Florida Senate - 2010 SB 586
By Senator Fasano
11-00473A-10 2010586__
A bill to be entitled
An act relating to data destruction; providing
definitions; requiring all public agencies and private
entities that collect personal information to adhere
to the procedures provided in the National Institute
of Standards and Technology “Guidelines for Media
Sanitization” when destroying such information;
requiring such agencies and entities to maintain a
copy of the guidelines; requiring all state agencies
to submit a sampling of sanitized media to a third
party vendor for verification of data destruction;
requiring the Department of Management Services to
adopt rules; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Media sanitization.—
(1) As used in this section, the term:
(a) “Media” means:
1. Hard copy information, which is the physical
representation of information, including, but not limited to,
paper printouts, printer and facsimile ribbons, drums, and
platens; and
2. Electronic information, which is the bits and bytes
contained in hard drives, random-access memory, read-only
memory, optical disc storage media, memory devices, telephones,
mobile computing devices, networking equipment, and other types
of information storage equipment.
(b) “Sanitization” or “sanitized” means the process of
removing data from media such that the data may not be retrieved
or reconstructed.
(2) All agencies, as defined in s. 119.011, Florida
Statutes, and all private corporations, business trusts,
partnerships, limited liability companies, associations, joint
ventures, estates, trusts, or any other legal or commercial
entities, for profit or not for profit, located in or doing
business in this state, which collect any information that is
deemed secret, private, personal, or confidential in nature;
contains identifying information, including names, personal or
business addresses, social security numbers, credit or debit
card numbers, bank account numbers, telephone numbers, or
photographs that are recorded on media; and is subject to
sanitization or meets the criteria for destruction as set forth
in the “Guidelines for Media Sanitization: Recommendation of the
National Institute of Standards and Technology,” NIST Special
Publication 800-88, must use the purge or physical destruction
techniques for media destruction described in that document.
(3) All state agencies and private entities subject to
subsection (2) must keep a copy of the Guidelines for Media
Sanitization available for use. An electronic copy of the
document must be kept on the computer desktop of the chief
information officer, security officer, records management
officer, or other person responsible for the sanitization of the
personal or private data at the agency or entity.
(4) All state agencies must submit a sampling of sanitized
electronic media to a third-party vendor without a stake in the
sanitization process for verification of data destruction. The
Department of Management Services shall adopt by rule criteria
for the selection of such vendor and procedures for the
submission and return of such samples.
Section 2. This act shall take effect July 1, 2010.