A bill to be entitled

An act relating to data destruction; providing definitions; requiring all public agencies and private entities that collect personal information to adhere to the procedures provided in the National Institute of Standards and Technology's "Guidelines for Media Sanitization" when destroying such information; requiring such agencies and entities to maintain a copy of the guidelines; requiring all state agencies to submit a sampling of sanitized media to a third-party vendor for verification of data destruction; requiring the Department of Management Services to adopt rules; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Media sanitization.--

(1) As used in this section, the term:

(a) "Media" means:

1. Hard copy information, which is the physical representation of information, including, but not limited to, paper printouts, printer and facsimile ribbons, drums, and platens; and

2. Electronic information, which is the bits and bytes contained in hard drives, random-access memory, read-only memory, optical disc storage media, memory devices, telephones, mobile computing devices, networking equipment, and other types of information storage equipment.

(b) "Sanitization" means the process of removing data from media in a manner that prevents the retrieval or reconstruction of the data.

(c) "Sanitized" means having undergone the process of sanitization described in paragraph (b).

(2) All agencies, as defined in s. 119.011, Florida Statutes, and all private corporations, business trusts, partnerships, limited liability companies, associations, joint ventures, estates, trusts, or any other legal or commercial entities, for profit or not for profit, located in or doing business in this state, which collect any information that is deemed secret, private, personal, or confidential in nature; contains identifying information, including names, personal or business addresses, social security numbers, credit or debit card numbers, bank account numbers, telephone numbers, or photographs that are recorded on media; and is subject to sanitization or meets the criteria for destruction as set forth in the "Guidelines for Media Sanitization: Recommendation of the National Institute of Standards and Technology," NIST Special Publication 800-88, must use the purge or physical destruction techniques for media destruction described in that document.

(3) All state agencies and private entities subject to subsection (2) must keep a copy of the Guidelines for Media Sanitization available for use. An electronic copy of the document must be kept on the computer desktop of the chief information officer, security officer, records management officer, or other person responsible for the sanitization of the personal or private data at the agency or entity.

(4) All state agencies must submit a sampling of sanitized electronic media to a third-party vendor that has no stake in the sanitization process or conflict of interest for verification of data destruction. The Department of Management Services shall adopt by rule criteria for the selection of third-party vendors to be used to verify data destruction and procedures for the submission and return of samples of sanitized electronic media.

Section 2. This act shall take effect July 1, 2010.