Florida Senate - 2020 COMMITTEE AMENDMENT
Bill No. CS for CS for SB 1870
LEGISLATIVE ACTION
Senate: Comm: RCS, 03/04/2020
House: (blank)
The Committee on Appropriations (Hutson) recommended the
following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Subsection (2) of section 20.22, Florida
6 Statutes, is amended to read:
7 20.22 Department of Management Services.—There is created a
8 Department of Management Services.
9 (2) The following divisions, and programs, and services
10 within the Department of Management Services are established:
11 (a) Facilities Program.
12 (b) The Florida Digital Service Division of State
13 Technology, the director of which is appointed by the secretary
14 of the department and shall serve as the state chief information
15 officer. The state chief information officer must be a proven,
16 effective administrator who must have at least 10 years of
17 executive-level experience in the public or private sector,
18 preferably with experience in the development of information
19 technology strategic planning and the development and
20 implementation of fiscal and substantive information technology
21 policy and standards.
22 (c) Workforce Program.
23 (d)1. Support Program.
24 2. Federal Property Assistance Program.
25 (e) Administration Program.
26 (f) Division of Administrative Hearings.
27 (g) Division of Retirement.
28 (h) Division of State Group Insurance.
29 (i) Division of Telecommunications.
30 Section 2. Paragraph (e) of subsection (2) of section
31 110.205, Florida Statutes, is amended to read:
32 110.205 Career service; exemptions.—
33 (2) EXEMPT POSITIONS.—The exempt positions that are not
34 covered by this part include the following:
35 (e) The state chief information officer, the state chief
36 data officer, and the state chief information security officer.
37 Unless otherwise fixed by law, The Department of Management
38 Services shall set the salary and benefits of these positions
39 this position in accordance with the rules of the Senior
40 Management Service.
41 Section 3. Section 282.0041, Florida Statutes, is amended
42 to read:
43 282.0041 Definitions.—As used in this chapter, the term:
44 (1) “Agency assessment” means the amount each customer
45 entity must pay annually for services from the Department of
46 Management Services and includes administrative and data center
47 services costs.
48 (2) “Agency data center” means agency space containing 10
49 or more physical or logical servers.
50 (3) “Breach” has the same meaning as provided in s.
51 501.171.
52 (4) “Business continuity plan” means a collection of
53 procedures and information designed to keep an agency’s critical
54 operations running during a period of displacement or
55 interruption of normal operations.
56 (5) “Cloud computing” has the same meaning as provided in
57 Special Publication 800-145 issued by the National Institute of
58 Standards and Technology.
59 (6) “Computing facility” or “agency computing facility”
60 means agency space containing fewer than a total of 10 physical
61 or logical servers, but excluding single, logical-server
62 installations that exclusively perform a utility function such
63 as file and print servers.
64 (7) “Customer entity” means an entity that obtains services
65 from the Department of Management Services.
66 (8) “Data” means a subset of structured information in a
67 format that allows such information to be electronically
68 retrieved and transmitted.
69 (9) “Data governance” means the practice of organizing,
70 classifying, securing, and implementing policies, procedures,
71 and standards for the effective use of an organization’s data.
72 (10) “Department” means the Department of Management
73 Services.
74 (11)(10) “Disaster recovery” means the process, policies,
75 procedures, and infrastructure related to preparing for and
76 implementing recovery or continuation of an agency’s vital
77 technology infrastructure after a natural or human-induced
78 disaster.
79 (12) “Electronic” means technology having electrical,
80 digital, magnetic, wireless, optical, electromagnetic, or
81 similar capabilities.
82 (13) “Electronic credential” means an electronic
83 representation of the identity of a person, an organization, an
84 application, or a device.
85 (14) “Enterprise” means state agencies and the Department
86 of Legal Affairs, the Department of Financial Services, and the
87 Department of Agriculture and Consumer Services.
88 (15) “Enterprise architecture” means a comprehensive
89 operational framework that contemplates the needs and assets of
90 the enterprise to support interoperability.
91 (16)(11) “Enterprise information technology service” means
92 an information technology service that is used in all agencies
93 or a subset of agencies and is established in law to be
94 designed, delivered, and managed at the enterprise level.
95 (17)(12) “Event” means an observable occurrence in a system
96 or network.
97 (18)(13) “Incident” means a violation or imminent threat of
98 violation, whether such violation is accidental or deliberate,
99 of information technology resources, security, policies, or
100 practices. An imminent threat of violation refers to a situation
101 in which the state agency has a factual basis for believing that
102 a specific incident is about to occur.
103 (19)(14) “Information technology” means equipment,
104 hardware, software, firmware, programs, systems, networks,
105 infrastructure, media, and related material used to
106 automatically, electronically, and wirelessly collect, receive,
107 access, transmit, display, store, record, retrieve, analyze,
108 evaluate, process, classify, manipulate, manage, assimilate,
109 control, communicate, exchange, convert, converge, interface,
110 switch, or disseminate information of any kind or form.
111 (20)(15) “Information technology policy” means a definite
112 course or method of action selected from among one or more
113 alternatives that guide and determine present and future
114 decisions.
115 (21)(16) “Information technology resources” has the same
116 meaning as provided in s. 119.011.
117 (22)(17) “Information technology security” means the
118 protection afforded to an automated information system in order
119 to attain the applicable objectives of preserving the integrity,
120 availability, and confidentiality of data, information, and
121 information technology resources.
122 (23) “Interoperability” means the technical ability to
123 share and use data across and throughout the enterprise.
124 (24)(18) “Open data” means data collected or created by a
125 state agency, the Department of Legal Affairs, the Department of
126 Financial Services, and the Department of Agriculture and
127 Consumer Services, and structured in a way that enables the data
128 to be fully discoverable and usable by the public. The term does
129 not include data that are restricted from public disclosure
130 distribution based on federal or state privacy, confidentiality,
131 and security laws and regulations, including, but not limited
132 to, those related to privacy, confidentiality, security,
133 personal health, business or trade secret information, and
134 exemptions from state public records laws; or data for which a
135 state agency, the Department of Legal Affairs, the Department of
136 Financial Services, or the Department of Agriculture and
137 Consumer Services is statutorily authorized to assess a fee for
138 its distribution.
139 (25)(19) “Performance metrics” means the measures of an
140 organization’s activities and performance.
141 (26)(20) “Project” means an endeavor that has a defined
142 start and end point; is undertaken to create or modify a unique
143 product, service, or result; and has specific objectives that,
144 when attained, signify completion.
145 (27)(21) “Project oversight” means an independent review
146 and analysis of an information technology project that provides
147 information on the project’s scope, completion timeframes, and
148 budget and that identifies and quantifies issues or risks
149 affecting the successful and timely completion of the project.
150 (28)(22) “Risk assessment” means the process of identifying
151 security risks, determining their magnitude, and identifying
152 areas needing safeguards.
153 (29)(23) “Service level” means the key performance
154 indicators (KPI) of an organization or service which must be
155 regularly performed, monitored, and achieved.
