Florida Senate - 2009                                    SB 1366

By Senator Fasano

11-00636A-09                                          20091366__

A bill to be entitled

An act relating to data destruction; providing definitions; requiring all state agencies and private entities that collect personal information to adhere to the procedures provided in the National Institute of Standards and Technology “Guidelines for Media Sanitization” when destroying such information; requiring such agencies and entities to maintain a copy of the guidelines; requiring all state agencies to submit a sampling of sanitized media to a third party vendor for verification of data destruction; authorizing the Department of Management Services to adopt rules; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Media sanitization.—

(1) As used in this section, the term:

(a) “Media” means:

1. “Hard copy information,” which is the physical representation of information, including, but not limited to, paper printouts, printer and facsimile ribbons, drums, and platens; and

2. “Electronic information,” which is the bits and bytes contained in hard drives, random-access memory, read-only memory, optical disc storage media, memory devices, telephones, mobile computing devices, networking equipment, and other types of information storage equipment.

(b) “Sanitization” or “sanitize” means the process of removing data from media, such that the data may not be retrieved or reconstructed.

(2) All state agencies, as defined in s. 119.011, and all private corporations, business trusts, partnerships, limited liability companies, associations, joint ventures, estates, trusts, or any other legal or commercial entity, for profit or not for profit, located in or doing business in this state, which collects any information that: is deemed secret, private, personal, or confidential in nature; contains identifying information, including names, personal or business addresses, social security numbers, credit or debit card numbers, bank account numbers, telephone numbers, or photographs that are recorded on media; and is subject to sanitization or meets the criteria for destruction as set forth in the “Guidelines for Media Sanitization: Recommendation of the National Institute of Standards and Technology,” NIST Special Publication 800-88, must use the purge or physical destruction techniques for media destruction described in that document.

(3) All state agencies and private entities subject to subsection (2) must keep a copy of the Guidelines for Media Sanitization available for use. An electronic copy of the document must be kept on the computer desktop of the chief information officer, security officer, records management officer, or other person responsible for the sanitization of the personal or private data at the agency or entity.

(4) All state agencies must submit a sampling of sanitized electronic media to a third-party vendor without a stake in the sanitization process for verification of data destruction. The Department of Management Services shall adopt by rule criteria for the selection of such vendor and procedures for the submission and return of such samples.

Section 2. This act shall take effect July 1, 2009.