will not result in federal sanctions."

B. Material creating the State Technology Office was stricken from s. 282.102 by s. 18, ch. 2007-105. Some office functions were assumed by the Department of Management Services and other entities pursuant to that law.

C. Section 14, ch. 2007-105, provides that "[u]nless otherwise specified in this act, the Department of Management Services, established in s. 20.22, Florida Statutes, shall assume the duties and responsibilities of the State Technology Office as set forth in ss. 215.322(2), 282.102, 282.103, 282.104, 282.105, 282.106, 282.107, 282.1095, 282.111, 282.21, 282.22, 288.1092, 288.1093, 365.171, 365.172, and 365.173, Florida Statutes."

Note.--Former s. 287.25.

¹282.103 SUNCOM Network; exemptions from the required use.--

(1) There is created within the Department of Management Services the SUNCOM Network which shall be developed to serve as the state communications system for providing local and long-distance communications services to state agencies, political subdivisions of the state, municipalities, state universities, and nonprofit corporations pursuant to ss. 282.102-282.111. The SUNCOM Network shall be developed to transmit all types of communications signals, including, but not limited to, voice, data, video, image, and radio. State agencies shall cooperate and assist in the development and joint use of communications systems and services.

(2) The State Technology Office shall design, engineer, implement, manage, and operate through state ownership, commercial leasing, or some combination thereof, the facilities and equipment providing SUNCOM Network services, and shall develop a system of equitable billings and charges for communication services.

(3) All state agencies and state universities are required to use the SUNCOM Network for agency and state university communications services as the services become available; however, no agency or university is relieved of responsibility for maintaining communications services necessary for effective management of its programs and functions. If a SUNCOM Network service does not meet the communications requirements of an agency or university, the agency or university shall notify the State Technology Office in writing and detail the requirements for that communications service. If the office is unable to meet an agency's or university's requirements by enhancing SUNCOM Network service, the office may grant the agency or university an exemption from the required use of specified SUNCOM Network services.

History.--s. 22, ch. 69-106; s. 13, ch. 87-137; s. 3, ch. 91-171; s. 222, ch. 92-279; s. 55, ch. 92-326; s. 10, ch. 96-390; s. 66, ch. 98-279; s. 6, ch. 2000-164; s. 12, ch. 2001-261; s. 935, ch. 2002-387; s. 19, ch. 2007-105.

¹Note.--Section 14, ch. 2007-105, provides that "[u]nless otherwise specified in this act, the Department of Management Services, established in s. 20.22, Florida Statutes, shall assume the duties and responsibilities of the State Technology Office as set forth in ss. 215.322(2), 282.102, 282.103, 282.104, 282.105, 282.106, 282.107, 282.1095, 282.111, 282.21, 282.22, 288.1092, 288.1093, 365.171, 365.172, and 365.173, Florida Statutes."

Note.--Former s. 287.27.

¹282.104 Use of state SUNCOM Network by municipalities.--Any municipality may request the State Technology Office to provide any or all of the SUNCOM Network's portfolio of communications services upon such terms and under such conditions as the office may establish. The requesting municipality shall pay its share of installation and recurring costs according to the published rates for SUNCOM Network services and as invoiced by the office. Such municipality shall also pay for any requested modifications to existing SUNCOM Network services, if any charges apply.

History.--s. 3, ch. 82-56; s. 1, ch. 83-70; s. 14, ch. 87-137; s. 11, ch. 96-390; s. 67, ch. 98-279; s. 7, ch. 2000-164; s. 13, ch. 2001-261.

Note.--Former s. 287.251.

¹282.105 Use of state SUNCOM Network by nonprofit corporations.--

(1) The State Technology Office shall provide a means whereby private nonprofit corporations under contract with state agencies or political subdivisions of the state may use the state SUNCOM Network, subject to the limitations in this section. In order to qualify to use the state SUNCOM Network, a nonprofit corporation shall:

(a) Expend the majority of its total direct revenues for the provision of contractual services to the state, a municipality, or a political subdivision of the state; and

(b) Receive only a small portion of its total revenues from any source other than a state agency, a municipality, or a political subdivision of the state during the period of time SUNCOM Network services are requested.

(2) Each nonprofit corporation seeking authorization to use the state SUNCOM Network pursuant to this section shall provide to the office, upon request, proof of compliance with subsection (1).

(3) Nonprofit corporations established pursuant to general law and an association of municipal governments which is wholly owned by the municipalities shall be eligible to use the state SUNCOM Network, subject to the terms and conditions of the office.

(4) Institutions qualified to participate in the William L. Boyd, IV, Florida Resident Access Grant Program pursuant to s. 1009.89 shall be eligible to use the state SUNCOM Network, subject to the terms and conditions of the office. Such entities shall not be required to satisfy the other criteria of this section.

(5) Private, nonprofit elementary and secondary schools shall be eligible for rates and services on the same basis as public schools, providing these nonpublic schools do not have an endowment in excess of $50 million.

History.--s. 1, ch. 80-107; s. 2, ch. 82-56; s. 3, ch. 83-70; s. 15, ch. 87-137; s. 223, ch. 92-279; s. 55, ch. 92-326; s. 197, ch. 95-148; s. 12, ch. 96-390; s. 19, ch. 97-296; s. 68, ch. 98-279; s. 36, ch. 99-399; s. 8, ch. 2000-164; s. 14, ch. 2001-261; s. 936, ch. 2002-387.

Note.--Former s. 287.272.

¹282.106 Use of SUNCOM Network by libraries.--The State Technology Office may provide SUNCOM Network services to any library in the state, including libraries in public schools, community colleges, state universities, and nonprofit private postsecondary educational institutions, and libraries owned and operated by municipalities and political subdivisions.

History.--s. 2, ch. 96-357; s. 9, ch. 2000-164; s. 15, ch. 2001-261; s. 937, ch. 2002-387.

¹282.107 SUNCOM Network; criteria for usage.--

(1) The Department of Management Services shall periodically review the qualifications of subscribers using the state SUNCOM Network and shall terminate services provided to any facility not qualified pursuant to ss. 282.102-282.111 or rules adopted hereunder. In the event of nonpayment of invoices by subscribers whose SUNCOM Network invoices are paid from sources other than legislative appropriations, such nonpayment represents good and sufficient reason to terminate service.

(2) The Department of Management Services shall adopt rules for implementing and operating the state SUNCOM Network, which shall include its procedures for withdrawing and restoring authorization to use the state SUNCOM Network. Such rules shall provide a minimum of 30 days' notice to affected parties prior to termination of voice communications service.

(3) Nothing in this section shall be construed to limit or restrict the ability of the Florida Public Service Commission to set jurisdictional tariffs of telecommunications companies.

History.--s. 1, ch. 82-56; s. 2, ch. 83-70; s. 16, ch. 87-137; s. 13, ch. 96-390; s. 33, ch. 2000-152; s. 10, ch. 2000-164; s. 20, ch. 2007-105.

Note.--Former s. 287.255.

282.109 Emergency assumption of control.--In the event of an emergency, the Governor may direct emergency management assumption of control over all or part of the state communications system.

History.--s. 22, ch. 69-106; s. 37, ch. 83-334.

Note.--Former s. 287.28.

¹282.1095 State agency law enforcement radio system and interoperability network.--

(1) The State Technology Office may acquire and implement a statewide radio communications system to serve law enforcement units of state agencies, and to serve local law enforcement agencies through mutual aid channels. The Joint Task Force on State Agency Law Enforcement Communications is established in the State Technology Office to advise the office of member-agency needs for the planning, designing, and establishment of the joint system. The State Agency Law Enforcement Radio System Trust Fund is established in the State Technology Office. The trust fund shall be funded from surcharges collected under ss. 320.0802 and 328.72.

