Florida Senate - 2020 COMMITTEE AMENDMENT
Bill No. CS for SB 1870
The Committee on Banking and Insurance (Hutson) recommended the
1 Senate Amendment (with title amendment)
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Subsection (2) of section 20.22, Florida
6 Statutes, is amended to read:
7 20.22 Department of Management Services.—There is created a
8 Department of Management Services.
9 (2) The following divisions and programs within the
10 Department of Management Services shall consist of the following
11 are established:
12 (a) The Facilities Program.
13 (b) The Division of Telecommunications State Technology,
14 the director of which is appointed by the secretary of the
15 department and shall serve as the state chief information
16 officer. The state chief information officer must be a proven,
17 effective administrator who must have at least 10 years of
18 executive-level experience in the public or private sector,
19 preferably with experience in the development of information
20 technology strategic planning and the development and
21 implementation of fiscal and substantive information technology
22 policy and standards.
23 (c) The Workforce Program.
24 (d)1. The Support Program.
25 2. The Federal Property Assistance Program.
26 (e) The Administration Program.
27 (f) The Division of Administrative Hearings.
28 (g) The Division of Retirement.
29 (h) The Division of State Group Insurance.
30 (i) The Florida Digital Service.
31 Section 2. Section 282.0041, Florida Statutes, is amended
32 to read:
33 282.0041 Definitions.—As used in this chapter, the term:
34 (1) “Agency assessment” means the amount each customer
35 entity must pay annually for services from the Department of
36 Management Services and includes administrative and data center
37 services costs.
38 (2) “Agency data center” means agency space containing 10
39 or more physical or logical servers.
40 (3) “Breach” has the same meaning as provided in s.
42 (4) “Business continuity plan” means a collection of
43 procedures and information designed to keep an agency’s critical
44 operations running during a period of displacement or
45 interruption of normal operations.
46 (5) “Cloud computing” has the same meaning as provided in
47 Special Publication 800-145 issued by the National Institute of
48 Standards and Technology.
49 (6) “Computing facility” or “agency computing facility”
50 means agency space containing fewer than a total of 10 physical
51 or logical servers, but excluding single, logical-server
52 installations that exclusively perform a utility function such
53 as file and print servers.
54 (7) “Credential service provider” means a provider
55 competitively procured by the department to supply secure
56 identity management and verification services based on open
57 standards to qualified entities.
58 (8) “Customer entity” means an entity that obtains services
59 from the Department of Management Services.
60 (9) (8) “Data” means a subset of structured information in a
61 format that allows such information to be electronically
62 retrieved and transmitted.
63 (10) “Data-call” means an electronic transaction with the
64 credential service provider that verifies the authenticity of a
65 digital identity by querying enterprise data.
66 (11) (9) “Department” means the Department of Management
68 (12) (10) “Disaster recovery” means the process, policies,
69 procedures, and infrastructure related to preparing for and
70 implementing recovery or continuation of an agency’s vital
71 technology infrastructure after a natural or human-induced
73 (13) “Electronic” means technology having electrical,
74 digital, magnetic, wireless, optical, electromagnetic, or
75 similar capabilities.
76 (14) “Electronic credential” means an electronic
77 representation of the identity of a person, an organization, an
78 application, or a device.
79 (15) “Enterprise” means the collection of state agencies as
80 defined in subsection (35). The term includes the Department of
81 Legal Affairs, the Department of Agriculture and Consumer
82 Services, and the Department of Financial Services.
83 (16) “Enterprise architecture” means a comprehensive
84 operational framework that contemplates the needs and assets of
85 the enterprise to support interoperability across state
87 (17) (11) “Enterprise information technology service” means
88 an information technology service that is used in all agencies
89 or a subset of agencies and is established in law to be
90 designed, delivered, and managed at the enterprise level.
91 (18) (12) “Event” means an observable occurrence in a system
92 or network.
93 (19) (13) “Incident” means a violation or imminent threat of
94 violation, whether such violation is accidental or deliberate,
95 of information technology resources, security, policies, or
96 practices. An imminent threat of violation refers to a situation
97 in which the state agency has a factual basis for believing that
98 a specific incident is about to occur.
99 (20) (14) “Information technology” means equipment,
100 hardware, software, firmware, programs, systems, networks,
101 infrastructure, media, and related material used to
102 automatically, electronically, and wirelessly collect, receive,
103 access, transmit, display, store, record, retrieve, analyze,
104 evaluate, process, classify, manipulate, manage, assimilate,
105 control, communicate, exchange, convert, converge, interface,
106 switch, or disseminate information of any kind or form.
107 (21) (15) “Information technology policy” means a definite
108 course or method of action selected from among one or more
109 alternatives that guide and determine present and future
111 (22) (16) “Information technology resources” has the same
112 meaning as provided in s. 119.011.
113 (23) (17) “Information technology security” means the
114 protection afforded to an automated information system in order
115 to attain the applicable objectives of preserving the integrity,
116 availability, and confidentiality of data, information, and
117 information technology resources.
118 (24) “Interoperability” means the technical ability to
119 share and use data across and throughout the enterprise.
120 (25) (18) “Open data” means data collected or created by a
121 state agency, including the Department of Legal Affairs, the
122 Department of Agriculture and Consumer Services, and the
123 Department of Financial Services, and structured in a way that
124 enables the data to be fully discoverable and usable by the
125 public. The term does not include data that are restricted from
126 public disclosure distribution based on federal or state
127 privacy, confidentiality, and security laws and regulations or
128 data for which a state agency is statutorily authorized to
129 assess a fee for its distribution.
130 (26) (19) “Performance metrics” means the measures of an
131 organization’s activities and performance.
132 (27) (20) “Project” means an endeavor that has a defined
133 start and end point; is undertaken to create or modify a unique
134 product, service, or result; and has specific objectives that,
135 when attained, signify completion.
136 (28) (21) “Project oversight” means an independent review
137 and analysis of an information technology project that provides
138 information on the project’s scope, completion timeframes, and
139 budget and that identifies and quantifies issues or risks
140 affecting the successful and timely completion of the project.
141 (29) “Qualified entity” means a public or private entity or
142 individual that enters into a binding agreement with the
143 department, meets usage criteria, agrees to terms and
144 conditions, and is subsequently and prescriptively authorized by
145 the department to access data under the terms of that agreement
146 as specified in s. 282.0051.