156 (30)(24) “Service-level agreement” means a written contract
157 between the Department of Management Services and a customer
158 entity which specifies the scope of services provided, service
159 level, the duration of the agreement, the responsible parties,
160 and service costs. A service-level agreement is not a rule
161 pursuant to chapter 120.
162 (31)(25) “Stakeholder” means a person, group, organization,
163 or state agency involved in or affected by a course of action.
164 (32)(26) “Standards” means required practices, controls,
165 components, or configurations established by an authority.
166 (33)(27) “State agency” means any official, officer,
167 commission, board, authority, council, committee, or department
168 of the executive branch of state government; the Justice
169 Administrative Commission; and the Public Service Commission.
170 The term does not include university boards of trustees or state
171 universities. As used in part I of this chapter, except as
172 otherwise specifically provided, the term does not include the
173 Department of Legal Affairs, the Department of Agriculture and
174 Consumer Services, or the Department of Financial Services.
175 (34)(28) “SUNCOM Network” means the state enterprise
176 telecommunications system that provides all methods of
177 electronic or optical telecommunications beyond a single
178 building or contiguous building complex and used by entities
179 authorized as network users under this part.
180 (35)(29) “Telecommunications” means the science and
181 technology of communication at a distance, including electronic
182 systems used in the transmission or reception of information.
183 (36)(30) “Threat” means any circumstance or event that has
184 the potential to adversely impact a state agency’s operations or
185 assets through an information system via unauthorized access,
186 destruction, disclosure, or modification of information or
187 denial of service.
188 (37)(31) “Variance” means a calculated value that
189 illustrates how far positive or negative a projection has
190 deviated when measured against documented estimates within a
191 project plan.
192 Section 4. Section 282.0051, Florida Statutes, is amended
193 to read:
194 282.0051 Department of Management Services; Florida Digital
195 Service; powers, duties, and functions.—
196 (1) The Florida Digital Service has been created within the
197 department to propose innovative solutions that securely
198 modernize state government, including technology and information
199 services, to achieve value through digital transformation and
200 interoperability, and to fully support the cloud-first policy as
201 specified in s. 282.206. The department, through the Florida
202 Digital Service, shall have the following powers, duties, and
203 functions:
204 (a)(1) Develop and publish information technology policy
205 for the management of the state’s information technology
206 resources.
207 (b)(2) Develop an enterprise architecture that:
208 1. Acknowledges the unique needs of the entities within the
209 enterprise in the development and publication of standards and
210 terminologies to facilitate digital interoperability;
211 2. Supports the cloud-first policy as specified in s.
212 282.206; and
213 3. Addresses how information technology infrastructure may
214 be modernized to achieve cloud-first objectives Establish and
215 publish information technology architecture standards to provide
216 for the most efficient use of the state’s information technology
217 resources and to ensure compatibility and alignment with the
218 needs of state agencies. The department shall assist state
219 agencies in complying with the standards.
220 (c)(3) Establish project management and oversight standards
221 with which state agencies must comply when implementing
222 information technology projects. The department, acting through
223 the Florida Digital Service, shall provide training
224 opportunities to state agencies to assist in the adoption of the
225 project management and oversight standards. To support data
226 driven decisionmaking, the standards must include, but are not
227 limited to:
228 1.(a) Performance measurements and metrics that objectively
229 reflect the status of an information technology project based on
230 a defined and documented project scope, cost, and schedule.
231 2.(b) Methodologies for calculating acceptable variances in
232 the projected versus actual scope, schedule, or cost of an
233 information technology project.
234 3.(c) Reporting requirements, including requirements
235 designed to alert all defined stakeholders that an information
236 technology project has exceeded acceptable variances defined and
237 documented in a project plan.
238 4.(d) Content, format, and frequency of project updates.
239 (d)(4) Perform project oversight on all state agency
240 information technology projects that have total project costs of
241 $10 million or more and that are funded in the General
242 Appropriations Act or any other law. The department, acting
243 through the Florida Digital Service, shall report at least
244 quarterly to the Executive Office of the Governor, the President
245 of the Senate, and the Speaker of the House of Representatives
246 on any information technology project that the department
247 identifies as high-risk due to the project exceeding acceptable
248 variance ranges defined and documented in a project plan. The
249 report must include a risk assessment, including fiscal risks,
250 associated with proceeding to the next stage of the project, and
251 a recommendation for corrective actions required, including
252 suspension or termination of the project.
253 (e)(5) Identify opportunities for standardization and
254 consolidation of information technology services that support
255 interoperability and the cloud-first policy, as specified in s.
256 282.206, and business functions and operations, including
257 administrative functions such as purchasing, accounting and
258 reporting, cash management, and personnel, and that are common
259 across state agencies. The department, acting through the
260 Florida Digital Service, shall biennially on January 1 of each
261 even-numbered year April 1 provide recommendations for
262 standardization and consolidation to the Executive Office of the
263 Governor, the President of the Senate, and the Speaker of the
264 House of Representatives.
265 (f)(6) Establish best practices for the procurement of
266 information technology products and cloud-computing services in
267 order to reduce costs, increase the quality of data center
268 services, or improve government services.
269 (g)(7) Develop standards for information technology reports
270 and updates, including, but not limited to, operational work
271 plans, project spend plans, and project status reports, for use
272 by state agencies.
273 (h)(8) Upon request, assist state agencies in the
274 development of information technology-related legislative budget
275 requests.
276 (i)(9) Conduct annual assessments of state agencies to
277 determine compliance with all information technology standards
278 and guidelines developed and published by the department and
279 provide results of the assessments to the Executive Office of
280 the Governor, the President of the Senate, and the Speaker of
281 the House of Representatives.
282 (j)(10) Provide operational management and oversight of the
283 state data center established pursuant to s. 282.201, which
284 includes:
285 1.(a) Implementing industry standards and best practices
286 for the state data center’s facilities, operations, maintenance,
287 planning, and management processes.
288 2.(b) Developing and implementing cost-recovery mechanisms
289 that recover the full direct and indirect cost of services
290 through charges to applicable customer entities. Such cost-recovery
291 mechanisms must comply with applicable state and
292 federal regulations concerning distribution and use of funds and
293 must ensure that, for any fiscal year, no service or customer
294 entity subsidizes another service or customer entity. The
295 Florida Digital Service may recommend other payment mechanisms
296 to the Executive Office of the Governor, the President of the
297 Senate, and the Speaker of the House of Representatives. Such
298 mechanism may be implemented only if specifically authorized by
299 the Legislature.
300 3.(c) Developing and implementing appropriate operating
301 guidelines and procedures necessary for the state data center to
302 perform its duties pursuant to s. 282.201. The guidelines and
303 procedures must comply with applicable state and federal laws,
304 regulations, and policies and conform to generally accepted
305 governmental accounting and auditing standards. The guidelines
306 and procedures must include, but need not be limited to:
307 a.1. Implementing a consolidated administrative support
308 structure responsible for providing financial management,
309 procurement, transactions involving real or personal property,
310 human resources, and operational support.
311 b.2. Implementing an annual reconciliation process to
312 ensure that each customer entity is paying for the full direct
313 and indirect cost of each service as determined by the customer
314 entity’s use of each service.