(2)(a) The Joint Task Force on State Agency Law Enforcement Communications shall consist of eight members, as follows:

1. A representative of the Division of Alcoholic Beverages and Tobacco of the Department of Business and Professional Regulation who shall be appointed by the secretary of the department.

2. A representative of the Division of Florida Highway Patrol of the Department of Highway Safety and Motor Vehicles who shall be appointed by the executive director of the department.

3. A representative of the Department of Law Enforcement who shall be appointed by the executive director of the department.

4. A representative of the Fish and Wildlife Conservation Commission who shall be appointed by the executive director of the commission.

5. A representative of the Division of Law Enforcement of the Department of Environmental Protection who shall be appointed by the secretary of the department.

6. A representative of the Department of Corrections who shall be appointed by the secretary of the department.

7. A representative of the Division of State Fire Marshal of the Department of Financial Services who shall be appointed by the State Fire Marshal.

8. A representative of the Department of Transportation who shall be appointed by the secretary of the department.

(b) Each appointed member of the joint task force shall serve at the pleasure of the appointing official. Any vacancy on the joint task force shall be filled in the same manner as the original appointment. Any joint task force member may, upon notification to the chair prior to the beginning of any scheduled meeting, appoint an alternative to represent the member on the task force and vote on task force business in his or her absence.

(c) The joint task force shall elect a chair from among its members to serve a 1-year term. A vacancy in the chair of the joint task force must be filled for the remainder of the unexpired term by an election of the joint task force members.

(d) The joint task force shall meet as necessary, but at least quarterly, at the call of the chair and at the time and place designated by him or her.

(e) The per diem and travel expenses incurred by a member of the joint task force in attending its meetings and in attending to its affairs shall be paid pursuant to s. 112.061, from funds budgeted to the state agency that the member represents.

(f) The State Technology Office is hereby authorized to rent or lease space on any tower under its control. The office may also rent, lease, or sublease ground space as necessary to locate equipment to support antennae on the towers. The costs for use of such space shall be established by the office for each site, when it is determined to be practicable and feasible to make space available. The office may refuse to lease space on any tower at any site. All moneys collected by the office for such rents, leases, and subleases shall be deposited directly into the Law Enforcement Radio Operating Trust Fund and may be used by the office to construct, maintain, or support the system.

(g) The State Technology Office is hereby authorized to rent, lease, or sublease ground space on lands acquired by the office for the construction of privately owned or publicly owned towers. The office may, as a part of such rental, lease, or sublease agreement, require space on said tower or towers for antennae as may be necessary for the construction and operation of the state agency law enforcement radio system or any other state need. The positions necessary for the office to accomplish its duties under this paragraph and paragraph (f) shall be established in the General Appropriations Act and shall be funded by the Law Enforcement Radio Operating Trust Fund or other revenue sources.

(h) The State Technology Office may make the mutual aid channels in the statewide radio communications system available to federal agencies, state agencies, and agencies of the political subdivisions of the state for the purpose of public safety and domestic security. The office shall exercise its powers and duties, as specified in this chapter, to plan, manage, and administer the mutual aid channels. The office shall, in implementing such powers and duties, act in consultation and conjunction with the Department of Law Enforcement and the Division of Emergency Management of the Department of Community Affairs, and shall manage and administer the mutual aid channels in a manner that reasonably addresses the needs and concerns of the involved law enforcement agencies and emergency response agencies and entities.

(3) Upon appropriation, moneys in the trust fund may be used by the office to acquire by competitive procurement the equipment; software; and engineering, administrative, and maintenance services it needs to construct, operate, and maintain the statewide radio system. Moneys in the trust fund collected as a result of the surcharges set forth in ss. 320.0802 and 328.72 shall be used to help fund the costs of the system. Upon completion of the system, moneys in the trust fund may also be used by the office to provide for payment of the recurring maintenance costs of the system.

(4)(a) The office shall, in conjunction with the Department of Law Enforcement and the Division of Emergency Management of the Department of Community Affairs, establish policies, procedures, and standards which shall be incorporated into a comprehensive management plan for the use and operation of the statewide radio communications system.

(b) The joint task force, in consultation with the office, shall have the authority to permit other state agencies to use the communications system, under terms and conditions established by the joint task force.

(5) The office shall provide technical support to the joint task force and shall bear the overall responsibility for the design, engineering, acquisition, and implementation of the statewide radio communications system and for ensuring the proper operation and maintenance of all system common equipment.

(6)(a) The State Technology Office may create and implement an interoperability network to enable interoperability between various radio communications technologies and to serve federal agencies, state agencies, and agencies of political subdivisions of the state for the purpose of public safety and domestic security. The office shall, in conjunction with the Department of Law Enforcement and the Division of Emergency Management of the Department of Community Affairs, exercise its powers and duties pursuant to this chapter to plan, manage, and administer the interoperability network. The office may:

1. Enter into mutual aid agreements among federal agencies, state agencies, and political subdivisions of the state for the use of the interoperability network.

2. Establish the cost of maintenance and operation of the interoperability network and charge subscribing federal and local law enforcement agencies for access and use of the network. The State Technology Office may not charge state law enforcement agencies identified in paragraph (2)(a) to use the network.

3. In consultation with the Department of Law Enforcement and the Division of Emergency Management of the Department of Community Affairs, amend and enhance the statewide radio communications system as necessary to implement the interoperability network.

(b) The State Technology Office, in consultation with the Joint Task Force on State Agency Law Enforcement Communications, and in conjunction with the Department of Law Enforcement and the Division of Emergency Management of the Department of Community Affairs, shall establish policies, procedures, and standards to incorporate into a comprehensive management plan for the use and operation of the interoperability network.

History.--s. 1, ch. 88-144; s. 1, ch. 92-72; s. 224, ch. 92-279; s. 55, ch. 92-326; s. 30, ch. 94-218; s. 111, ch. 94-356; s. 860, ch. 95-148; s. 5, ch. 95-283; s. 1, ch. 96-312; s. 5, ch. 96-357; s. 10, ch. 96-388; s. 14, ch. 96-390; s. 6, ch. 98-251; s. 69, ch. 98-279; s. 81, ch. 99-245; s. 3, ch. 99-289; s. 37, ch. 99-399; s. 11, ch. 2000-164; s. 16, ch. 2001-261; s. 2, ch. 2003-153; s. 308, ch. 2003-261.

¹282.111 Statewide system of regional law enforcement communications.--

(1) It is the intent and purpose of the Legislature that a statewide system of regional law enforcement communications be developed whereby maximum efficiency in the use of existing radio channels is achieved in order to deal more effectively with the apprehension of criminals and the prevention of crime generally. To this end, all law enforcement agencies within the state are directed to provide the State Technology Office with any information the office requests for the purpose of implementing the provisions of subsection (2).

(2) The State Technology Office is hereby authorized and directed to develop and maintain a statewide system of regional law enforcement communications. In formulating such a system, the office shall divide the state into appropriate regions and shall develop a program which shall include, but not be limited to, the following provisions:

(a) The communications requirements for each county and municipality comprising the region.

(b) An interagency communications provision which shall depict the communication interfaces between municipal, county, and state law enforcement entities which operate within the region.

(c) Frequency allocation and use provision which shall include, on an entity basis, each assigned and planned radio channel and the type of operation, simplex, duplex, or half-duplex, on each channel.

(3) The office shall adopt any necessary rules and regulations for implementing and coordinating the statewide system of regional law enforcement communications.