147 (30) (22) “Risk assessment” means the process of identifying
148 security risks, determining their magnitude, and identifying
149 areas needing safeguards.
150 (31) (23) “Service level” means the key performance
151 indicators (KPI) of an organization or service which must be
152 regularly performed, monitored, and achieved.
153 (32) (24) “Service-level agreement” means a written contract
154 between the Department of Management Services and a customer
155 entity which specifies the scope of services provided, service
156 level, the duration of the agreement, the responsible parties,
157 and service costs. A service-level agreement is not a rule
158 pursuant to chapter 120.
159 (33) (25) “Stakeholder” means a person, group, organization,
160 or state agency involved in or affected by a course of action.
161 (34) (26) “Standards” means required practices, controls,
162 components, or configurations established by an authority.
163 (35) (27) “State agency” means any official, officer,
164 commission, board, authority, council, committee, or department
165 of the executive branch of state government; the Justice
166 Administrative Commission; and the Public Service Commission.
167 The term does not include university boards of trustees or state
168 universities. As used in part I of this chapter, except as
169 otherwise specifically provided, the term does not include the
170 Department of Legal Affairs, the Department of Agriculture and
171 Consumer Services, or the Department of Financial Services.
172 (36) (28) “SUNCOM Network” means the state enterprise
173 telecommunications system that provides all methods of
174 electronic or optical telecommunications beyond a single
175 building or contiguous building complex and used by entities
176 authorized as network users under this part.
177 (37) (29) “Telecommunications” means the science and
178 technology of communication at a distance, including electronic
179 systems used in the transmission or reception of information.
180 (38) (30) “Threat” means any circumstance or event that has
181 the potential to adversely impact a state agency’s operations or
182 assets through an information system via unauthorized access,
183 destruction, disclosure, or modification of information or
184 denial of service.
185 (39) (31) “Variance” means a calculated value that
186 illustrates how far positive or negative a projection has
187 deviated when measured against documented estimates within a
188 project plan.
189 Section 3. Section 282.0051, Florida Statutes, is amended
190 to read:
191 282.0051 Florida Digital Service Department of Management
192 Services; powers, duties, and functions.—There is established
193 the Florida Digital Service within the department to create
194 innovative solutions that securely modernize state government,
195 achieve value through digital transformation and
196 interoperability, and fully support the cloud-first policy as
197 specified in s. 282.206.
198 (1) The Florida Digital Service department shall have the
199 following powers, duties, and functions:
200 (a) (1) Develop and publish information technology policy
201 for the management of the state’s information technology
203 (b) (2) Develop an enterprise architecture that:
204 1. Acknowledges the unique needs of those included within
205 the enterprise, resulting in the publication of standards,
206 terminologies, and procurement guidelines to facilitate digital
208 2. Supports the cloud-first policy as specified in s.
209 282.206; and
210 3. Addresses how information technology infrastructure may
211 be modernized to achieve cloud-first objectives Establish and
212 publish information technology architecture standards to provide
213 for the most efficient use of the state’s information technology
214 resources and to ensure compatibility and alignment with the
215 needs of state agencies. The department shall assist state
216 agencies in complying with the standards.
217 (c) (3) Establish project management and oversight standards
218 with which state agencies must comply when implementing projects
219 that have an information technology component projects. The
220 Florida Digital Service department shall provide training
221 opportunities to state agencies to assist in the adoption of the
222 project management and oversight standards. To support data
223 driven decisionmaking, the standards must include, but are not
224 limited to:
225 1. (a) Performance measurements and metrics that objectively
226 reflect the status of a project with an information technology
227 component project based on a defined and documented project
228 scope, cost, and schedule.
229 2. (b) Methodologies for calculating acceptable variances in
230 the projected versus actual scope, schedule, or cost of a
231 project with an information technology component project.
232 3. (c) Reporting requirements, including requirements
233 designed to alert all defined stakeholders that a project with
234 an information technology component project has exceeded
235 acceptable variances defined and documented in a project plan.
236 4. (d) Content, format, and frequency of project updates.
237 (d) (4) Perform project oversight on all state agency
238 information technology projects that have an information
239 technology component with a total project cost costs of $10
240 million or more and that are funded in the General
241 Appropriations Act or any other law. The Florida Digital Service
242 department shall report at least quarterly to the Executive
243 Office of the Governor, the President of the Senate, and the
244 Speaker of the House of Representatives on any project with an
245 information technology component project that the Florida
246 Digital Service department identifies as high-risk due to the
247 project exceeding acceptable variance ranges defined and
248 documented in a project plan. The report must include a risk
249 assessment, including fiscal risks, associated with proceeding
250 to the next stage of the project, and a recommendation for
251 corrective actions required, including suspension or termination
252 of the project. The Florida Digital Service shall establish a
253 process for state agencies to apply for an exception to the
254 requirements of this paragraph for a specific project with an
255 information technology component.
256 (e) (5) Identify opportunities for standardization and
257 consolidation of information technology services that support
258 interoperability and the cloud-first policy as specified in s.
259 282.206, business functions and operations, including
260 administrative functions such as purchasing, accounting and
261 reporting, cash management, and personnel, and that are common
262 across state agencies. The Florida Digital Service department
263 shall biennially on April 1 provide recommendations for
264 standardization and consolidation to the Executive Office of the
265 Governor, the President of the Senate, and the Speaker of the
266 House of Representatives.
267 (f) (6) Establish best practices for the procurement of
268 information technology products and cloud-computing services in
269 order to reduce costs, increase the quality of data center
270 services, or improve government services.
271 (g) (7) Develop standards for information technology reports
272 and updates, including, but not limited to, operational work
273 plans, project spend plans, and project status reports, for use
274 by state agencies.
275 (h) (8) Upon request, assist state agencies in the
276 development of information technology-related legislative budget
278 (i) (9) Conduct annual assessments of state agencies to
279 determine compliance with all information technology standards
280 and guidelines developed and published by the Florida Digital
281 Service department and provide results of the assessments to the
282 Executive Office of the Governor, the President of the Senate,
283 and the Speaker of the House of Representatives.