315 c.3. Providing rebates that may be credited against future
316 billings to customer entities when revenues exceed costs.
317 d.4. Requiring customer entities to validate that
318 sufficient funds exist in the appropriate data processing
319 appropriation category or will be transferred into the
320 appropriate data processing appropriation category before
321 implementation of a customer entity’s request for a change in
322 the type or level of service provided, if such change results in
323 a net increase to the customer entity’s cost for that fiscal
324 year.
325 e.5. By November 15 of each year, providing to the Office
326 of Policy and Budget in the Executive Office of the Governor and
327 to the chairs of the legislative appropriations committees the
328 projected costs of providing data center services for the
329 following fiscal year.
330 f.6. Providing a plan for consideration by the Legislative
331 Budget Commission if the cost of a service is increased for a
332 reason other than a customer entity’s request made pursuant to
333 sub-subparagraph d. subparagraph 4. Such a plan is required only
334 if the service cost increase results in a net increase to a
335 customer entity for that fiscal year.
336 g.7. Standardizing and consolidating procurement and
337 contracting practices.
338 4.(d) In collaboration with the Department of Law
339 Enforcement, developing and implementing a process for
340 detecting, reporting, and responding to information technology
341 security incidents, breaches, and threats.
342 5.(e) Adopting rules relating to the operation of the state
343 data center, including, but not limited to, budgeting and
344 accounting procedures, cost-recovery methodologies, and
345 operating procedures.
346 (k) Conduct a market analysis not less frequently than
347 every 3 years beginning in 2021 to determine whether the
348 information technology resources within the enterprise are
349 utilized in the most cost-effective and cost-efficient manner,
350 while recognizing that the replacement of certain legacy
351 information technology systems within the enterprise may be cost
352 prohibitive or cost inefficient due to the remaining useful life
353 of those resources; whether the enterprise is complying with the
354 cloud-first policy specified in s. 282.206; and whether the
355 enterprise is utilizing best practices with respect to
356 information technology, information services, and the
357 acquisition of emerging technologies and information services.
358 Each market analysis shall be used to prepare a strategic plan
359 for continued and future information technology and information
360 services for the enterprise, including, but not limited to,
361 proposed acquisition of new services or technologies and
362 approaches to the implementation of any new services or
363 technologies. Copies of each market analysis and accompanying
364 strategic plan must be submitted to the Executive Office of the
365 Governor, the President of the Senate, and the Speaker of the
366 House of Representatives not later than December 31 of each year
367 that a market analysis is conducted.
368 (f) Conducting an annual market analysis to determine
369 whether the state’s approach to the provision of data center
370 services is the most effective and cost-efficient manner by
371 which its customer entities can acquire such services, based on
372 federal, state, and local government trends; best practices in
373 service provision; and the acquisition of new and emerging
374 technologies. The results of the market analysis shall assist
375 the state data center in making adjustments to its data center
376 service offerings.
377 (l)(11) Recommend other information technology services
378 that should be designed, delivered, and managed as enterprise
379 information technology services. Recommendations must include
380 the identification of existing information technology resources
381 associated with the services, if existing services must be
382 transferred as a result of being delivered and managed as
383 enterprise information technology services.
384 (m)(12) In consultation with state agencies, propose a
385 methodology and approach for identifying and collecting both
386 current and planned information technology expenditure data at
387 the state agency level.
388 (n)1.(13)(a) Notwithstanding any other law, provide project
389 oversight on any information technology project of the
390 Department of Financial Services, the Department of Legal
391 Affairs, and the Department of Agriculture and Consumer Services
392 which has a total project cost of $25 million or more and which
393 impacts one or more other agencies. Such information technology
394 projects must also comply with the applicable information
395 technology architecture, project management and oversight, and
396 reporting standards established by the department, acting
397 through the Florida Digital Service.
398 2.(b) When performing the project oversight function
399 specified in subparagraph 1. paragraph (a), report at least
400 quarterly to the Executive Office of the Governor, the President
401 of the Senate, and the Speaker of the House of Representatives
402 on any information technology project that the department,
403 acting through the Florida Digital Service, identifies as high-risk
404 due to the project exceeding acceptable variance ranges
405 defined and documented in the project plan. The report shall
406 include a risk assessment, including fiscal risks, associated
407 with proceeding to the next stage of the project and a
408 recommendation for corrective actions required, including
409 suspension or termination of the project.
410 (o)(14) If an information technology project implemented by
411 a state agency must be connected to or otherwise accommodated by
412 an information technology system administered by the Department
413 of Financial Services, the Department of Legal Affairs, or the
414 Department of Agriculture and Consumer Services, consult with
415 these departments regarding the risks and other effects of such
416 projects on their information technology systems and work
417 cooperatively with these departments regarding the connections,
418 interfaces, timing, or accommodations required to implement such
419 projects.
420 (p)(15) If adherence to standards or policies adopted by or
421 established pursuant to this section causes conflict with
422 federal regulations or requirements imposed on an entity within
423 the enterprise a state agency and results in adverse action
424 against an entity the state agency or federal funding, work with
425 the entity state agency to provide alternative standards,
426 policies, or requirements that do not conflict with the federal
427 regulation or requirement. The department, acting through the
428 Florida Digital Service, shall annually report such alternative
429 standards to the Executive Office of the Governor, the President
430 of the Senate, and the Speaker of the House of Representatives.
431 (q)1.(16)(a) Establish an information technology policy for
432 all information technology-related state contracts, including
433 state term contracts for information technology commodities,
434 consultant services, and staff augmentation services. The
435 information technology policy must include:
436 a.1. Identification of the information technology product
437 and service categories to be included in state term contracts.
438 b.2. Requirements to be included in solicitations for state
439 term contracts.
440 c.3. Evaluation criteria for the award of information
441 technology-related state term contracts.
442 d.4. The term of each information technology-related state
443 term contract.
444 e.5. The maximum number of vendors authorized on each state
445 term contract.
446 2.(b) Evaluate vendor responses for information technology-related
447 state term contract solicitations and invitations to
448 negotiate.
449 3.(c) Answer vendor questions on information technology-related
450 state term contract solicitations.
451 4.(d) Ensure that the information technology policy
452 established pursuant to subparagraph 1. paragraph (a) is
453 included in all solicitations and contracts that are
454 administratively executed by the department.
455 (r)(17) Recommend potential methods for standardizing data
456 across state agencies which will promote interoperability and
457 reduce the collection of duplicative data.
458 (s)(18) Recommend open data technical standards and
459 terminologies for use by the enterprise state agencies.
460 (t) Ensure that enterprise information technology solutions
461 are capable of utilizing an electronic credential and comply
462 with the enterprise architecture standards.
463 (2)(a) The Secretary of Management Services shall designate
464 a state chief information officer, who shall administer the
465 Florida Digital Service. The state chief information officer,
466 prior to appointment, must have at least 5 years of experience
467 in the development of information system strategic planning and
468 development or information technology policy, and, preferably,
469 have leadership-level experience in the design, development, and
470 deployment of interoperable software and data solutions.