(4) The Chief Information Officer of the State Technology Office or his or her designee is designated as the director of the statewide system of regional law enforcement communications and, for the purpose of carrying out the provisions of this section, is authorized to coordinate the activities of the system with other interested state agencies and local law enforcement agencies.

(5) No law enforcement communications system shall be established or present system expanded without the prior approval of the State Technology Office.

(6) Within the limits of its capability, the Department of Law Enforcement is encouraged to lend assistance to the State Technology Office in the development of the statewide system of regional law enforcement communications proposed by this section.

History.--ss. 1, 2, 3, 4, 5, 6, ch. 72-296; s. 1, ch. 77-174; s. 12, ch. 79-8; s. 225, ch. 92-279; s. 55, ch. 92-326; s. 11, ch. 96-388; s. 15, ch. 96-390; s. 7, ch. 98-251; s. 70, ch. 98-279; s. 42, ch. 99-399; s. 12, ch. 2000-164; s. 17, ch. 2001-261.

Note.--Former s. 287.29.

282.201 State data center system; agency duties and limitations.--A state data center system that includes all primary data centers, other nonprimary data centers, and computing facilities, and that provides an enterprise information technology service as defined in s. 282.0041, is established.

(1) INTENT.--The Legislature finds that the most efficient and effective means of providing quality utility data processing services to state agencies requires that computing resources be concentrated in quality facilities that provide the proper security, infrastructure, and staff resources to ensure that the state's data is maintained reliably, safely, and is recoverable in the event of a disaster. Efficiencies resulting from such consolidation include the increased ability to leverage technological expertise, hardware and software capabilities; increased savings through consolidated purchasing decisions; and the enhanced ability to deploy technology improvements and implement new policies consistently throughout the consolidated organization. Therefore it is the intent of the Legislature that agency data centers and computing facilities be consolidated into primary data centers to the maximum extent possible by 2019.

(2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.--The Agency for Enterprise Information Technology shall:

(a) Collect and maintain information necessary for developing policies relating to the data center system, including, but not limited to, an inventory of facilities.

(b) Annually approve cost-recovery mechanisms and rate structures for primary data centers which recover costs through charges to customer entities.

(c) By December 31 of each year beginning in 2009, submit to the Legislature recommendations to improve the efficiency and effectiveness of computing services provided by state data center system facilities. Such recommendations may include, but need not be limited to:

1. Policies for improving the cost-effectiveness and efficiency of the state data center system.

2. Infrastructure improvements supporting the consolidation of facilities or preempting the need to create additional data center facilities or computing facilities.

3. Standards for an objective, credible energy performance rating system that data center boards of trustees can use to measure state data center energy consumption and efficiency on a biannual basis.

4. Uniform disaster recovery standards.

5. Standards for providing transparent financial data to user agencies.

6. Consolidation of contract practices or coordination of software, hardware, or other technology-related procurements.

7. Improvements to data center governance structures.

(d) By December 31 of each year beginning in 2009, identify at least two nonprimary data centers or computing facilities for consolidation into a primary data center or nonprimary data center facility. The consolidation proposal must provide a transition plan, including estimated transition costs, timeframes for the transition, proposed budgetary savings, and substantive legislative changes necessary to implement the transition.

1. Recommendations shall be based on the goal of maximizing current and future cost savings. The agency shall consider the following criteria in selecting consolidations that maximize efficiencies by providing the ability to:

a. Consolidate purchase decisions;

b. Leverage expertise and other resources to gain economies of scale;

c. Implement state information technology policies more effectively;

d. Maintain or improve the level of service provision to customer entities; and

e. Make progress towards the state's goal of consolidating data centers and computing facilities into primary data centers.

2. The agency shall establish workgroups as necessary to ensure participation by affected agencies in the development of recommendations related to consolidations.

3. By December 31, 2010, the agency shall develop and submit to the Legislature an overall consolidation plan for state data centers and computing facilities. The plan shall indicate a timeframe for the consolidation of all remaining facilities into primary data centers, including existing and proposed data centers, by 2019.

4. This paragraph expires July 1, 2017.

(e) Develop and establish policies by rule relating to the operation of the state data center system which must comply with applicable federal regulations, including 2 C.F.R. part 225 and 45 C.F.R. The policies may address:

1. Ensuring that financial information is captured and reported consistently and accurately.

2. Requiring the establishment of service-level agreements executed between a data center and its customer entities for services provided.

3. Requiring annual full cost recovery on an equitable rational basis. The cost-recovery methodology must ensure that no service is subsidizing another service and may include adjusting the subsequent year's rates as a means to recover deficits or refund surpluses from a prior year.

4. Requiring that any special assessment imposed to fund expansion is based on a methodology that apportions the assessment according to the proportional benefit to each customer entity.

5. Requiring that rebates be given when revenues have exceeded costs, that rebates be applied to offset charges to those customer entities that have subsidized the costs of other customer entities, and that such rebates may be in the form of credits against future billings.

6. Requiring that all service-level agreements have a contract term of up to 3 years, but may include an option to renew for up to 3 additional years contingent on approval by the board, and require at least a 180-day notice of termination.

7. Designating any nonstate data centers as primary data centers if the center:

a. Has an established governance structure that represents customer entities proportionally.

b. Maintains an appropriate cost-allocation methodology that accurately bills a customer entity based on the actual direct and indirect costs to the customer entity and prohibits the subsidization of one customer entity's costs by another entity.

c. Has sufficient raised floor space, cooling, redundant power capacity, including uninterruptible power supply and backup power generation, to accommodate the computer processing platforms and support necessary to host the computing requirements of additional customer entities.

(3) STATE AGENCY DUTIES.--

(a) For the purpose of completing its work activities as described in subsection (1), each state agency shall provide to the Agency for Enterprise Information Technology all requested information and any other information relevant to the agency's ability to effectively transition its computer services into a primary data center. The agency shall also participate as required in workgroups relating to specific consolidation planning and implementation tasks as assigned by the Agency for Enterprise Information Technology and determined necessary to accomplish consolidation goals.

(b) Each state agency shall submit to the Agency for Enterprise Information Technology information relating to its data centers and computing facilities as required in instructions issued by July 1 of each year by the Agency for Enterprise Information Technology. The information required may include:

1. The amount of floor space used and available.

2. The numbers and capacities of mainframes and servers.

3. Storage and network capacity.

4. Amount of power used and the available capacity.

5. Estimated expenditures by service area, including hardware and software, numbers of full-time equivalent positions, personnel turnover, and position reclassifications.

6. A list of contracts in effect for the fiscal year, including, but not limited to, contracts for hardware, software and maintenance, including the expiration date, the contract parties, and the cost of the contract.

7. Service-level agreements by customer entity.

(c) The Chief Information Officer of each state agency shall assist the Agency for Enterprise Information Technology as required by the agency.

(4) AGENCY LIMITATIONS.--

(a) Unless authorized by the Legislature or as provided in paragraph (b), a state agency may not:

1. Create a new computing facility or data center, or expand the capability to support additional computer equipment in an existing computing facility or nonprimary data center;

2. Transfer existing computer services to a nonprimary data center or computing facility;

3. Terminate services with a primary data center or transfer services between primary data centers without giving written notice of intent to terminate or transfer services 180 days before such termination or transfer; or

4. Initiate a new computer service if it does not currently have an internal data center except with a primary data center.

(b) Exceptions to the limitations in paragraph (a) may be granted by the agency head of the Agency for Enterprise Information Technology if there is insufficient capacity in a primary data center to absorb the workload associated with agency computing services.

(5) RULES.--The Agency for Enterprise Information Technology is authorized to adopt rules pursuant to ss. 120.536(1) and 120.54 to administer the provisions of this part relating to the state data center system including the primary data centers.