284 (j) (10) Provide operational management and oversight of the
285 state data center established pursuant to s. 282.201, which
287 1. (a) Implementing industry standards and best practices
288 for the state data center’s facilities, operations, maintenance,
289 planning, and management processes.
290 2. (b) Developing and implementing cost-recovery or other
291 payment mechanisms that recover the full direct and indirect
292 cost of services through charges to applicable customer
293 entities. Such cost-recovery or other payment mechanisms must
294 comply with applicable state and federal regulations concerning
295 distribution and use of funds and must ensure that, for any
296 fiscal year, no service or customer entity subsidizes another
297 service or customer entity.
298 3. (c) Developing and implementing appropriate operating
299 guidelines and procedures necessary for the state data center to
300 perform its duties pursuant to s. 282.201. The guidelines and
301 procedures must comply with applicable state and federal laws,
302 regulations, and policies and conform to generally accepted
303 governmental accounting and auditing standards. The guidelines
304 and procedures must include, but need not be limited to:
305 a. 1. Implementing a consolidated administrative support
306 structure responsible for providing financial management,
307 procurement, transactions involving real or personal property,
308 human resources, and operational support.
309 b. 2. Implementing an annual reconciliation process to
310 ensure that each customer entity is paying for the full direct
311 and indirect cost of each service as determined by the customer
312 entity’s use of each service.
313 c. 3. Providing rebates that may be credited against future
314 billings to customer entities when revenues exceed costs.
315 d. 4. Requiring customer entities to validate that
316 sufficient funds exist in the appropriate data processing
317 appropriation category or will be transferred into the
318 appropriate data processing appropriation category before
319 implementation of a customer entity’s request for a change in
320 the type or level of service provided, if such change results in
321 a net increase to the customer entity’s cost for that fiscal
323 e. 5. By November 15 of each year, providing to the Office
324 of Policy and Budget in the Executive Office of the Governor and
325 to the chairs of the legislative appropriations committees the
326 projected costs of providing data center services for the
327 following fiscal year.
328 f. 6. Providing a plan for consideration by the Legislative
329 Budget Commission if the cost of a service is increased for a
330 reason other than a customer entity’s request made pursuant to
331 sub-subparagraph d. subparagraph 4. Such a plan is required only
332 if the service cost increase results in a net increase to a
333 customer entity for that fiscal year.
334 g. 7. Standardizing and consolidating procurement and
335 contracting practices.
336 4. (d) In collaboration with the Department of Law
337 Enforcement, developing and implementing a process for
338 detecting, reporting, and responding to information technology
339 security incidents, breaches, and threats.
340 5. (e) Adopting rules relating to the operation of the state
341 data center, including, but not limited to, budgeting and
342 accounting procedures, cost-recovery or other payment
343 methodologies, and operating procedures.
344 (f) Conducting an annual market analysis to determine
345 whether the state’s approach to the provision of data center
346 services is the most effective and cost-efficient manner by
347 which its customer entities can acquire such services, based on
348 federal, state, and local government trends; best practices in
349 service provision; and the acquisition of new and emerging
350 technologies. The results of the market analysis shall assist
351 the state data center in making adjustments to its data center
352 service offerings.
353 (k) (11) Recommend other information technology services
354 that should be designed, delivered, and managed as enterprise
355 information technology services. Recommendations must include
356 the identification of existing information technology resources
357 associated with the services, if existing services must be
358 transferred as a result of being delivered and managed as
359 enterprise information technology services.
360 (l) (12) In consultation with state agencies, propose a
361 methodology and approach for identifying and collecting both
362 current and planned information technology expenditure data at
363 the state agency level.
364 (m)1. (13)(a) Notwithstanding any other law, provide project
365 oversight on any project with an information technology
366 component project of the Department of Financial Services, the
367 Department of Legal Affairs, and the Department of Agriculture
368 and Consumer Services which has a total project cost of $25
369 million or more and which impacts one or more other agencies.
370 Such projects with an information technology component projects
371 must also comply with the applicable information technology
372 architecture, project management and oversight, and reporting
373 standards established by the Florida Digital Service department.
374 The Florida Digital Service shall establish a process for the
375 Department of Financial Services, the Department of Legal
376 Affairs, and the Department of Agriculture and Consumer Services
377 to apply for an exception to the requirements of this paragraph
378 for a specific project with an information technology component.
379 2. (b) When performing the project oversight function
380 specified in subparagraph 1. paragraph (a), report at least
381 quarterly to the Executive Office of the Governor, the President
382 of the Senate, and the Speaker of the House of Representatives
383 on any project with an information technology component project
384 that the Florida Digital Service department identifies as high
385 risk due to the project exceeding acceptable variance ranges
386 defined and documented in the project plan. The report shall
387 include a risk assessment, including fiscal risks, associated
388 with proceeding to the next stage of the project and a
389 recommendation for corrective actions required, including
390 suspension or termination of the project.
391 (n) (14) If a project with an information technology
392 component project implemented by a state agency must be
393 connected to or otherwise accommodated by an information
394 technology system administered by the Department of Financial
395 Services, the Department of Legal Affairs, or the Department of
396 Agriculture and Consumer Services, consult with these
397 departments regarding the risks and other effects of such
398 projects on their information technology systems and work
399 cooperatively with these departments regarding the connections,
400 interfaces, timing, or accommodations required to implement such
402 (o) (15) If adherence to standards or policies adopted by or
403 established pursuant to this section causes conflict with
404 federal regulations or requirements imposed on a state agency
405 and results in adverse action against the state agency or
406 federal funding, work with the state agency to provide
407 alternative standards, policies, or requirements that do not
408 conflict with the federal regulation or requirement. The Florida
409 Digital Service department shall annually report such
410 alternative standards to the Governor, the President of the
411 Senate, and the Speaker of the House of Representatives.
412 (p)1. (16)(a) Establish an information technology policy for
413 all information technology-related state contracts, including
414 state term contracts for information technology commodities,
415 consultant services, and staff augmentation services. The
416 information technology policy must include:
417 a. 1. Identification of the information technology product
418 and service categories to be included in state term contracts.
419 b. 2. Requirements to be included in solicitations for state
420 term contracts.
421 c. 3. Evaluation criteria for the award of information
422 technology-related state term contracts.