471 (b) The state chief information officer, in consultation
472 with the Secretary of Management Services, shall designate a
473 state chief data officer. The chief data officer must be a
474 proven and effective administrator who must have significant and
475 substantive experience in data management, data governance,
476 interoperability, and security.
477 (3) The department, acting through the Florida Digital
478 Service and from funds appropriated to the Florida Digital
479 Service, shall:
480 (a) Create, not later than October 1, 2021, and maintain a
481 comprehensive indexed data catalog in collaboration with the
482 enterprise that lists the data elements housed within the
483 enterprise and the legacy system or application in which these
484 data elements are located. The data catalog must, at a minimum,
485 specifically identify all data that is restricted from public
486 disclosure based on federal or state laws and regulations and
487 require that all such information be protected in accordance
488 with s. 282.318.
489 (b) Develop and publish, not later than October 1, 2021, in
490 collaboration with the enterprise, a data dictionary for each
491 agency that reflects the nomenclature in the comprehensive
492 indexed data catalog.
493 (c) Adopt, by rule, standards that support the creation and
494 deployment of an application programming interface to facilitate
495 integration throughout the enterprise.
496 (d) Adopt, by rule, standards necessary to facilitate a
497 secure ecosystem of data interoperability that is compliant with
498 the enterprise architecture.
499 (e) Adopt, by rule, standards that facilitate the
500 deployment of applications or solutions to the existing
501 enterprise system in a controlled and phased approach.
502 (f) After submission of documented use cases developed in
503 conjunction with the affected agencies, assist the affected
504 agencies with the deployment, contingent upon a specific
505 appropriation therefor, of new interoperable applications and
506 solutions:
507 1. For the Department of Health, the Agency for Health Care
508 Administration, the Agency for Persons with Disabilities, the
509 Department of Education, the Department of Elderly Affairs, and
510 the Department of Children and Families.
511 2. To support military members, veterans, and their
512 families.
513 (4) Upon the adoption of the enterprise architecture
514 standards in rule, the department, acting through the Florida
515 Digital Service, may develop a process to:
516 (a) Receive written notice from the entities within the
517 enterprise of any planned procurement of an information
518 technology project that is subject to enterprise architecture
519 standards.
520 (b) Participate in the development of specifications and
521 recommend modifications to any planned procurement by state
522 agencies so that the procurement complies with the enterprise
523 architecture.
524 (5) The department, acting through the Florida Digital
525 Service, may not retrieve or disclose any data without a shared
526 data agreement in place between the department and the
527 enterprise entity that has primary custodial responsibility of,
528 or data-sharing responsibility for, that data.
529 (6) The department, acting through the Florida Digital
530 Service, shall adopt rules to administer this section.
531 (19) Adopt rules to administer this section.
532 Section 5. Section 282.00515, Florida Statutes, is amended
533 to read:
534 282.00515 Duties of Cabinet agencies.—
535 (1) The Department of Legal Affairs, the Department of
536 Financial Services, and the Department of Agriculture and
537 Consumer Services shall adopt the standards established in s.
538 282.0051(1)(b), (c), and (s) and (3)(e) s. 282.0051(2), (3), and
539 (7) or adopt alternative standards based on best practices and
540 industry standards that allow for open data interoperability.
541 (2) If the Department of Legal Affairs, the Department of
542 Financial Services, or the Department of Agriculture and
543 Consumer Services adopts alternative standards in lieu of the
544 enterprise architecture standards adopted pursuant to s.
545 282.0051, such department must notify the Governor, the
546 President of the Senate, and the Speaker of the House of
547 Representatives in writing of the adoption of the alternative
548 standards and provide a justification for adoption of the
549 alternative standards and explain how the agency will achieve
550 open data interoperability.
551 (3) The Department of Legal Affairs, the Department of
552 Financial Services, and the Department of Agriculture and
553 Consumer Services, and may contract with the department to
554 provide or perform any of the services and functions described
555 in s. 282.0051 for the Department of Legal Affairs, the
556 Department of Financial Services, or the Department of
557 Agriculture and Consumer Services.
558 (4)(a) Nothing in this section or in s. 282.0051 requires
559 the Department of Legal Affairs, the Department of Financial
560 Services, or the Department of Agriculture and Consumer Services
561 to integrate with information technology outside its own
562 department or with the Florida Digital Service.
563 (b) The department, acting through the Florida Digital
564 Service, may not retrieve or disclose any data without a shared
565 data agreement in place between the department and the
566 Department of Legal Affairs, the Department of Financial
567 Services, or the Department of Agriculture and Consumer
568 Services.
569 Section 6. Paragraph (a) of subsection (3), paragraphs (d),
570 (e), (g), and (j) of subsection (4), and subsection (5) of
571 section 282.318, Florida Statutes, are amended to read:
572 282.318 Security of data and information technology.—
573 (3) The department is responsible for establishing
574 standards and processes consistent with generally accepted best
575 practices for information technology security, to include
576 cybersecurity, and adopting rules that safeguard an agency’s
577 data, information, and information technology resources to
578 ensure availability, confidentiality, and integrity and to
579 mitigate risks. The department shall also:
580 (a) Designate an employee of the Florida Digital Service as
581 the a state chief information security officer. The state chief
582 information security officer who must have experience and
583 expertise in security and risk management for communications and
584 information technology resources.
585 (4) Each state agency head shall, at a minimum:
586 (d) Conduct, and update every 3 years, a comprehensive risk
587 assessment, which may be completed by a private sector vendor,
588 to determine the security threats to the data, information, and
589 information technology resources, including mobile devices and
590 print environments, of the agency. The risk assessment must
591 comply with the risk assessment methodology developed by the
592 department and is confidential and exempt from s. 119.07(1),
593 except that such information shall be available to the Auditor
594 General, the Florida Digital Service Division of State
595 Technology within the department, the Cybercrime Office of the
596 Department of Law Enforcement, and, for state agencies under the
597 jurisdiction of the Governor, the Chief Inspector General.
598 (e) Develop, and periodically update, written internal
599 policies and procedures, which include procedures for reporting
600 information technology security incidents and breaches to the
601 Cybercrime Office of the Department of Law Enforcement and the
602 Florida Digital Service Division of State Technology within the
603 department. Such policies and procedures must be consistent with
604 the rules, guidelines, and processes established by the
605 department to ensure the security of the data, information, and
606 information technology resources of the agency. The internal
607 policies and procedures that, if disclosed, could facilitate the
608 unauthorized modification, disclosure, or destruction of data or
609 information technology resources are confidential information
610 and exempt from s. 119.07(1), except that such information shall
611 be available to the Auditor General, the Cybercrime Office of
612 the Department of Law Enforcement, the Florida Digital Service
613 Division of State Technology within the department, and, for
614 state agencies under the jurisdiction of the Governor, the Chief
615 Inspector General.
616 (g) Ensure that periodic internal audits and evaluations of
617 the agency’s information technology security program for the
618 data, information, and information technology resources of the
619 agency are conducted. The results of such audits and evaluations
620 are confidential information and exempt from s. 119.07(1),
621 except that such information shall be available to the Auditor
622 General, the Cybercrime Office of the Department of Law
623 Enforcement, the Florida Digital Service Division of State
624 Technology within the department, and, for agencies under the
625 jurisdiction of the Governor, the Chief Inspector General.