History.--s. 8, ch. 2008-116.

282.203 Primary data centers.--

(1) DATA CENTER DUTIES.--Each primary data center shall:

(a) Serve customer entities as an information-system utility.

(b) Cooperate with customer entities to offer, develop, and support the services and applications as defined and provided by the center's board of trustees and customer entities.

(c) Comply with rules adopted by the Agency for Enterprise Information Technology, pursuant to this section, and coordinate with the agency in the consolidation of data centers.

(d) Provide transparent financial statements to customer entities and the Agency for Enterprise Information Technology.

(e) Maintain the performance of the facility, which includes ensuring proper data backup, data backup recovery, an effective disaster recovery plan, and appropriate security, power, cooling and fire suppression, and capacity.

(f) Develop a business continuity plan and conduct a live exercise of the plan at least annually. The plan must be approved by the board and the Agency for Enterprise Information Technology.

(g) Enter into a service-level agreement with each customer entity to provide services as defined and approved by the board in compliance with rules of the Agency for Enterprise Information Technology. A service-level agreement may not have a term exceeding 3 years but may include an option to renew for up to 3 years contingent on approval by the board.

1. A service-level agreement, at a minimum, must:

a. Identify the parties and their roles, duties, and responsibilities under the agreement;

b. Identify the legal authority under which the service-level agreement was negotiated and entered into by the parties;

c. State the duration of the contractual term and specify the conditions for contract renewal;

d. Prohibit the transfer of computing services between primary data center facilities without at least 180 days' notice of service cancellation;

e. Identify the scope of work;

f. Identify the products or services to be delivered with sufficient specificity to permit an external financial or performance audit;

g. Establish the services to be provided, the business standards that must be met for each service, the cost of each service, and the process by which the business standards for each service are to be objectively measured and reported;

h. Identify applicable funds and funding streams for the services or products under contract;

i. Provide a timely billing methodology for recovering the cost of services provided to the customer entity;

j. Provide a procedure for modifying the service-level agreement to address changes in projected costs of service;

k. Provide that a service-level agreement may be terminated by either party for cause only after giving the other party and the Agency for Enterprise Information Technology notice in writing of the cause for termination and an opportunity for the other party to resolve the identified cause within a reasonable period; and

l. Provide for mediation of disputes by the Division of Administrative Hearings pursuant to s. 120.573.

2. A service-level agreement may include:

a. A dispute resolution mechanism, including alternatives to administrative or judicial proceedings;

b. The setting of a surety or performance bond for service-level agreements entered into with nonstate agency primary data centers, which may be designated by the Agency for Enterprise Information Technology; or

c. Additional terms and conditions as determined advisable by the parties if such additional terms and conditions do not conflict with the requirements of this section or rules adopted by the Agency for Enterprise Information Technology.

3. The failure to execute a service-level agreement within 60 days after service commencement shall, in the case of an existing customer entity, result in a continuation of the terms of the service-level agreement from the prior fiscal year, including any amendments that were formally proposed to the customer entity by the primary data center within the 3 months before service commencement, and a revised cost-of-service estimate. If a new customer entity fails to execute an agreement within 60 days after service commencement, the data center may cease services.

(h) Plan, design, establish pilot projects for, and conduct experiments with information technology resources, and implement enhancements in services if such implementation is cost-effective and approved by the board.

(i) Enter into a memorandum of understanding with the agency where the data center is administratively located which establishes the services to be provided by that agency to the data center and the cost of such services.

(2) BOARD OF TRUSTEES.--Each primary data center shall be headed by a board of trustees as defined in s. 20.03.

(a) The members of the board shall be appointed by the agency head or chief executive officer of the representative customer entities of the primary data center and shall serve at the pleasure of the appointing customer entity. The initial appointments of members shall be made as soon as practicable, but not later than July 1, 2008.

1. For each of the first 2 fiscal years that a center is in operation, membership shall be apportioned as provided in subparagraph 3. based on projected customer entity usage rates for the fiscal operating year of the primary data center. However, at a minimum:

a. During the Southwood Shared Resource Center's first 2 operating years, the Department of Transportation, the Department of Highway Safety and Motor Vehicles, the Department of Health, and the Department of Revenue must each have at least one trustee.

b. During the Northwood Shared Resource Center's first operating year, the Department of State and the Department of Education must each have at least one trustee.

2. After the second full year of operation, membership shall be apportioned as provided in subparagraph 3. based on the most recent estimate of customer entity usage rates for the prior year and a projection of usage rates for the first 9 months of the next fiscal year. Such calculation must be completed before the annual budget meeting held before the beginning of the next fiscal year so that any decision to add or remove board members can be voted on at the budget meeting and become effective on July 1 of the subsequent fiscal year.

3. Membership shall be apportioned using the following criteria:

a. Customer entities of a primary data center whose usage rate represents 4 to 14 percent of total usage shall have one trustee.

b. Customer entities of a primary data center whose usage rate represents 15 to 29 percent of total usage shall have two trustees.

c. Customer entities of a primary data center whose usage rate represents 30 to 49 percent of total usage shall have three trustees.

d. A customer entity of a primary data center whose usage rate represents 50 percent or more of total usage shall have four trustees.

e. A single trustee shall represent those customer entities that represent less than 4 percent of the total usage. The trustee shall be selected by a process determined by the board.

f. The executive director of the Agency for Enterprise Information Technology shall serve as a voting member of the board.

(b) Before July 1 of each year, each board of trustees of a primary data center shall elect a chair and a vice chair to a term of 1 year or until a successor is elected. The vice chair shall serve in the absence of the chair. The vice chair may not be from the same customer entity as the chair. The chair may be elected to serve one additional successive term.

(c) Members of the board representing customer entities who fail to timely pay for data center services do not have voting rights.

(d) The board shall take action by majority vote. If there is a tie, the chair shall be on the prevailing side.

(3) BOARD DUTIES.--Each board of trustees of a primary data center shall:

(a) Employ an executive director, pursuant to s. 20.05, who serves at the pleasure of the board. The executive director is responsible for the daily operation of the primary data center, ensuring compliance with all laws and rules regulating the primary data center, managing primary data center employees, and the performance of the primary data center.

(b) Establish procedures for the primary data center to ensure that budgeting and accounting procedures, cost-recovery methodologies, and operating procedures are in compliance with laws governing the state data center system, rules adopted by the Agency for Enterprise Information Technology, and applicable federal regulations, including 2 C.F.R. part 225 and 45 C.F.R.

(c) Monitor the operation of the primary data center to ensure compliance by the executive director and employees with laws and rules governing the primary data center, and ensure that staff members are accountable for the performance of the primary data center.

(d) Provide each customer entity with full disclosure concerning plans for new, additional, or reduced service requirements, including expected achievable service levels and performance metrics.

(e) Ensure the sufficiency and transparency of the primary data center financial information by:

1. Establishing policies that ensure that cost-recovery methodologies, billings, receivables, expenditure, budgeting, and accounting data are captured and reported timely, consistently, accurately, and transparently and, upon adoption of rules by the Agency for Enterprise Information Technology, are in compliance with such rules.

2. Requiring execution of service-level agreements by the data center and each customer entity for services provided by the data center to the customer entity.

3. Requiring cost recovery for the full cost of services, including direct and indirect costs. The cost-recovery methodology must ensure that no service is subsidizing another service without an affirmative vote of approval by the customer entity providing the subsidy.

4. Establishing special assessments to fund expansions based on a methodology that apportions the assessment according to the proportional benefit to each customer entity.

5. Providing rebates to customer entities when revenues exceed costs and offsetting charges to those who have subsidized other customer entity costs based on actual prior year final expenditures. Rebates may be credited against future billings.