423 d. 4. The term of each information technology-related state
424 term contract.
425 e. 5. The maximum number of vendors authorized on each state
426 term contract.
427 2. (b) Evaluate vendor responses for information technology
428 related state term contract solicitations and invitations to
430 3. (c) Answer vendor questions on information technology
431 related state term contract solicitations.
432 4. (d) Ensure that the information technology policy
433 established pursuant to subparagraph 1. paragraph (a) is
434 included in all solicitations and contracts that are
435 administratively executed by the department.
436 (q) (17) Recommend potential methods for standardizing data
437 across state agencies which will promote interoperability and
438 reduce the collection of duplicative data.
439 (r) (18) Recommend open data technical standards and
440 terminologies for use by the enterprise state agencies.
441 (2)(a) The Secretary of Management Services shall designate
442 a state chief information officer, who shall administer the
443 Florida Digital Service and is included in the Senior Management
445 (b) The state chief information officer shall designate a
446 chief data officer, who shall report to the state chief
447 information officer and is included in the Senior Management
449 (3) The Florida Digital Service shall, pursuant to
450 legislative appropriation:
451 (a) Create and maintain a comprehensive indexed data
452 catalog that lists what data elements are housed within the
453 enterprise and in which legacy system or application these data
454 elements are located.
455 (b) Develop and publish, in collaboration with the
456 enterprise, a data dictionary for each agency which reflects the
457 nomenclature in the comprehensive indexed data catalog.
458 (c) Review and document use cases across the enterprise
460 (d) Develop and publish standards that support the creation
461 and deployment of application programming interfaces to
462 facilitate integration throughout the enterprise.
463 (e) Publish standards necessary to facilitate a secure
464 ecosystem of data interoperability which is compliant with the
465 enterprise architecture and allows for a qualified entity to
466 access the enterprise’s data under the terms of the agreements
467 with the department. However, enterprise data do not include
468 data that are restricted from public distribution based on
469 federal or state privacy, confidentiality, or security laws and
471 (f) Publish standards that facilitate the deployment of
472 applications or solutions to existing enterprise obligations in
473 a controlled and phased approach, including, but not limited to:
474 1. Electronic credentials, including digital proofs of a
475 driver license as specified in s. 322.032.
476 2. Interoperability that enables supervisors of elections
477 to authenticate voter eligibility in real time at the point of
479 3. The criminal justice database.
480 4. Motor vehicle insurance cancellation integration between
481 insurers and the Department of Highway Safety and Motor
483 5. Interoperability solutions between agencies, including,
484 but not limited to, the Department of Health, the Agency for
485 Health Care Administration, the Agency for Persons with
486 Disabilities, the Department of Education, the Department of
487 Elderly Affairs, and the Department of Children and Families.
488 6. Interoperability solutions to support military members,
489 veterans, and their families.
490 (4) Pursuant to legislative authorization and subject to
492 (a) The department may procure a credential service
493 provider through a competitive process pursuant to s. 287.057.
494 The terms of the contract developed from such procurement must
495 pay for the value on a per-data-call or subscription basis, and
496 there shall be no cost to the enterprise or law enforcement for
497 using the services provided by the credential service provider.
498 (b) The department may enter into agreements with qualified
499 entities that have the technological capabilities necessary to
500 integrate with the credential service provider; ensure secure
501 validation and authentication of data; meet usage criteria; and
502 agree to terms and conditions, privacy policies, and uniform
503 remittance terms relating to the consumption of enterprise data.
504 Enterprise data do not include data that are restricted from
505 public disclosure based on federal or state privacy,
506 confidentiality, or security laws and regulations. These
507 agreements must include clear, enforceable, and significant
508 penalties for violations of the agreements.
509 (c) The terms of the agreements between the department and
510 the credential service provider and between the department and
511 the qualified entities must be based on the per-data-call or
512 subscription charges to validate and authenticate an electronic
513 credential and allow the department to recover any state costs
514 for implementing and administering an electronic credential
515 solution. Credential service provider and qualifying entity
516 revenues may not be derived from any other transactions that
517 generate revenue for the enterprise outside of the per-data-call
518 or subscription charges.
519 (d) All revenues generated from the agreements with the
520 credential service provider and qualified entities shall be
521 remitted to the department, and the department shall deposit
522 these revenues into the Department of Management Services
523 Operating Trust Fund for distribution pursuant to a legislative
524 appropriation and department agreements with the credential
525 service provider and qualified entities.
526 (e) Upon the signing of the agreement and the enterprise
527 architecture terms of service and privacy policies with a
528 qualified entity, the department shall facilitate authorized
529 integrations between the qualified entity and the credential
530 service provider.
531 (5) Upon the adoption of the enterprise architecture, the
532 Florida Digital Service may develop a process to:
533 (a) Receive written notice from the enterprise of any
534 procurement of an information technology project that is subject
535 to enterprise architecture standards.
536 (b) Participate in the development of specifications and
537 recommend modifications of any procurement by state agencies so
538 that the procurement complies with the enterprise architecture.
539 (6) (19) The Florida Digital Service may adopt rules to
540 administer this section.
541 Section 4. Section 282.00515, Florida Statutes, is amended
542 to read:
543 282.00515 Duties of Cabinet agencies.—
544 (1) The Department of Legal Affairs, the Department of
545 Financial Services, and the Department of Agriculture and
546 Consumer Services shall adopt the standards established in s.
547 282.0051(1)(b), (c), (g), (r), and (3)(e) s. 282.0051(2), (3),
548 and (7) or adopt alternative standards based on best practices
549 and industry standards that allow for the interoperability of
550 open data within the enterprise.
551 (2) If the Department of Legal Affairs, the Department of
552 Financial Services, or the Department of Agriculture and
553 Consumer Services adopts alternative standards in lieu of the
554 enterprise architecture standards in s. 282.0051, such agency
555 shall notify the Governor, the President of the Senate, and
556 Speaker of the House of Representatives in writing before the
557 adoption of the alternative standards and annually thereafter,
558 until such agency adopts the enterprise architecture standards
559 in s. 282.0051. The notification must include the following:
560 (a) A detailed plan of how such agency will comply with the
561 interoperability requirements referenced in this chapter.
