Florida Senate - 2020 SB 1870
By Senator Hutson
7-01682B-20 20201870__
1 A bill to be entitled
2 An act relating to technological development; amending
3 s. 20.22, F.S.; renaming the Division of State
4 Technology within the Department of Management
5 Services; adding the Florida Digital Service to the
6 department; amending s. 282.0051, F.S.; establishing
7 the Florida Digital Service within the department;
8 providing definitions; transferring specified powers,
9 duties, and functions of the department to the Florida
10 Digital Service and revising such powers, duties, and
11 functions; providing appointments and requirements of
12 the state chief information officer and chief data
13 officer of the Florida Digital Service; requiring the
14 Florida Digital Service to develop an enterprise
15 architecture for all state departments and agencies;
16 providing requirements for such enterprise
17 architecture; providing duties of the Florida Digital
18 Service under certain circumstances; authorizing the
19 Florida Digital Service to enforce the enterprise
20 architecture by specified means; amending ss. 282.318,
21 287.0591, 365.171, 365.172, 365.173, and 943.0415,
22 F.S.; conforming provisions to changes made by the
23 act; creating s. 559.952, F.S.; providing a short
24 title; creating the Financial Technology Sandbox
25 Program; providing definitions; providing certain
26 waivers of requirements to specified persons under
27 certain circumstances; requiring an application for
28 the program for persons who want to make innovative
29 financial products or services available to consumers;
30 providing application requirements; requiring the
31 Office of Financial Regulation to pay an annual fee to
32 the Department of Law Enforcement for a specified
33 purpose; providing standards for application approval;
34 requiring the Commissioner of Financial Regulation and
35 any other persons exercising such powers to perform
36 certain actions upon approval of an application;
37 requiring posting of consumer protection bonds;
38 providing disposition of such bonds under a specified
39 circumstance; providing operation of the program;
40 providing extensions and conclusion of sandbox
41 periods; requiring persons who make innovative
42 financial products or services available to consumers
43 to submit a report; providing construction; providing
44 that such persons are not immune from civil damages
45 and are subject to criminal and consumer protection
46 laws; providing penalties; providing service of
47 process; requiring the office and the commissioner to
48 adopt rules; authorizing the commissioner to issue
49 certain orders and to enforce them in court;
50 authorizing the commissioner to issue and enforce
51 orders for payment of restitution and enforcement of
52 certain bonds; requiring the commissioner to use
53 certain proceeds for a specified purpose; providing an
54 effective date.
55
56 Be It Enacted by the Legislature of the State of Florida:
57
58 Section 1. Subsection (2) of section 20.22, Florida
59 Statutes, is amended to read:
60 20.22 Department of Management Services.—There is created a
61 Department of Management Services.
62 (2) The following divisions and programs within The
63 Department of Management Services shall consist of the following
64 are established:
65 (a) The Facilities Program.
66 (b) The Division of Telecommunications State Technology,
67 the director of which is appointed by the secretary of the
68 department and shall serve as the state chief information
69 officer. The state chief information officer must be a proven,
70 effective administrator who must have at least 10 years of
71 executive-level experience in the public or private sector,
72 preferably with experience in the development of information
73 technology strategic planning and the development and
74 implementation of fiscal and substantive information technology
75 policy and standards.
76 (c) The Workforce Program.
77 (d)1. The Support Program.
78 2. The Federal Property Assistance Program.
79 (e) The Administration Program.
80 (f) The Division of Administrative Hearings.
81 (g) The Division of Retirement.
82 (h) The Division of State Group Insurance.
83 (i) The Florida Digital Service.
84 Section 2. Section 282.0051, Florida Statutes, is amended
85 to read:
86 282.0051 Florida Digital Service Department of Management
87 Services; powers, duties, and functions.—There is established
88 the Florida Digital Service within the department to create
89 innovative solutions that securely modernize and optimize state
90 government and achieve value through digital transformation and
91 interoperability.
92 (1) As used in this section, the term:
93 (a) “Digital identity verifier” means a digital system
94 capable of securely authenticating the identity of an external
95 agent, including a person, an organization, an application, or a
96 device, without physically storing the necessary data to
97 validate a digital identity.
98 (b) “Enterprise” means the state or the entirety of state
99 government and its subdivisions.
100 (c) “Enterprise architecture” means a comprehensive
101 operational framework that contemplates the needs and assets of
102 the enterprise to create a unified information technology
103 environment.
104 (d) “Interoperability” means the technical and legal
105 ability to share data across and throughout the enterprise.