6. Approving all expenditures committing over $50,000 in a fiscal year.

7. Projecting costs and revenues at the beginning of the third quarter of each fiscal year through the end of the fiscal year. If in any given fiscal year the primary data center is projected to earn revenues that are below costs for that fiscal year after first reducing operating costs where possible, the board shall implement any combination of the following remedies to cover the shortfall:

a. The board may direct the primary data center to adjust current year chargeback rates through the end of the fiscal year to cover the shortfall. The rate adjustments shall be implemented using actual usage rate and billing data from the first three quarters of the fiscal year and the same principles used to set rates for the fiscal year.

b. The board may direct the primary data center to levy one-time charges on all customer entities to cover the shortfall. The one-time charges shall be implemented using actual usage rate and billing data from the first three quarters of the fiscal year and the same principles used to set rates for the fiscal year.

c. The customer entities represented by each board member may provide payments to cover the shortfall in proportion to the amounts each entity paid in the prior fiscal year.

(f) Meet as often as necessary, but not less than once per quarter, and hold the annual budget meeting between April 1 and June 30 of each year.

(g) Approve the portfolio of services offered by the data center.

(h) By July 1 of each year, submit to the Agency for Enterprise Information Technology proposed cost-recovery mechanisms and rate structures for all customer entities for the fiscal year including the cost-allocation methodology for administrative expenditures and the calculation of administrative expenditures as a percent of total costs.

(i) Consider energy-efficient products and their total cost of ownership when replacing, upgrading, or expanding:

1. Data center facilities, including, but not limited to, environmental, power, and control systems; and

2. Data center network, storage, and computer equipment. If the total cost of ownership, including initial acquisition cost, is estimated to be equal to or lower than existing infrastructure, technical specifications for energy-efficient products should be incorporated into the replacement, upgrade, or expansion planning and acquisition process.

History.--s. 9, ch. 2008-116.

282.204 Northwood Shared Resource Center.--

(1) Beginning July 1, 2008, a workgroup shall be established within the Department of Children and Family Services for the purpose of developing a plan for converting its data center to a primary data center. The workgroup shall be chaired by a member appointed by the secretary of the department. Workgroup members may include other state agencies who will be customers of the data center during the 2009-2010 fiscal year. The workgroup shall include staff members who have appropriate financial and technical skills as determined by the chair of the workgroup. The conversion plan shall address organizational changes, personnel changes, cost-allocation plan changes, and any other changes necessary to effectively convert to a primary state data center capable of providing computer services as required by s. 282.201. The workgroup shall submit recommendations for facilitating the conversion to the Governor and Cabinet, the President of the Senate, and the Speaker of the House of Representatives by December 31, 2008.

(2) Effective July 1, 2009, the Northwood Shared Resource Center is established within the Department of Children and Family Services for administrative purposes only. The center is designated as a primary data center and shall be a separate budget entity that is not subject to control, supervision, or direction of the department in any manner, including, but not limited to, purchasing, transactions involving real or personal property, personnel, or budgetary matters.

(3) The center shall be headed by a board of trustees as provided in s. 282.203, who shall comply with all requirements of that section related to the operation of the center and with the policies of the Agency for Enterprise Information Technology related to the design and delivery of enterprise information technology services.

History.--s. 10, ch. 2008-116.

282.205 Southwood Shared Resource Center.--

(1) Effective July 1, 2008, the Southwood Shared Resource Center is established within the Department of Management Services for administrative purposes only. The center is designated as a primary data center and shall be a separate budget entity that is not subject to control, supervision, or direction of the department in any manner, including, but not limited to, purchasing, transactions involving real or personal property, personnel, or budgetary matters.

(2) The Department of Management Services and the center shall identify resources associated with information technology functions which are not related to the support, management, and operation of the data center but which currently exist within the same budget entity as the data center. By October 1, 2008, the center shall submit a budget amendment to transfer resources associated with these functions to the Department of Management Services.

History.--s. 11, ch. 2008-116.

¹282.21 The State Technology Office's electronic access services.--The State Technology Office may collect fees for providing remote electronic access pursuant to s. 119.07(2). The fees may be imposed on individual transactions or as a fixed subscription for a designated period of time. All fees collected under this section shall be deposited in the appropriate trust fund of the program or activity that made the remote electronic access available.

History.--s. 13, ch. 97-241; s. 14, ch. 2000-164; s. 19, ch. 2001-261; s. 37, ch. 2004-335.

¹282.22 State Technology Office; production, dissemination, and ownership of materials and products.--

(1) It is the intent of the Legislature that when materials, products, information, and services are acquired or developed by or under the direction of the State Technology Office, through research and development or other efforts, including those subject to copyright, patent, or trademark, they shall be made available for use by state and local government entities at the earliest practicable date and in the most economical and efficient manner possible and consistent with chapter 119.

(2) To accomplish this objective the office is authorized to publish or partner with private sector entities to produce or have produced materials and products and to make them readily available for appropriate use. The office is authorized to charge an amount or receive value-added services adequate to cover the essential cost of producing and disseminating such materials, information, services, or products and is authorized to sell services.

(3) In cases in which the materials or products are of such nature, or the circumstances are such, that it is not practicable or feasible for the office to produce or have produced materials and products so developed, it is authorized, after review and approval by the Executive Office of the Governor, to license, lease, assign, sell, or otherwise give written consent to any person, firm, or corporation for the manufacture or use thereof, on a royalty basis, or for such other consideration as the office shall deem proper and in the best interest of the state; the office is authorized and directed to protect same against improper or unlawful use or infringement and to enforce the collection of any sums due for the manufacture or use thereof by any other party.

(4) All proceeds from the sale of such materials and products or other money collected pursuant to this section shall be deposited into the Operating Trust Fund of the office and, when properly budgeted as approved by the Legislature and the Executive Office of the Governor, used to pay the cost of producing and disseminating materials and products to carry out the intent of this section.

History.--s. 14, ch. 97-241; s. 49, ch. 99-13; s. 15, ch. 2000-164; s. 20, ch. 2001-261; s. 17, ch. 2006-79.

282.3055 Agency chief information officer; appointment; duties.--

(1)(a) Each agency head shall appoint or contract for an agency chief information officer.

(b) The agency chief information officer must, at a minimum, have knowledge and experience in both management and information technology resources.

(2) The duties of the agency chief information officer include, but are not limited to:

(a) Coordinating and facilitating the planning and management of agency information technology services.

(b) Implementing agency information technology planning and management procedures, guidelines, and standards that are consistent with the procedures and standards adopted by the Agency for Enterprise Information Technology.

(c) Advising agency senior management as to the information technology resource planning and management needs of the agency.

(d) Assisting in the development and prioritization of the information technology resource needs for the agency's legislative budget request.

(e) Assisting the Agency for Enterprise Information Technology in the development of strategies for implementing the enterprise information technology services established in law and developing recommendations for enterprise information technology policy.

History.--s. 10, ch. 97-286; s. 20, ch. 2000-164; s. 23, ch. 2001-261; s. 8, ch. 2007-105.

282.315 Agency Chief Information Officers Council; creation.--The Legislature finds that enhancing communication, consensus building, coordination, and facilitation with respect to issues concerning enterprise information technology resources are essential to improving the management of such resources.

(1) There is created an Agency Chief Information Officers Council to:

(a) Enhance communication and collaboration among the Agency Chief Information Officers and the Agency for Enterprise Information Technology.

(b) Identify and recommend best practices that are characteristic of highly successful technology organizations, as well as exemplary information technology applications for use by state agencies, and assist the Agency for Enterprise Information Technology in developing strategies for implementing the enterprise information technology services established in law and developing recommendations for enterprise information technology policy.