562 (b) An estimated cost and time difference between adhering
563 to the enterprise architecture or choosing alternative
565 (c) A detailed security risk assessment of adopting
566 alternative standards versus adopting the enterprise
568 (d) Certification by the agency head or the agency head’s
569 designated representative that the agency’s strategic and
570 operational information technology security plans as required by
571 s. 282.318(4) include provisions related to interoperability.
572 (3) The Department of Legal Affairs, the Department of
573 Financial Services, or the Department of Agriculture and
574 Consumer Services may contract with the department to provide or
575 perform any of the services and functions described in s.
577 (4)(a) This section or s. 282.0051 does not require the
578 Department of Legal Affairs, the Department of Financial
579 Services, or the Department of Agriculture and Consumer Services
580 to integrate with any information technology outside its own
581 department or contract with a credential service provider.
582 (b) The Florida Digital Service may not retrieve or publish
583 data without a data sharing agreement in place between the
584 Florida Digital Service and the Department of Legal Affairs, the
585 Department of Financial Services, or the Department of
586 Agriculture and Consumer Services , and may contract with the
587 department to provide or perform any of the services and
588 functions described in s. 282.0051 for the Department of Legal
589 Affairs, the Department of Financial Services, or the Department
590 of Agriculture and Consumer Services.
591 Section 5. Paragraph (a) of subsection (3) of section
592 282.318, Florida Statutes, is amended to read:
593 282.318 Security of data and information technology.—
594 (3) The department is responsible for establishing
595 standards and processes consistent with generally accepted best
596 practices for information technology security, to include
597 cybersecurity, and adopting rules that safeguard an agency’s
598 data, information, and information technology resources to
599 ensure availability, confidentiality, and integrity and to
600 mitigate risks. The department shall also:
601 (a) Designate a state chief information security officer
602 who shall report to the state chief information officer of the
603 Florida Digital Service and is in the Senior Management Service.
604 The state chief information security officer must have
605 experience and expertise in security and risk management for
606 communications and information technology resources.
607 Section 6. Subsection (4) of section 287.0591, Florida
608 Statutes, is amended to read:
609 287.0591 Information technology.—
610 (4) If the department issues a competitive solicitation for
611 information technology commodities, consultant services, or
612 staff augmentation contractual services, the Florida Digital
613 Service Division of State Technology within the department shall
614 participate in such solicitations.
615 Section 7. Paragraph (a) of subsection (3) of section
616 365.171, Florida Statutes, is amended to read:
617 365.171 Emergency communications number E911 state plan.—
618 (3) DEFINITIONS.—As used in this section, the term:
619 (a) “Office” means the Division of Telecommunications State
620 Technology within the Department of Management Services, as
621 designated by the secretary of the department.
622 Section 8. Paragraph (s) of subsection (3) of section
623 365.172, Florida Statutes, is amended to read:
624 365.172 Emergency communications number “E911.”—
625 (3) DEFINITIONS.—Only as used in this section and ss.
626 365.171, 365.173, 365.174, and 365.177, the term:
627 (s) “Office” means the Division of Telecommunications State
628 Technology within the Department of Management Services, as
629 designated by the secretary of the department.
630 Section 9. Paragraph (a) of subsection (1) of section
631 365.173, Florida Statutes, is amended to read:
632 365.173 Communications Number E911 System Fund.—
633 (1) REVENUES.—
634 (a) Revenues derived from the fee levied on subscribers
635 under s. 365.172(8) must be paid by the board into the State
636 Treasury on or before the 15th day of each month. Such moneys
637 must be accounted for in a special fund to be designated as the
638 Emergency Communications Number E911 System Fund, a fund created
639 in the Division of Telecommunications State Technology, or other
640 office as designated by the Secretary of Management Services.
641 Section 10. Subsection (5) of section 943.0415, Florida
642 Statutes, is amended to read:
643 943.0415 Cybercrime Office.—There is created within the
644 Department of Law Enforcement the Cybercrime Office. The office
646 (5) Consult with the Florida Digital Service Division of
647 State Technology within the Department of Management Services in
648 the adoption of rules relating to the information technology
649 security provisions in s. 282.318.
650 Section 11. Effective January 1, 2021, section 559.952,
651 Florida Statutes, is created to read:
652 559.952 Financial Technology Sandbox.—
653 (1) SHORT TITLE.—This section may be cited as the
654 “Financial Technology Sandbox.”
655 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
656 created the Financial Technology Sandbox within the Office of
657 Financial Regulation to allow financial technology innovators to
658 test new products and services in a supervised, flexible
659 regulatory sandbox using exceptions to specified general law and
660 waivers of the corresponding rule requirements under defined
661 conditions. The creation of a supervised, flexible regulatory
662 sandbox provides a welcoming business environment for technology
663 innovators and may lead to significant business growth.
664 (3) DEFINITIONS.—As used in this section, the term:
665 (a) “Business entity” means a domestic corporation or other
666 organized domestic entity with a physical presence, other than
667 that of a registered office or agent or virtual mailbox, in this
669 (b) “Commission” means the Financial Services Commission.
670 (c) “Consumer” means a person in this state, whether a
671 natural person or a business entity, who purchases, uses,
672 receives, or enters into an agreement to purchase, use, or
673 receive an innovative financial product or service made
674 available through the Financial Technology Sandbox.
675 (d) “Control person” means an individual, a partnership, a
676 corporation, a trust, or other organization that possesses the
677 power, directly or indirectly, to direct the management or
678 policies of a company, whether through ownership of securities,
679 by contract, or through other means. A person is presumed to
680 control a company if, with respect to a particular company, that
682 1. Is a director, a general partner, or an officer
683 exercising executive responsibility or having similar status or
685 2. Directly or indirectly may vote 10 percent or more of a
686 class of a voting security or sell or direct the sale of 10
687 percent or more of a class of voting securities; or
688 3. In the case of a partnership, may receive upon
689 dissolution or has contributed 10 percent or more of the
691 (e) “Financial product or service” means a product or
692 service related to a consumer finance loan, as defined in s.