626 (j) Develop a process for detecting, reporting, and
627 responding to threats, breaches, or information technology
628 security incidents which is consistent with the security rules,
629 guidelines, and processes established by the department Agency
630 for State Technology.
631 1. All information technology security incidents and
632 breaches must be reported to the Florida Digital Service
633 Division of State Technology within the department and the
634 Cybercrime Office of the Department of Law Enforcement and must
635 comply with the notification procedures and reporting timeframes
636 established pursuant to paragraph (3)(c).
637 2. For information technology security breaches, state
638 agencies shall provide notice in accordance with s. 501.171.
639 3. Records held by a state agency which identify detection,
640 investigation, or response practices for suspected or confirmed
641 information technology security incidents, including suspected
642 or confirmed breaches, are confidential and exempt from s.
643 119.07(1) and s. 24(a), Art. I of the State Constitution, if the
644 disclosure of such records would facilitate unauthorized access
645 to or the unauthorized modification, disclosure, or destruction
646 of:
647 a. Data or information, whether physical or virtual; or
648 b. Information technology resources, which includes:
649 (I) Information relating to the security of the agency’s
650 technologies, processes, and practices designed to protect
651 networks, computers, data processing software, and data from
652 attack, damage, or unauthorized access; or
653 (II) Security information, whether physical or virtual,
654 which relates to the agency’s existing or proposed information
655 technology systems.
656
657 Such records shall be available to the Auditor General, the
658 Florida Digital Service Division of State Technology within the
659 department, the Cybercrime Office of the Department of Law
660 Enforcement, and, for state agencies under the jurisdiction of
661 the Governor, the Chief Inspector General. Such records may be
662 made available to a local government, another state agency, or a
663 federal agency for information technology security purposes or
664 in furtherance of the state agency’s official duties. This
665 exemption applies to such records held by a state agency before,
666 on, or after the effective date of this exemption. This
667 subparagraph is subject to the Open Government Sunset Review Act
668 in accordance with s. 119.15 and shall stand repealed on October
669 2, 2021, unless reviewed and saved from repeal through
670 reenactment by the Legislature.
671 (5) The portions of risk assessments, evaluations, external
672 audits, and other reports of a state agency’s information
673 technology security program for the data, information, and
674 information technology resources of the state agency which are
675 held by a state agency are confidential and exempt from s.
676 119.07(1) and s. 24(a), Art. I of the State Constitution if the
677 disclosure of such portions of records would facilitate
678 unauthorized access to or the unauthorized modification,
679 disclosure, or destruction of:
680 (a) Data or information, whether physical or virtual; or
681 (b) Information technology resources, which include:
682 1. Information relating to the security of the agency’s
683 technologies, processes, and practices designed to protect
684 networks, computers, data processing software, and data from
685 attack, damage, or unauthorized access; or
686 2. Security information, whether physical or virtual, which
687 relates to the agency’s existing or proposed information
688 technology systems.
689
690 Such portions of records shall be available to the Auditor
691 General, the Cybercrime Office of the Department of Law
692 Enforcement, the Florida Digital Service Division of State
693 Technology within the department, and, for agencies under the
694 jurisdiction of the Governor, the Chief Inspector General. Such
695 portions of records may be made available to a local government,
696 another state agency, or a federal agency for information
697 technology security purposes or in furtherance of the state
698 agency’s official duties. For purposes of this subsection,
699 “external audit” means an audit that is conducted by an entity
700 other than the state agency that is the subject of the audit.
701 This exemption applies to such records held by a state agency
702 before, on, or after the effective date of this exemption. This
703 subsection is subject to the Open Government Sunset Review Act
704 in accordance with s. 119.15 and shall stand repealed on October
705 2, 2021, unless reviewed and saved from repeal through
706 reenactment by the Legislature.
707 Section 7. Subsection (4) of section 287.0591, Florida
708 Statutes, is amended to read:
709 287.0591 Information technology.—
710 (4) If the department issues a competitive solicitation for
711 information technology commodities, consultant services, or
712 staff augmentation contractual services, the Florida Digital
713 Service Division of State Technology within the department shall
714 participate in such solicitations.
715 Section 8. Paragraph (a) of subsection (3) of section
716 365.171, Florida Statutes, is amended to read:
717 365.171 Emergency communications number E911 state plan.—
718 (3) DEFINITIONS.—As used in this section, the term:
719 (a) “Office” means the Division of Telecommunications State
720 Technology within the Department of Management Services, as
721 designated by the secretary of the department.
722 Section 9. Paragraph (s) of subsection (3) of section
723 365.172, Florida Statutes, is amended to read:
724 365.172 Emergency communications number “E911.”—
725 (3) DEFINITIONS.—Only as used in this section and ss.
726 365.171, 365.173, 365.174, and 365.177, the term:
727 (s) “Office” means the Division of Telecommunications State
728 Technology within the Department of Management Services, as
729 designated by the secretary of the department.
730 Section 10. Paragraph (a) of subsection (1) of section
731 365.173, Florida Statutes, is amended to read:
732 365.173 Communications Number E911 System Fund.—
733 (1) REVENUES.—
734 (a) Revenues derived from the fee levied on subscribers
735 under s. 365.172(8) must be paid by the board into the State
736 Treasury on or before the 15th day of each month. Such moneys
737 must be accounted for in a special fund to be designated as the
738 Emergency Communications Number E911 System Fund, a fund created
739 in the Division of Telecommunications State Technology, or other
740 office as designated by the Secretary of Management Services.
741 Section 11. Subsection (5) of section 943.0415, Florida
742 Statutes, is amended to read:
743 943.0415 Cybercrime Office.—There is created within the
744 Department of Law Enforcement the Cybercrime Office. The office
745 may:
746 (5) Consult with the Florida Digital Service Division of
747 State Technology within the Department of Management Services in
748 the adoption of rules relating to the information technology
749 security provisions in s. 282.318.
750 Section 12. Effective January 1, 2021, section 559.952,
751 Florida Statutes, is created to read:
752 559.952 Financial Technology Sandbox.—
753 (1) SHORT TITLE.—This section may be cited as the
754 “Financial Technology Sandbox.”
755 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
756 created the Financial Technology Sandbox within the Office of
757 Financial Regulation to allow financial technology innovators to
758 test new products and services in a supervised, flexible
759 regulatory sandbox using exceptions to specified general law and
760 waivers of the corresponding rule requirements under defined
761 conditions. The creation of a supervised, flexible regulatory
762 sandbox provides a welcoming business environment for technology
763 innovators and may lead to significant business growth.
764 (3) DEFINITIONS.—As used in this section, the term:
765 (a) “Business entity” means a domestic corporation or other
766 organized domestic entity with a physical presence, other than
767 that of a registered office or agent or virtual mailbox, in this
768 state.
769 (b) “Commission” means the Financial Services Commission.