(c) Identify efficiency opportunities among state agencies and make recommendations for action to the Agency for Enterprise Information Technology. This includes recommendations relating to the consolidation of agency data center and computing facilities, including operational policies, procedures and standards for the consolidated facilities, and procedures and standards for planning the migration to consolidated facilities.

(d) Assist the Agency for Enterprise Information Technology in identifying critical enterprise information technology issues and, when appropriate, make recommendations for solving enterprise resource planning and management deficiencies.

(2) Members of the council shall include the Agency Chief Information Officers, including the Chief Information Officers of the agencies and governmental entities, except that there shall be one Chief Information Officer selected by the state attorneys and one Chief Information Officer selected by the public defenders. The council shall appoint a chair, vice chair, and secretary from among its members to a 1-year term each. The council shall establish procedures governing council business.

(3) The Agency for Enterprise Information Technology shall provide administrative support to the council.

History.--s. 10, ch. 97-286; s. 24, ch. 2000-164; s. 25, ch. 2001-261; s. 9, ch. 2007-105; s. 12, ch. 2008-116.

282.318 Security of data and information technology resources.--

(1) This section may be cited as the "Security of Data and Information Technology Infrastructure Act."

(2)(a) The Agency for Enterprise Information Technology, in consultation with each agency head, is responsible for assessing and recommending minimum operating procedures for ensuring an adequate level of security for all data and information technology resources for executive branch agencies created or authorized in statute to perform legislatively delegated functions. To assist the agency in carrying out this responsibility, each agency head shall, at a minimum:

1. Designate an information security manager who shall administer the security program of the agency for its data and information technology resources.

2. Conduct, and update every 3 years, a comprehensive risk analysis to determine the security threats to the data, information, and information technology resources of the agency. The risk analysis information is confidential and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology in performing postauditing duties.

3. Develop, and periodically update, written internal policies and procedures, which shall include procedures for notifying the Agency for Enterprise Information Technology when an information security incident occurs or data is compromised. Such policies and procedures must be consistent with the standard operating procedures adopted by the Agency for Enterprise Information Technology in order to ensure the security of the data, information, and information technology resources of the agency. The internal policies and procedures that, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology in performing postauditing duties.

4. Implement appropriate cost-effective safeguards to reduce, eliminate, or recover from the identified risks to the data, information, and information technology resources of the agency.

5. Ensure that periodic internal audits and evaluations of the agency's security program for the data, information, and information technology resources of the agency are conducted. The results of such internal audits and evaluations are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology in performing postauditing duties.

6. Include appropriate security requirements in the written specifications for the solicitation of information technology and information technology resources which are consistent with the standard security operating procedures adopted by the Agency for Enterprise Information Technology.

(b) In those instances under this subsection in which the state agency or department develops state contracts, the state agency or department shall include appropriate security requirements in the specifications for the solicitation for state contracts for procuring information technology or information technology resources.

(3) The Agency for Enterprise Information Technology shall designate a chief information security officer.

(4) The Agency for Enterprise Information Technology shall develop standards and templates for conducting comprehensive risk analyses and information security audits by state agencies, assist agencies in their compliance with the provisions of this section, pursue appropriate funding provided for the purpose of enhancing domestic security, establish minimum guidelines and procedures for the recovery of information technology following a disaster, and provide training for agency information security managers. Standards, templates, guidelines, and procedures shall be published annually, no later than September 30 each year, to enable agencies to incorporate them in their planning for the following fiscal year.

(5) The Agency for Enterprise Information Technology may adopt rules pursuant to ss. 120.536(1) and 120.54 relating to information security and to administer the provisions of this section.

History.--ss. 1, 2, 3, ch. 84-236; s. 28, ch. 87-137; s. 1, ch. 89-14; s. 7, ch. 90-160; s. 13, ch. 91-171; s. 234, ch. 92-279; s. 55, ch. 92-326; s. 22, ch. 94-340; s. 863, ch. 95-148; s. 131, ch. 96-406; s. 15, ch. 97-286; s. 25, ch. 2000-164; s. 26, ch. 2001-261; s. 18, ch. 2006-26; s. 10, ch. 2007-105.

282.322 Special monitoring process for designated information resources management projects.--For each information resources management project which is designated for special monitoring in the General Appropriations Act, with a proviso requiring a contract with a project monitor, the Technology Review Workgroup established pursuant to s. 216.0446, in consultation with each affected agency, shall be responsible for contracting with the project monitor. Upon contract award, funds equal to the contract amount shall be transferred to the Technology Review Workgroup upon request and subsequent approval of a budget amendment pursuant to s. 216.292. With the concurrence of the Legislative Auditing Committee, the office of the Auditor General shall be the project monitor for other projects designated for special monitoring. However, nothing in this section precludes the Auditor General from conducting such monitoring on any project designated for special monitoring. In addition to monitoring and reporting on significant communications between a contracting agency and the appropriate federal authorities, the project monitoring process shall consist of evaluating each major stage of the designated project to determine whether the deliverables have been satisfied and to assess the level of risks associated with proceeding to the next stage of the project. The major stages of each designated project shall be determined based on the agency's information systems development methodology. Within 20 days after an agency has completed a major stage of its designated project or at least 90 days, the project monitor shall issue a written report, including the findings and recommendations for correcting deficiencies, to the agency head, for review and comment. Within 20 days after receipt of the project monitor's report, the agency head shall submit a written statement of explanation or rebuttal concerning the findings and recommendations of the project monitor, including any corrective action to be taken by the agency. The project monitor shall include the agency's statement in its final report, which shall be forwarded, within 7 days after receipt of the agency's statement, to the agency head, the inspector general's office of the agency, the Executive Office of the Governor, the appropriations committees of the Legislature, the Joint Legislative Auditing Committee, the Technology Review Workgroup, the President of the Senate, the Speaker of the House of Representatives, and the Office of Program Policy Analysis and Government Accountability. The Auditor General shall also receive a copy of the project monitor's report for those projects in which the Auditor General is not the project monitor.

History.--s. 23, ch. 94-340; s. 11, ch. 97-100; s. 16, ch. 97-286; s. 23, ch. 98-73; s. 30, ch. 98-136; s. 40, ch. 99-399; s. 27, ch. 2001-261; s. 11, ch. 2007-105; s. 20, ch. 2008-116.

282.33 Objective standards for data center energy efficiency.--

(1) By July 1, 2009, the Agency for Enterprise Information Technology shall define objective standards for:

(a) Measuring data center energy consumption and efficiency, including, but not limited to, airflow and cooling, power consumption and distribution, and environmental control systems in a data center facility.

(b) Calculating total cost of ownership of energy-efficient information technology products, including initial purchase, installation, ongoing operation and maintenance, and disposal costs over the life cycle of the product.

(2) State shared resource data centers and other data centers that the Agency for Enterprise Information Technology has determined will be recipients for consolidating data centers, which are designated by the Agency for Enterprise Information Technology, shall evaluate their data center facilities for energy efficiency using the standards established in this section.

(a) Results of these evaluations shall be reported to the Agency for Enterprise Information Technology, the President of the Senate, and the Speaker of the House of Representatives. Reports shall enable the tracking of energy performance over time and comparisons between facilities.

(b) By December 31, 2010, and biannually thereafter, the Agency for Enterprise Information Technology shall submit to the Legislature recommendations for reducing energy consumption and improving the energy efficiency of state data centers.