693 516.01, or a money transmitter and payment instrument seller, as
694 defined in s. 560.103, including mediums of exchange that are in
695 electronic or digital form, which is subject to general law or
696 corresponding rule requirements in the sections enumerated in
697 paragraph (4)(a) and which is under the jurisdiction of the
699 (f) “Financial Technology Sandbox” means the program
700 created in this section which allows a licensee to make an
701 innovative financial product or service available to consumers
702 as a person who makes and collects consumer finance loans, as
703 defined in s. 516.01, or as a money transmitter or payment
704 instrument seller, as defined in s. 560.103, during a sandbox
705 period through an exception to general laws or a waiver of rule
706 requirements, or portions thereof, as specified in this section.
707 (g) “Innovative” means new or emerging technology, or new
708 uses of existing technology, which provides a product, service,
709 business model, or delivery mechanism to the public and which is
710 not known to have a comparable offering in this state outside
711 the Financial Technology Sandbox.
712 (h) “Licensee” means a person who has been approved by the
713 office to participate in the Financial Technology Sandbox.
714 (i) “Office” means, unless the context clearly indicates
715 otherwise, the Office of Financial Regulation.
716 (j) “Sandbox period” means the period, initially not longer
717 than 24 months, in which the office has:
718 1. Authorized an innovative financial product or service to
719 be made available to consumers.
720 2. Granted the licensee who makes the innovative financial
721 product or service available an exception to general law or a
722 waiver of the corresponding rule requirements, as determined by
723 the office, so that the authorization under subparagraph 1. is
725 (4) EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
727 (a) Notwithstanding any other law, upon approval of a
728 Financial Technology Sandbox application, the office shall grant
729 an applicant a license and a waiver of a requirement, or a
730 portion thereof, which is imposed by rule as authorized by any
731 of the following provisions of general law, if all of the
732 conditions in paragraph (b) are met. If the application is
733 approved for a person who otherwise would be subject to chapter
734 516 or chapter 560, the following provisions are not applicable
735 to the licensee:
736 1. Section 516.03, except for the application fee for a
737 license, the investigation fee, evidence of liquid assets of at
738 least $25,000, and the office’s authority to make an
739 investigation of the facts concerning the applicant’s background
740 as provided in s. 516.03(1). The office may prorate the license
741 renewal fees for an extension granted under subsection (7).
742 2. Section 516.05, except for s. 516.05(4), (5), and (7)
744 3. Section 560.109, to the extent that it requires the
745 office to examine a licensee at least once every 5 years.
746 4. Section 560.118, except for s. 560.118(1).
747 5. Section 560.125(1), to the extent that subsection would
748 prohibit a licensee from engaging in the business of a money
749 services business during the sandbox period; and s. 560.125(2),
750 to the extent that subsection would prohibit a licensee from
751 appointing an authorized vendor during the sandbox period.
752 6. Section 560.128.
753 7. Section 560.141, except for s. 560.141(1)(a)3., 8., 9.,
754 and 10. and (1)(b), (c), and (d).
755 8. Section 560.142, except that the office may prorate, but
756 may not entirely waive, the license renewal fees provided in ss.
757 560.142 and 560.143 for an extension granted under subsection
759 9. Section 560.143(2), to the extent necessary for
760 proration of the renewal fee under subparagraph 8.
761 10. Section 560.204(1), to the extent that subsection would
762 prohibit a licensee from engaging in, or advertising it engages
763 in, the selling or issuing of payment instruments or in the
764 activity of a money transmitter during the sandbox period.
765 11. Section 560.205, except for s. 560.205(1), (3), and
767 12. Section 560.208, except for s. 560.208(3)-(6).
768 13. Section 560.209, except that the office may modify, but
769 may not entirely waive, the net worth, corporate surety bond,
770 and collateral deposit amounts required under that section. The
771 modified amounts must be in such lower amounts that the office
772 determines to be commensurate with the considerations under
773 paragraph (5)(d) and the maximum number of consumers authorized
774 to receive the financial product or service under this section.
775 (b) The office may grant, during a sandbox period, an
776 exception of a requirement, or a portion thereof, imposed by a
777 general law or waiver of a corresponding rule in any section
778 enumerated in paragraph (a) to a licensee, if all of the
779 following conditions are met:
780 1. The general law or corresponding rule currently prevents
781 the innovative financial product or service from being made
782 available to consumers.
783 2. The exceptions or rule waivers are not broader than
784 necessary to accomplish the purposes and standards specified in
785 this section, as determined by the office.
786 3. No provision relating to the liability of an
787 incorporator, a director, or an officer of the applicant is
788 eligible for a waiver.
789 4. The other requirements of this section are met.
790 (5) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
792 (a) Before filing an application for licensure under this
793 section, a substantially affected person may seek a declaratory
794 statement pursuant to s. 120.565 regarding the applicability of
795 a statute, a rule, or an agency order to the petitioner’s
796 particular set of circumstances.
797 (b) Before making an innovative financial product or
798 service available to consumers in the Financial Technology
799 Sandbox, a person must file an application for licensure with
800 the office. The commission shall, by rule, prescribe the form
801 and manner of the application.
802 1. In the application, the person must specify the general
803 law or rule requirements for which an exception or waiver is
804 sought and the reasons why these requirements prevent the
805 innovative financial product or service from being made
806 available to consumers.
807 2. The application also must contain the information
808 specified in paragraph (d).
809 (c)1. A business entity may file an application for
811 2. Before a person applies on behalf of a business entity
812 intending to make an innovative financial product or service
813 available to consumers, the person must obtain the consent of
814 the business entity.
815 (d) The office shall approve or deny in writing a Financial
816 Technology Sandbox application within 60 days after receiving
817 the completed application. The office and the applicant may
818 jointly agree to extend the time beyond 60 days. Consistent with
819 this section, the office may impose conditions on any approval.
820 In deciding whether to approve or deny an application for
821 licensure, the office must consider each of the following:
822 1. The nature of the innovative financial product or
823 service proposed to be made available to consumers in the
824 Financial Technology Sandbox, including all relevant technical
826 2. The potential risk to consumers and the methods that
827 will be used to protect consumers and resolve complaints during
828 the sandbox period.
829 3. The business plan proposed by the applicant, including
830 company information, market analysis, and financial projections
831 or pro forma financial statements.
832 4. Whether the applicant has the necessary personnel,
833 adequate financial and technical expertise, and a sufficient
834 plan to test, monitor, and assess the innovative financial
835 product or service.