770 (c) “Consumer” means a person in this state, whether a
771 natural person or a business organization, who purchases, uses,
772 receives, or enters into an agreement to purchase, use, or
773 receive an innovative financial product or service made
774 available through the Financial Technology Sandbox.
775 (d) “Control person” means an individual, a partnership, a
776 corporation, a trust, or other organization that possesses the
777 power, directly or indirectly, to direct the management or
778 policies of a company, whether through ownership of securities,
779 by contract, or through other means. A person is presumed to
780 control a company if, with respect to a particular company, that
781 person:
782 1. Is a director, a general partner, or an officer
783 exercising executive responsibility or having similar status or
784 functions;
785 2. Directly or indirectly may vote 10 percent or more of a
786 class of a voting security or sell or direct the sale of 10
787 percent or more of a class of voting securities; or
788 3. In the case of a partnership, may receive upon
789 dissolution or has contributed 10 percent or more of the
790 capital.
791 (e) “Corresponding rule requirements” means the commission
792 rules, or portions thereof, which implement the general laws
793 enumerated in paragraph (4)(a).
794 (f) “Financial product or service” means a product or
795 service related to a consumer finance loan, as defined in s.
796 516.01, or a money transmitter or payment instrument seller, as
797 those terms are defined in s. 560.103, including mediums of
798 exchange that are in electronic or digital form, which is
799 subject to the general laws enumerated in paragraph (4)(a) and
800 corresponding rule requirements and which is under the
801 jurisdiction of the office.
802 (g) “Financial Technology Sandbox” means the program
803 created by this section which allows a licensee to make an
804 innovative financial product or service available to consumers
805 during a sandbox period through exceptions to general laws and
806 waivers of corresponding rule requirements.
807 (h) “Innovative” means new or emerging technology, or new
808 uses of existing technology, which provide a product, service,
809 business model, or delivery mechanism to the public and which
810 are not known to have a comparable offering in this state
811 outside the Financial Technology Sandbox.
812 (i) “Licensee” means a business entity that has been
813 approved by the office to participate in the Financial
814 Technology Sandbox.
815 (j) “Office” means, unless the context clearly indicates
816 otherwise, the Office of Financial Regulation.
817 (k) “Sandbox period” means the initial 24-month period in
818 which the office has authorized a licensee to make an innovative
819 financial product or service available to consumers, and any
820 extension granted pursuant to subsection (7).
821 (4) EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
822 REQUIREMENTS.—
823 (a) Notwithstanding any other law, upon approval of a
824 Financial Technology Sandbox application, the following
825 provisions and corresponding rule requirements are not
826 applicable to the licensee during the sandbox period:
827 1. Section 516.03(1), except for the application fee, the
828 investigation fee, the requirement to provide the social
829 security numbers of control persons, evidence of liquid assets
830 of at least $25,000, and the office’s authority to investigate
831 the applicant’s background. The office may prorate the license
832 renewal fee for an extension granted under subsection (7).
833 2. Section 516.05(1) and (2), except that the office shall
834 investigate the applicant’s background.
835 3. Section 560.109, only to the extent that the section
836 requires the office to examine a licensee at least once every 5
837 years.
838 4. Section 560.118(2).
839 5. Section 560.125(1), only to the extent that subsection
840 would prohibit a licensee from engaging in the business of a
841 money transmitter or payment instrument seller during the
842 sandbox period.
843 6. Section 560.125(2), only to the extent that subsection
844 would prohibit a licensee from appointing an authorized vendor
845 during the sandbox period. Any authorized vendor of such a
846 licensee during the sandbox period remains liable to the holder
847 or remitter.
848 7. Section 560.128.
849 8. Section 560.141, except for s. 560.141(1)(a)1., 3., 7.
850 10. and (b), (c), and (d).
851 9. Section 560.142(1) and (2), except that the office may
852 prorate, but may not entirely eliminate, the license renewal
853 fees in s. 560.143 for an extension granted under subsection
854 (7).
855 10. Section 560.143(2), only to the extent necessary for
856 proration of the renewal fee under subparagraph 9.
857 11. Section 560.204(1), only to the extent that subsection
858 would prohibit a licensee from engaging in, or advertising that
859 it engages in, the selling or issuing of payment instruments or
860 in the activity of a money transmitter during the sandbox
861 period.
862 12. Section 560.205(2).
863 13. Section 560.208(2).
864 14. Section 560.209, only to the extent that the office may
865 modify, but may not entirely eliminate, the net worth, corporate
866 surety bond, and collateral deposit amounts required under that
867 section. The modified amounts must be in such lower amounts that
868 the office determines to be commensurate with the factors under
869 paragraph (5)(c) and the maximum number of consumers authorized
870 to receive the financial product or service under this section.
871 (b) The office may approve a Financial Technology Sandbox
872 application if one or more of the general laws enumerated in
873 paragraph (a) currently prevent the innovative financial product
874 or service from being made available to consumers and if all
875 other requirements of this section are met.
876 (c) A licensee may conduct business through electronic
877 means, including through the Internet or a software application.
878 (5) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
879 APPROVAL.—
880 (a) Before filing an application for licensure under this
881 section, a substantially affected person may seek a declaratory
882 statement pursuant to s. 120.565 regarding the applicability of
883 a statute, a rule, or an agency order to the petitioner’s
884 particular set of circumstances or a variance or waiver of a
885 rule pursuant to s. 120.542.
886 (b) Before making an innovative financial product or
887 service available to consumers in the Financial Technology
888 Sandbox, a business entity must file with the office an
889 application for licensure under the Financial Technology
890 Sandbox. The commission shall, by rule, prescribe the form and
891 manner of the application and how the office will evaluate and
892 apply each of the factors specified in paragraph (c).
893 1. The application must specify each general law enumerated
894 in paragraph (4)(a) which currently prevents the innovative
895 financial product or service from being made available to
896 consumers and the reasons why those provisions of general law
897 prevent the innovative financial product or service from being
898 made available to consumers.
899 2. The application must contain sufficient information for
900 the office to evaluate the factors specified in paragraph (c).
901 3. An application submitted on behalf of a business entity
902 must include evidence that the business entity has authorized
903 the person to submit the application on behalf of the business
904 entity intending to make an innovative financial product or
905 service available to consumers.
906 4. The application must specify the maximum number of
907 consumers, which may not exceed the number of consumers
908 specified in paragraph (f), to whom the applicant proposes to
909 provide the innovative financial product or service.
910 5. The application must include a proposed draft of the
911 statement or statements meeting the requirements of paragraph
912 (6)(b) which the applicant proposes to provide to consumers.
913 (c) The office shall approve or deny in writing a Financial
914 Technology Sandbox application within 60 days after receiving
915 the completed application. The office and the applicant may
916 jointly agree to extend the time beyond 60 days. Consistent with
917 this section, the office may impose conditions on any approval.
918 In deciding whether to approve or deny an application for
919 licensure, the office must consider each of the following:
920 1. The nature of the innovative financial product or
921 service proposed to be made available to consumers in the
922 Financial Technology Sandbox, including all relevant technical
923 details.