(3) The primary means of achieving maximum energy savings across all state data centers and computing facilities shall be the consolidation of data centers and computing facilities as determined by the Agency for Enterprise Information Technology. State data centers and computing facilities in the state data center system shall be established as an enterprise information technology service as defined in s. 282.0041. The Agency for Enterprise Information Technology shall make recommendations on consolidating state data centers and computing facilities, pursuant to s. 282.0056, by December 31, 2009.

(4) When the total cost of ownership of an energy-efficient product is less than or equal to the cost of the existing data center facility or infrastructure, technical specifications for energy-efficient products should be incorporated in the plans and processes for replacing, upgrading, or expanding data center facilities or infrastructure, including, but not limited to, network, storage, or computer equipment and software.

History.--s. 111, ch. 2008-227.

PART II

COMMERCE PROTECTION

282.5001 Short title.

282.5002 Definitions.

282.5003 Exclusive remedies for failure to be year 2000 compliant.

282.5004 Damages for failure to be year 2000 compliant; mediation; limitation on class actions; statute of limitations.

282.5005 Immunity from liability for directors and officers of businesses.

282.5006 Antitrust exemption with respect to exchanges of information.

282.5007 Alternative dispute resolution procedures.

282.5008 Construction of act.

282.5001 Short title.--This act may be cited as the "Commerce Protection Act."

History.--s. 1, ch. 99-230.

282.5002 Definitions.--For the purposes of this act, the following terms have the following meanings:

(1) BUSINESS.--The term "business" means a person or an entity engaged in providing goods or services in this state, but the term excludes any governmental agency or any agency of the legislative or judicial branch of state government.

(2) DATE DATA.--The term "date data" means data that contain dates or that contain both dates and times.

(3) DIRECT ECONOMIC DAMAGES.--The term "direct economic damages" includes only economic compensatory damages that follow both immediately and necessarily from the failure of the information technology products of a business or governmental agency to be year 2000 compliant. The term excludes special damages, incidental damages, and exemplary or punitive damages.

(4) GOVERNMENTAL AGENCY.--The term "governmental agency" includes any agency of the executive branch of state government or any political subdivision of the state as defined in s. 1.01 or any agency of such a political subdivision. For purposes of this section, the term also includes any public or private university school of medicine that is part of a public or private university supported in whole or in part by state funds and that has an affiliation with a local government or state instrumentality under which the medical school's computer systems, or diagnostic or therapeutic equipment dependent upon date logic, are used to provide clinical patient care services to the public.

(5) INFORMATION TECHNOLOGY PRODUCT.--

(a) The term "information technology product" includes software, firmware, microcode, hardware, and equipment containing embedded chips or microprocessors that create, read, write, calculate, compare, sequence, or otherwise operate on date data.

(b) The "information technology products" of a business or governmental agency are those that are owned, leased, or licensed by or under the exclusive control of the business or governmental agency and are used by it in providing its goods or services.

(6) YEAR 2000 COMPLIANT.--An information technology product is "year 2000 compliant" if the product, when used in accordance with its associated documentation or recommended user intervention, is capable of correctly processing, providing, and receiving date data, and will do so for all dates occurring between February 28, 1996, and March 1, 2000, when all other information technology products that are used with the product properly exchange date data with it. An information technology product does not fail to be year 2000 compliant merely because it contains a defect that is unrelated to the manner in which the product processes, provides, or receives date data and that only incidentally causes the product to fail to properly process, provide, or receive date data.

History.--s. 2, ch. 99-230.

282.5003 Exclusive remedies for failure to be year 2000 compliant.--The exclusive remedies in this state for recovering from a business or governmental agency damages resulting from the failure of its information technology products to be year 2000 compliant are those available for breach of a contract with or a tariff filed by the business or governmental agency; and all terms of that contract or tariff, including limitations on and exclusions of liability and disclaimers of warranty, remain fully enforceable and are unaffected by the provisions of this act. If there is no contract or tariff, the exclusive remedies in this state for recovering from a business or governmental agency damages resulting from the failure of its information technology products to be year 2000 compliant are those provided in s. 282.5004.

History.--s. 3, ch. 99-230.

282.5004 Damages for failure to be year 2000 compliant; mediation; limitation on class actions; statute of limitations.--

(1) Unless otherwise provided by a contract or tariff, any business may be liable only for direct economic damages caused by the failure of its information technology products to be year 2000 compliant, as provided in this section.

(2) Unless otherwise provided by a contract or tariff, any governmental agency may be liable only for direct economic damages caused by the failure of its information technology products to be year 2000 compliant, and only within the limits on the waiver of sovereign immunity established in s. 768.28.

(3) The provisions of s. 768.81 apply to the award of damages under this section.

(4) Damages awarded under this section shall exclude any damages that the plaintiff:

(a) Could have avoided or mitigated with the exercise of reasonable care; or

(b) Could have reasonably avoided or mitigated as a result of any written or otherwise communicated disclosure actually made by the defendant before December 1, 1999, in a manner consistent with that used in the past to give notifications to the plaintiff or persons similarly situated, concerning whether any of the information technology products of the business or governmental agency was year 2000 compliant.

(5)(a) A business or governmental agency is not liable for direct economic damages if it proves by a preponderance of the evidence that it has:

1. Secured an assessment, by a person who possesses the technical skills, experience, or competence with respect to information technology resources to evaluate information technology products for year 2000 compliance, to determine actions necessary to make the information technology products of the business or governmental agency year 2000 compliant and, based on that assessment, holds before December 1, 1999, a reasonable good faith belief that those products are year 2000 compliant; or

2. Before December 1, 1999, conducted a date-data test of its information technology products and as a result of such test has a reasonable good faith belief that they are year 2000 compliant; or

3. If it has five or fewer employees and has a net worth of $100,000 or less, made reasonable efforts to assess whether the entities on whose goods or services it relies and with whom it is in privity have provided information technology products that are year 2000 compliant and, with respect to each such entity, either:

a. Holds before December 1, 1999, a reasonable good faith belief, based on the response to inquiries or on research, that the entity has provided information technology products that are year 2000 compliant; or

b. Discloses in writing to the other party before December 1, 1999, in a manner consistent with that used in the past to give written notifications to that party, that the entity has provided information technology products that are presumed not to be year 2000 compliant or that, based on the response to inquiries, the entity is making reasonable good faith efforts to make its information technology products become year 2000 compliant.

(b) All defenses that would otherwise be available to a business or governmental agency in any other action, including an action based on negligence, remain available with respect to an action under this section. Moreover, the failure of a business or governmental agency to comply with paragraph (a) shall not create a presumption of liability and no inference may be drawn from such failure.

(6) Beginning January 1, 2000, upon the filing of any lawsuit or the presentation of a claim for arbitration under s. 282.5007 seeking damages under this section, and prior to the filing of an answer or response, the court having jurisdiction shall refer the claim to mediation under s. 44.102 unless the court determines that the interests of justice would not be served. The time to file the answer or response shall be tolled for up to 60 days after service of process on the defendant or until the conclusion of the mediation, whichever is earlier.

(7) A class action may not be maintained in this state:

(a) Against a governmental agency for damages caused by the failure of its information technology products to be year 2000 compliant.

(b) Against a business for damages caused by the failure of its information technology products to be year 2000 compliant, unless each member of the class has suffered direct economic damages in excess of $50,000.

(8) Any action for damages under this section must be commenced on or before March 1, 2002, but the running of this time is tolled from the date any offer is made to submit the claim to mediation until the conclusion of mediation.

History.--s. 4, ch. 99-230.

282.5005 Immunity from liability for directors and officers of businesses.--

(1) A director or officer of a business has absolute and complete immunity from personal liability for any damages resulting from the failure of the information technology products of the business to be year 2000 compliant if the officer or director has either instructed the business or received written assurance from another officer or director that the business has been instructed to:

(a) Take steps to determine whether those products are year 2000 compliant;

(b) Develop and implement a plan to take actions necessary to make those products year 2000 compliant; and

(c) Inquire whether the information technology products of the entities on whose goods or services the business relies are year 2000 compliant.