836 5. If any control person of the applicant’s innovative
837 financial product or service has pled no contest to, has been
838 convicted or found guilty of, or is currently under
839 investigation for, fraud, a state or federal securities
840 violation, a property-based offense, or a crime involving moral
841 turpitude or dishonest dealing, the application to the Financial
842 Technology Sandbox must be denied. A plea of no contest, a
843 conviction, or a finding of guilt must be reported under this
844 subparagraph regardless of adjudication.
845 6. A copy of the disclosures that will be provided to
846 consumers under paragraph (6)(c).
847 7. The financial responsibility of any control person.
848 8. Any other factor that the office determines to be
850 (e) The office may not approve an application if:
851 1. The applicant had a prior Financial Technology Sandbox
852 application that was approved and that related to a
853 substantially similar financial product or service; or
854 2. Any control person substantially involved in the
855 development, operation, or management of the applicant’s
856 innovative financial product or service was substantially
857 involved in such with another Financial Technology Sandbox
858 applicant whose application was approved and whose application
859 related to a substantially similar financial product or service.
860 (f) Upon approval of an application, the office shall
861 specify the general law or rule requirements, or portions
862 thereof, for which an exception or a waiver is granted during
863 the sandbox period and the length of the initial sandbox period,
864 not to exceed 24 months. The office shall post on its website
865 notice of the approval of the application, a summary of the
866 innovative financial product or service, and the contact
867 information of the person making the financial product or
868 service available.
869 (6) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
870 (a) A licensee under this section may make an innovative
871 financial product or service available to consumers during the
872 sandbox period.
873 (b) The office, on a case-by-case basis, may specify the
874 maximum number of consumers authorized to receive an innovative
875 financial product or service, after consultation with the person
876 who makes the financial product or service available to
877 consumers. The office may not authorize more than 15,000
878 consumers to receive the financial product or service until the
879 licensee who makes the financial product or service available to
880 consumers has filed the first report required under subsection
881 (8). After the filing of that report, if the licensee
882 demonstrates adequate financial capitalization, risk management
883 processes, and management oversight, the office may authorize up
884 to 25,000 consumers to receive the financial product or service.
885 (c)1. Before a consumer purchases, uses, receives, or
886 enters into an agreement to purchase, use, or receive an
887 innovative financial product or service through the Financial
888 Technology Sandbox, the licensee making the financial product or
889 service available must provide a written statement of all of the
890 following to the consumer:
891 a. The name and contact information of the person making
892 the financial product or service available to consumers.
893 b. That the financial product or service has been
894 authorized to be made available to consumers for a temporary
895 period by the office, under the laws of this state.
896 c. That the state does not endorse the financial product or
898 d. That the financial product or service is undergoing
899 testing, may not function as intended, and may entail financial
901 e. That the licensee making the financial product or
902 service available to consumers is not immune from civil
903 liability for any losses or damages caused by the financial
904 product or service.
905 f. The expected end date of the sandbox period.
906 g. The contact information for the office and notification
907 that suspected legal violations, complaints, or other comments
908 related to the financial product or service may be submitted to
909 the office.
910 h. Any other statements or disclosures required by rule of
911 the commission which are necessary to further the purposes of
912 this section.
913 2. The written statement must contain an acknowledgement
914 from the consumer, which must be retained for the duration of
915 the sandbox period by the licensee making the financial product
916 or service available.
917 (d) The office may enter into an agreement with a state,
918 federal, or foreign regulatory agency to allow persons who make
919 an innovative financial product or service available in this
920 state through the Financial Technology Sandbox to make their
921 products or services available in other jurisdictions. The
922 commission shall adopt rules to implement this paragraph.
923 (e) The office may examine the records of a licensee at any
924 time, with or without prior notice.
925 (7) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
926 (a) A licensee may apply for an extension of the initial
927 sandbox period for up to 12 additional months for a purpose
928 specified in subparagraph (b)1. or subparagraph (b)2. A complete
929 application for an extension must be filed with the office at
930 least 90 days before the conclusion of the initial sandbox
931 period. The office shall approve or deny the application for
932 extension in writing at least 35 days before the conclusion of
933 the initial sandbox period. In deciding to approve or deny an
934 application for extension of the sandbox period, the office
935 must, at a minimum, consider the current status of the factors
936 previously considered under paragraph (5)(d).
937 (b) An application for an extension under paragraph (a)
938 must cite one of the following reasons as the basis for the
939 application and must provide all relevant supporting information
941 1. Amendments to general law or rules are necessary to
942 offer the innovative financial product or service in this state
944 2. An application for a license that is required in order
945 to offer the innovative financial product or service in this
946 state permanently has been filed with the office, and approval
947 is pending.
948 (c) At least 30 days before the conclusion of the initial
949 sandbox period or the extension, whichever is later, a licensee
950 shall provide written notification to consumers regarding the
951 conclusion of the initial sandbox period or the extension and
952 may not make the financial product or service available to any
953 new consumers after the conclusion of the initial sandbox period
954 or the extension, whichever is later, until legal authority
955 outside of the Financial Technology Sandbox exists for the
956 licensee to make the financial product or service available to
957 consumers. After the conclusion of the sandbox period or the
958 extension, whichever is later, the licensee may:
959 1. Collect and receive money owed to the person or pay
960 money owed by the person, based on agreements with consumers
961 made before the conclusion of the sandbox period or the
963 2. Take necessary legal action.
964 3. Take other actions authorized by commission rule which
965 are not inconsistent with this subsection.
966 (8) REPORT.—A licensee shall submit a report to the office
967 twice a year as prescribed by commission rule. The report must,
968 at a minimum, include financial reports and the number of
969 consumers who have received the financial product or service.
970 (9) CONSTRUCTION.—A person whose Financial Technology
971 Sandbox application is approved is deemed licensed under this
972 section and is subject to chapter 516 or chapter 560 with the
973 applicable exceptions to general law or waiver of the rule
974 requirements of chapter 516 or chapter 560 specified under
975 paragraph (4)(a), unless the person’s license has been revoked
976 or suspended. Notwithstanding s. 560.204(2), a licensee may not
977 engage in activities authorized under part III of chapter 560.