924 2. The potential risk to consumers and the methods that
925 will be used to protect consumers and resolve complaints during
926 the sandbox period.
927 3. The business plan proposed by the applicant, including
928 company information, market analysis, and financial projections
929 or pro forma financial statements, and evidence of the financial
930 viability of the applicant.
931 4. Whether the applicant has the necessary personnel,
932 adequate financial and technical expertise, and a sufficient
933 plan to test, monitor, and assess the innovative financial
934 product or service.
935 5. Whether any control person of the applicant, regardless
936 of adjudication, has pled no contest to, has been convicted or
937 found guilty of, or is currently under investigation for fraud,
938 a state or federal securities violation, a property-based
939 offense, or a crime involving moral turpitude or dishonest
940 dealing, in which case the application to the Financial
941 Technology Sandbox must be denied.
942 6. A copy of the disclosures that will be provided to
943 consumers under paragraph (6)(b).
944 7. The financial responsibility of the applicant and any
945 control person, including whether the applicant or any control
946 person has a history of unpaid liens, unpaid judgments, or other
947 general history of nonpayment of legal debts, including, but not
948 limited to, having been the subject of a petition for bankruptcy
949 under the United States Bankruptcy Code within the past 7
950 calendar years.
951 8. Any other factor that the office determines to be
952 relevant.
953 (d) The office may not approve an application if:
954 1. The applicant had a prior Financial Technology Sandbox
955 application that was approved and that related to a
956 substantially similar financial product or service;
957 2. Any control person of the applicant was substantially
958 involved in the development, operation, or management with
959 another Financial Technology Sandbox applicant whose application
960 was approved and whose application related to a substantially
961 similar financial product or service; or
962 3. The applicant or any control person has failed to
963 affirmatively demonstrate financial responsibility.
964 (e) Upon approval of an application, the office shall
965 notify the licensee that the licensee is exempt from the
966 provisions of general law enumerated in paragraph (4)(a) and the
967 corresponding rule requirements during the sandbox period. The
968 office shall post on its website notice of the approval of the
969 application, a summary of the innovative financial product or
970 service, and the contact information of the licensee.
971 (f) The office, on a case-by-case basis, shall specify the
972 maximum number of consumers authorized to receive an innovative
973 financial product or service, after consultation with the
974 Financial Technology Sandbox applicant. The office may not
975 authorize more than 15,000 consumers to receive the financial
976 product or service until the licensee has filed the first report
977 required under subsection (8). After the filing of that report,
978 if the licensee demonstrates adequate financial capitalization,
979 risk management processes, and management oversight, the office
980 may authorize up to 25,000 consumers to receive the financial
981 product or service.
982 (g) A licensee has a continuing obligation to promptly
983 inform the office of any material change to the information
984 provided under paragraph (b).
985 (6) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
986 (a) A licensee may make an innovative financial product or
987 service available to consumers during the sandbox period.
988 (b)1. Before a consumer purchases, uses, receives, or
989 enters into an agreement to purchase, use, or receive an
990 innovative financial product or service through the Financial
991 Technology Sandbox, the licensee must provide a written
992 statement of all of the following to the consumer:
993 a. The name and contact information of the licensee.
994 b. That the financial product or service has been
995 authorized to be made available to consumers for a temporary
996 period by the office, under the laws of this state.
997 c. That the state does not endorse the financial product or
998 service.
999 d. That the financial product or service is undergoing
1000 testing, may not function as intended, and may entail financial
1001 risk.
1002 e. That the licensee is not immune from civil liability for
1003 any losses or damages caused by the financial product or
1004 service.
1005 f. The expected end date of the sandbox period.
1006 g. The contact information for the office and notification
1007 that suspected legal violations, complaints, or other comments
1008 related to the financial product or service may be submitted to
1009 the office.
1010 h. Any other statements or disclosures required by rule of
1011 the commission which are necessary to further the purposes of
1012 this section.
1013 2. The written statement under subparagraph 1. must contain
1014 an acknowledgment from the consumer, which must be retained for
1015 the duration of the sandbox period by the licensee.
1016 (c) The office may enter into an agreement with a state,
1017 federal, or foreign regulatory agency to allow licensees under
1018 the Financial Technology Sandbox to make their products or
1019 services available in other jurisdictions. The commission shall
1020 adopt rules to implement this paragraph.
1021 (d) The office may examine the records of a licensee at any
1022 time, with or without prior notice.
1023 (7) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
1024 (a) A licensee may apply for one extension of the initial
1025 24-month sandbox period for 12 additional months for a purpose
1026 specified in subparagraph (b)1. or subparagraph (b)2. A complete
1027 application for an extension must be filed with the office at
1028 least 90 days before the conclusion of the initial sandbox
1029 period. The office shall approve or deny the application for
1030 extension in writing at least 35 days before the conclusion of
1031 the initial sandbox period. In determining whether to approve or
1032 deny an application for extension of the sandbox period, the
1033 office must, at a minimum, consider the current status of the
1034 factors previously considered under paragraph (5)(c).
1035 (b) An application for an extension under paragraph (a)
1036 must cite one of the following reasons as the basis for the
1037 application and must provide all relevant supporting
1038 information:
1039 1. Amendments to general law or rules are necessary to
1040 offer the innovative financial product or service in this state
1041 permanently.
1042 2. An application for a license that is required in order
1043 to offer the innovative financial product or service in this
1044 state permanently has been filed with the office and approval is
1045 pending.
1046 (c) At least 30 days before the conclusion of the initial
1047 24-month sandbox period or the extension, whichever is later, a
1048 licensee shall provide written notification to consumers
1049 regarding the conclusion of the initial sandbox period or the
1050 extension and may not make the financial product or service
1051 available to any new consumers after the conclusion of the
1052 initial sandbox period or the extension, whichever is later,
1053 until legal authority outside of the Financial Technology
1054 Sandbox exists for the licensee to make the financial product or
1055 service available to consumers. After the conclusion of the
1056 sandbox period or the extension, whichever is later, the
1057 business entity formerly licensed under the Financial Technology
1058 Sandbox may:
1059 1. Collect and receive money owed to the business entity or
1060 pay money owed by the business entity, based on agreements with
1061 consumers made before the conclusion of the sandbox period or
1062 the extension.
1063 2. Take necessary legal action.
1064 3. Take other actions authorized by commission rule which
1065 are not inconsistent with this section.
1066 (8) REPORT.—A licensee shall submit a report to the office
1067 twice a year as prescribed by commission rule. The report must,
1068 at a minimum, include financial reports and the number of
1069 consumers who have received the financial product or service.
1070 (9) CONSTRUCTION.—A business entity whose Financial
1071 Technology Sandbox application is approved under this section:
1072 (a) Is licensed under chapter 516, chapter 560, or both
1073 chapters 516 and 560, as applicable to the business entity’s
1074 activities.
1075 (b) Is subject to any provision of chapter 516 or chapter
1076 560 not specifically excepted under paragraph (4)(a), as
1077 applicable to the business entity’s activities, and must comply
1078 with such provisions.