(2) A director or officer who does not have absolute and complete immunity from personal liability under subsection (1) nevertheless has immunity from personal liability to the extent provided in chapter 607 or chapter 617.

History.--s. 5, ch. 99-230.

282.5006 Antitrust exemption with respect to exchanges of information.--The exchange of information among businesses concerning measures that have been taken or are to be taken in order for a business to make its information technology products year 2000 compliant does not constitute an activity or conduct in restraint of trade or commerce under chapter 542.

History.--s. 6, ch. 99-230.

282.5007 Alternative dispute resolution procedures.--

(1) VOLUNTARY BINDING ARBITRATION.--

(a) Any party to a dispute under this act for which there is no prior arbitration agreement may, before a lawsuit has been filed, make an offer to the other party to submit the dispute to voluntary binding arbitration under s. 44.104. An offer made under this paragraph must set out the maximum amount of damages that may be imposed pursuant to arbitration.

(b) If at trial the court finds that an offer was made under paragraph (a) and was rejected, the court shall award attorney's fees and costs in accordance with this paragraph.

1. If the offer was made by the plaintiff and rejected by the defendant, and if the defendant is ultimately found to be liable for damages in an amount equal to or exceeding that specified in the plaintiff's highest offer, the defendant must pay the plaintiff's costs and reasonable attorney's fees.

2. If the offer was made by the defendant and rejected by the plaintiff, and if the plaintiff is not ultimately awarded damages in an amount exceeding that specified in the defendant's highest offer, the plaintiff must pay the defendant's costs and reasonable attorney's fees.

(2) MEDIATION.--

(a) The court may submit a claim for damages under this act to mediation pursuant to s. 44.102.

(b) A party may serve its last best offer made in mediation upon another party as an offer of judgment under s. 768.79, and may make use of all the rights and remedies provided by this section.

History.--s. 7, ch. 99-230; s. 35, ch. 2000-152.

282.5008 Construction of act.--This act shall not be construed to create a new cause of action or a duty to provide notice concerning year 2000 compliance nor be construed to mandate the content or timing of any notice concerning year 2000 compliance.

History.--s. 8, ch. 99-230.

PART III

ACCESSIBILITY OF INFORMATION
AND TECHNOLOGY

282.601 Accessibility of electronic information and information technology.

282.602 Definitions.

282.603 Access to electronic and information technology for persons with disabilities; undue burden; limitations.

282.604 Adoption of rules.

282.605 Exceptions.

282.606 Intent.

282.601 Accessibility of electronic information and information technology.--

(1) In order to improve the accessibility of electronic information and information technology and increase the successful education, employment, access to governmental information and services, and involvement in community life, the executive, legislative, and judicial branches of state government shall, when developing, competitively procuring, maintaining, or using electronic information or information technology acquired on or after July 1, 2006, ensure that state employees with disabilities have access to and are provided with information and data comparable to the access and use by state employees who are not individuals with disabilities, unless an undue burden would be imposed on the agency.

(2) Individuals with disabilities who are members of the public seeking information or services from state agencies that are subject to this part shall be provided with access to and use of information and data comparable to that provided to the public who are not individuals with disabilities, unless an undue burden would be imposed on the agency.

History.--s. 73, ch. 2006-227.

282.602 Definitions.--As used in this part, the term:

(1) "Accessible electronic information and information technology" means electronic information and information technology that conforms to the standards for accessible electronic information and information technology as set forth by s. 508 of the Rehabilitation Act of 1973, as amended, and 29 U.S.C. s. 794(d), including the regulations set forth under 36 C.F.R. part 1194.

(2) "Alternate methods" means a different means of providing information to people with disabilities, including product documentation. The term includes, but is not limited to, voice, facsimile, relay service, TTY, Internet posting, captioning, text-to-speech synthesis, and audio description.

(3) "Electronic information and information technology" includes information technology and any equipment or interconnected system or subsystem of equipment that is used in creating, converting, or duplicating data or information. The term includes, but is not limited to, telecommunications products such as telephones, information kiosks and transaction machines, Internet websites, multimedia systems, and office equipment such as copiers and facsimile machines. The term does not include any equipment that contains embedded information technology that is an integral part of the product if the principal function of the technology is not the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

(4) "Information technology" means any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term includes computers, ancillary equipment, software, firmware and similar procedures, services, and support services, and related resources.

(5) "Undue burden" means significant difficulty or expense. In determining whether an action would result in an undue burden, a state agency shall consider all agency resources that are available to the program or component for which the product is being developed, procured, maintained, or used.

(6) "State agency" means any agency of the executive, legislative, or judicial branch of state government.

History.--s. 73, ch. 2006-227.

282.603 Access to electronic and information technology for persons with disabilities; undue burden; limitations.--

(1) Each state agency shall develop, procure, maintain, and use accessible electronic information and information technology acquired on or after July 1, 2006, that conforms to the applicable provisions set forth by s. 508 of the Rehabilitation Act of 1973, as amended, and 29 U.S.C. s. 794(d), including the regulations set forth under 36 C.F.R. part 1194, except when compliance with this section imposes an undue burden; however, in such instance, a state agency must provide individuals with disabilities with the information and data involved by an alternative method of access that allows the individual to use the information and data.

(2) This section does not require a state agency to install specific accessibility-related software or attach an assistive technology device at a work station of a state employee who is not an individual with a disability.

(3) This section does not require a state agency, when providing the public with access to information or data through electronic information technology, to make products owned by the state agency available for access and use by individuals with disabilities at a location other than the location at which the electronic information and information technology are normally provided to the public. This section does not require a state agency to purchase products for access and use by individuals with disabilities at a location other than at the location where the electronic information and information technology are normally provided to the public.

History.--s. 73, ch. 2006-227.

282.604 Adoption of rules.--The Department of Management Services shall, with input from stakeholders, adopt rules pursuant to ss. 120.536(1) and 120.54 for the development, procurement, maintenance, and use of accessible electronic information technology by governmental units.

History.--s. 73, ch. 2006-227.

282.605 Exceptions.--

(1) This part does not apply to electronic information and information technology of the Department of Military Affairs or the Florida National Guard if the function, operation, or use of the information or technology involves intelligence activities or cryptologic activities related to national security, the command and control of military forces, equipment that is an integral part of a weapon or weapons system, or systems that are critical to the direct fulfillment of military or intelligence missions. Systems that are critical to the direct fulfillment of military or intelligence missions do not include a system that is used for routine administrative and business applications, including, but not limited to, payroll, finance, logistics, and personnel management applications.

(2) This part does not apply to electronic information and information technology of a state agency if the function, operation, or use of the information or technology involves criminal intelligence activities. Such activities do not include information or technology that is used for routine administrative and business applications, including, but not limited to, payroll, finance, logistics, and personnel management applications.

(3) This part does not apply to electronic information and information technology that is acquired by a contractor and that is incidental to the contract.

(4) This part applies to competitive solicitations issued or new systems developed by a state agency on or after July 1, 2006.

History.--s. 73, ch. 2006-227.

282.606 Intent.--It is the intent of the Legislature that, in construing this part, due consideration and great weight be given to the interpretations of the federal courts relating to comparable provisions of s. 508 of the Rehabilitation Act of 1973, as amended, and 29 U.S.C. s. 794(d), including the regulations set forth under 36 C.F.R. part 1194, as of July 1, 2006.

History.--s. 73, ch. 2006-227.