978 (10) VIOLATIONS AND PENALTIES.—
979 (a) A licensee who makes an innovative financial product or
980 service available to consumers in the Financial Technology
981 Sandbox is:
982 1. Not immune from civil damages for acts and omissions
983 relating to this section.
984 2. Subject to all criminal and any other statute not
985 specifically excepted under paragraph (4)(a).
986 (b)1. The office may, by order, revoke or suspend a license
987 of a person to make an innovative financial product or service
988 available to consumers if:
989 a. The person has violated or refused to comply with this
990 section, a rule of the commission, an order of the office, or a
991 condition placed by the office on the approval of the person’s
992 Financial Technology Sandbox application;
993 b. A fact or condition exists that, if it had existed or
994 become known at the time that the Financial Technology Sandbox
995 application was pending, would have warranted denial of the
996 application or the imposition of material conditions;
997 c. A material error, false statement, misrepresentation, or
998 material omission was made in the Financial Technology Sandbox
999 application; or
1000 d. After consultation with the licensee, the office
1001 determines that continued testing of the innovative financial
1002 product or service would:
1003 (I) Be likely to harm consumers; or
1004 (II) No longer serve the purposes of this section because
1005 of the financial or operational failure of the financial product
1006 or service.
1007 2. Written notice of a revocation or suspension order made
1008 under subparagraph 1. must be served using any means authorized
1009 by law. If the notice relates to a suspension, the notice must
1010 include any condition or remedial action that the person must
1011 complete before the office lifts the suspension.
1012 (c) The office may refer any suspected violation of law to
1013 an appropriate state or federal agency for investigation,
1014 prosecution, civil penalties, and other appropriate enforcement
1016 (d) If service of process on a person making an innovative
1017 financial product or service available to consumers in the
1018 Financial Technology Sandbox is not feasible, service on the
1019 office is deemed service on such person.
1020 (11) RULES AND ORDERS.—
1021 (a) The commission shall adopt rules to administer this
1023 (b) The office may issue all necessary orders to enforce
1024 this section and may enforce these orders in accordance with
1025 chapter 120 or in any court of competent jurisdiction. These
1026 orders include, but are not limited to, orders for payment of
1027 restitution for harm suffered by consumers as a result of an
1028 innovative financial product or service.
1029 Section 12. For the 2020-2021 fiscal year, the sum of
1030 $50,000 in nonrecurring funds is appropriated from the
1031 Administrative Trust Fund to the Office of Financial Regulation
1032 to implement s. 559.952, Florida Statutes, as created by this
1034 Section 13. Except as otherwise expressly provided in this
1035 act, this act shall take effect July 1, 2020.
1037 ================= T I T L E  A M E N D M E N T ================
1038 And the title is amended as follows:
1039 Delete everything before the enacting clause
1040 and insert:
1041 A bill to be entitled
1042 An act relating to technology innovation; amending s.
1043 20.22, F.S.; renaming the Division of State Technology
1044 within the Department of Management Services as the
1045 Division of Telecommunications; deleting provisions
1046 relating to the appointment of the Division of State
1047 Technology’s director and qualifications for the state
1048 chief information officer; adding the Florida Digital
1049 Service to the department; amending s. 282.0041, F.S.;
1050 defining terms; revising the definition of the term
1051 “open data”; amending s. 282.0051, F.S.; establishing
1052 the Florida Digital Service within the department;
1053 transferring specified powers, duties, and functions
1054 of the department to the Florida Digital Service and
1055 revising such powers, duties, and functions; providing
1056 for designations of a state chief information officer
1057 and a chief data officer and specifying their duties;
1058 specifying duties of, and authorized actions by, the
1059 Florida Digital Service pursuant to legislative
1060 appropriation; providing duties of, and authorized
1061 actions by, the department, subject to legislative
1062 authorization and appropriation; authorizing the
1063 Florida Digital Service to adopt rules; amending s.
1064 282.00515, F.S.; revising standards that the
1065 Department of Legal Affairs, the Department of
1066 Financial Services, and the Department of Agriculture
1067 and Consumer Services must adopt; specifying
1068 notification requirements to the Governor and the
1069 Legislature if such an agency adopts alternative
1070 standards; providing construction; prohibiting the
1071 Florida Digital Service from retrieving or publishing
1072 data without a data sharing agreement with such an
1073 agency; amending ss. 282.318, 287.0591, 365.171,
1074 365.172, 365.173, and 943.0415, F.S.; conforming
1075 provisions to changes made by the act; creating s.
1076 559.952, F.S.; providing a short title; creating the
1077 Financial Technology Sandbox within the Office of
1078 Financial Regulation; defining terms; requiring the
1079 office, if certain conditions are met, to grant a
1080 license to a Financial Technology Sandbox applicant,
1081 grant exceptions to specified provisions of general
1082 law relating to consumer finance loans and money
1083 services businesses, and grant waivers of certain
1084 rules; authorizing a substantially affected person to
1085 seek a declaratory statement before applying to the
1086 Financial Technology Sandbox; specifying application
1087 requirements and procedures; specifying requirements,
1088 restrictions, and procedures for the office in
1089 reviewing and approving or denying applications;
1090 requiring the office to post on its website certain
1091 information relating to approved applications;
1092 specifying authorized actions of, limitations on, and
1093 requirements for licensees operating in the Financial
1094 Technology Sandbox; specifying disclosure requirements
1095 for licensees to consumers; authorizing the office to
1096 enter into certain agreements with other regulatory
1097 agencies; authorizing the office to examine licensee
1098 records; authorizing a licensee to apply for an
1099 extension of an initial sandbox period for a certain
1100 timeframe; specifying requirements and procedures for
1101 applying for an extension; specifying requirements and
1102 procedures for, and authorized actions of, licensees
1103 when concluding a sandbox period or extension;
1104 requiring licensees to submit certain reports to the
1105 office at specified intervals; providing construction;
1106 specifying the liability of a licensee; authorizing
1107 the office to take certain disciplinary actions
1108 against a licensee under certain circumstances;
1109 providing construction relating to service of process;
1110 specifying the rulemaking authority of the Financial
1111 Services Commission; providing the office authority to
1112 issue orders and enforce the orders; providing an
1113 appropriation; providing effective dates.