1079 (c) May not engage in activities authorized under part III
1080 of chapter 560, notwithstanding s. 560.204(2).
1081 (10) VIOLATIONS AND PENALTIES.—
1082 (a) A licensee who makes an innovative financial product or
1083 service available to consumers in the Financial Technology
1084 Sandbox remains subject to:
1085 1. Civil damages for acts and omissions arising from or
1086 related to any innovative financial product or services provided
1087 or made available by the licensee or relating to this section.
1088 2. All criminal and consumer protection laws and any other
1089 statute not specifically excepted under paragraph (4)(a).
1090 (b)1. The office may, by order, revoke or suspend a
1091 licensee’s approval to participate in the Financial Technology
1092 Sandbox if:
1093 a. The licensee has violated or refused to comply with this
1094 section, any statute not specifically excepted under paragraph
1095 (4)(a), a rule of the commission that has not been waived, an
1096 order of the office, or a condition placed by the office on the
1097 approval of the licensee’s Financial Technology Sandbox
1098 application;
1099 b. A fact or condition exists that, if it had existed or
1100 become known at the time that the Financial Technology Sandbox
1101 application was pending, would have warranted denial of the
1102 application or the imposition of material conditions;
1103 c. A material error, false statement, misrepresentation, or
1104 material omission was made in the Financial Technology Sandbox
1105 application; or
1106 d. After consultation with the licensee, the office
1107 determines that continued testing of the innovative financial
1108 product or service would:
1109 (I) Be likely to harm consumers; or
1110 (II) No longer serve the purposes of this section because
1111 of the financial or operational failure of the financial product
1112 or service.
1113 2. Written notice of a revocation or suspension order made
1114 under subparagraph 1. must be served using any means authorized
1115 by law. If the notice relates to a suspension, the notice must
1116 include any condition or remedial action that the licensee must
1117 complete before the office lifts the suspension.
1118 (c) The office may refer any suspected violation of law to
1119 an appropriate state or federal agency for investigation,
1120 prosecution, civil penalties, and other appropriate enforcement
1121 action.
1122 (d) If service of process on a licensee is not feasible,
1123 service on the office is deemed service on the licensee.
1124 (11) RULES AND ORDERS.—
1125 (a) The commission shall adopt rules to administer this
1126 section before approving any application under this section.
1127 (b) The office may issue all necessary orders to enforce
1128 this section and may enforce these orders in accordance with
1129 chapter 120 or in any court of competent jurisdiction. These
1130 orders include, but are not limited to, orders for payment of
1131 restitution for harm suffered by consumers as a result of an
1132 innovative financial product or service.
1133 Section 13. For the 2020-2021 fiscal year, the sum of
1134 $50,000 in nonrecurring funds is appropriated from the
1135 Administrative Trust Fund to the Office of Financial Regulation
1136 to implement s. 559.952, Florida Statutes, as created by this
1137 act.
1138 Section 14. The creation of s. 559.952, Florida Statutes,
1139 and the appropriation to implement s. 559.952, Florida Statutes,
1140 by this act shall take effect only if SB 1872 or similar
1141 legislation takes effect and if such legislation is adopted in
1142 the same legislative session or an extension thereof and becomes
1143 a law.
1144 Section 15. Except as otherwise expressly provided in this
1145 act, this act shall take effect July 1, 2020.
1146
1147 ================= T I T L E A M E N D M E N T ================
1148 And the title is amended as follows:
1149 Delete everything before the enacting clause
1150 and insert:
1151 A bill to be entitled
1152 An act relating to technology innovation; amending s.
1153 20.22, F.S.; establishing the Florida Digital Service
1154 and the Division of Telecommunications within the
1155 Department of Management Services; abolishing the
1156 Division of State Technology within the department;
1157 amending s. 110.205, F.S.; exempting the state chief
1158 data officer and the state chief information security
1159 officer within the Florida Digital Service from the
1160 Career Service System; providing for the salary and
1161 benefits of such positions to be set by the
1162 department; amending s. 282.0041, F.S.; defining
1163 terms; revising the definition of the term “open
1164 data”; amending s. 282.0051, F.S.; revising
1165 information technology-related powers, duties, and
1166 functions of the department acting through the Florida
1167 Digital Service; specifying the designation of the
1168 state chief information officer and the state chief
1169 data officer; specifying qualifications for such
1170 positions; specifying requirements, contingent upon
1171 legislative appropriation, for the department;
1172 authorizing the department to develop a certain
1173 process; prohibiting the department from retrieving or
1174 disclosing any data without a certain shared-data
1175 agreement in place; specifying rulemaking authority
1176 for the department; amending s. 282.00515, F.S.;
1177 requiring the Department of Legal Affairs, the
1178 Department of Financial Services, or the Department of
1179 Agriculture and Consumer Services to notify the
1180 Governor and the Legislature and provide a certain
1181 justification and explanation if such agency adopts
1182 alternative standards to certain enterprise
1183 architecture standards; providing construction;
1184 prohibiting the department from retrieving or
1185 disclosing any data without a certain shared-data
1186 agreement in place; conforming a cross-reference;
1187 amending ss. 282.318, 287.0591, 365.171, 365.172,
1188 365.173, and 943.0415, F.S.; conforming provisions to
1189 changes made by the act; creating s. 559.952, F.S.;
1190 providing a short title; creating the Financial
1191 Technology Sandbox within the Office of Financial
1192 Regulation; defining terms; requiring the office, if
1193 certain conditions are met, to grant a license to a
1194 Financial Technology Sandbox applicant, grant
1195 exceptions to specified provisions of general law
1196 relating to consumer finance loans and money services
1197 businesses, and grant waivers of certain rules;
1198 authorizing a substantially affected person to seek a
1199 declaratory statement before applying to the Financial
1200 Technology Sandbox; specifying application
1201 requirements and procedures; specifying requirements
1202 and procedures for the office in reviewing and
1203 approving or denying applications; providing
1204 requirements for the office in specifying the number
1205 of the consumers authorized to receive an innovative
1206 financial product or service; specifying authorized
1207 actions of, limitations on, and requirements for
1208 licensees operating in the Financial Technology
1209 Sandbox; requiring licensees to make a specified
1210 disclosure to consumers; authorizing the office to
1211 enter into certain agreements with other regulatory
1212 agencies; authorizing the office to examine licensee
1213 records; authorizing a licensee to apply for one
1214 extension of an initial sandbox period for a certain
1215 timeframe; specifying requirements and procedures for
1216 applying for an extension; specifying requirements and
1217 procedures for, and authorized actions of, licensees
1218 when concluding a sandbox period or extension;
1219 requiring licensees to submit certain reports to the
1220 office at specified intervals; providing construction;
1221 specifying the liability of a licensee; authorizing
1222 the office to take certain disciplinary actions
1223 against a licensee under certain circumstances;
1224 providing construction relating to service of process;
1225 specifying the rulemaking authority of the Financial
1226 Services Commission; providing the office authority to
1227 issue orders and enforce the orders; providing an
1228 appropriation; providing that specified provisions of
1229 the act are contingent upon passage of other
1230 provisions addressing public records; providing
1231 effective dates.