106 (e) “Qualified entity” means a public or private entity or
107 individual that enters into a binding agreement with the Florida
108 Digital Service, meets usage criteria, agrees to terms and
109 conditions, and is subsequently and prescriptively authorized by
110 the Florida Digital Service to access digital assets as defined
111 in the agreement.
112 (2) The Florida Digital Service department shall have the
113 following powers, duties, and functions:
114 (a)(1) Develop and publish information technology policy
115 for the management of the state’s information technology
116 resources.
117 (b)(2) Establish and publish information technology
118 architecture standards to provide for the most efficient use of
119 the state’s information technology resources and to ensure
120 compatibility and alignment with the needs of state agencies.
121 The Florida Digital Service department shall assist state
122 agencies in complying with the standards.
123 (c)(3) Establish project management and oversight standards
124 with which state agencies must comply when implementing
125 information technology projects. The Florida Digital Service
126 department shall provide training opportunities to state
127 agencies to assist in the adoption of the project management and
128 oversight standards. To support data-driven decisionmaking, the
129 standards must include, but are not limited to:
130 1.(a) Performance measurements and metrics that objectively
131 reflect the status of an information technology project based on
132 a defined and documented project scope, cost, and schedule.
133 2.(b) Methodologies for calculating acceptable variances in
134 the projected versus actual scope, schedule, or cost of an
135 information technology project.
136 3.(c) Reporting requirements, including requirements
137 designed to alert all defined stakeholders that an information
138 technology project has exceeded acceptable variances defined and
139 documented in a project plan.
140 4.(d) Content, format, and frequency of project updates.
141 (d)(4) Perform project oversight on all state agency
142 information technology projects that have a technology component
143 with a total project cost costs of $10 million or more and that
144 are funded in the General Appropriations Act or any other law.
145 The Florida Digital Service department shall report at least
146 quarterly to the Executive Office of the Governor, the President
147 of the Senate, and the Speaker of the House of Representatives
148 on any information technology project that the Florida Digital
149 Service department identifies as high-risk due to the project
150 exceeding acceptable variance ranges defined and documented in a
151 project plan. The report must include a risk assessment,
152 including fiscal risks, associated with proceeding to the next
153 stage of the project, and a recommendation for corrective
154 actions required, including suspension or termination of the
155 project.
156 (e)(5) Identify opportunities for standardization and
157 consolidation of information technology services that support
158 business functions and operations, including administrative
159 functions such as purchasing, accounting and reporting, cash
160 management, and personnel, and that are common across state
161 agencies. The Florida Digital Service department shall
162 biennially on April 1 provide recommendations for
163 standardization and consolidation to the Executive Office of the
164 Governor, the President of the Senate, and the Speaker of the
165 House of Representatives.
166 (f)(6) Establish best practices for the procurement of
167 information technology products and cloud-computing services in
168 order to reduce costs, increase the quality of data center
169 services, or improve government services.
170 (g)(7) Develop standards for information technology reports
171 and updates, including, but not limited to, operational work
172 plans, project spend plans, and project status reports, for use
173 by state agencies.
174 (h)(8) Upon request, assist state agencies in the
175 development of information technology-related legislative budget
176 requests.
177 (i)(9) Conduct annual assessments of state agencies to
178 determine compliance with all information technology standards
179 and guidelines developed and published by the Florida Digital
180 Service department and provide results of the assessments to the
181 Executive Office of the Governor, the President of the Senate,
182 and the Speaker of the House of Representatives.
183 (j)(10) Provide operational management and oversight of the
184 state data center established pursuant to s. 282.201, which
185 includes:
186 1.(a) Implementing industry standards and best practices
187 for the state data center’s facilities, operations, maintenance,
188 planning, and management processes.
189 2.(b) Developing and implementing cost-recovery or payment
190 mechanisms that recover the full direct and indirect cost of
191 services through charges to applicable customer entities. Such
192 cost-recovery mechanisms must comply with applicable state and
193 federal regulations concerning distribution and use of funds and
194 must ensure that, for any fiscal year, no service or customer
195 entity subsidizes another service or customer entity.
196 3.(c) Developing and implementing appropriate operating
197 guidelines and procedures necessary for the state data center to
198 perform its duties pursuant to s. 282.201. The guidelines and
199 procedures must comply with applicable state and federal laws,
200 regulations, and policies and conform to generally accepted
201 governmental accounting and auditing standards. The guidelines
202 and procedures must include, but need not be limited to:
203 a.1. Implementing a consolidated administrative support
204 structure responsible for providing financial management,
205 procurement, transactions involving real or personal property,
206 human resources, and operational support.
207 b.2. Implementing an annual reconciliation process to
208 ensure that each customer entity is paying for the full direct
209 and indirect cost of each service as determined by the customer
210 entity’s use of each service.
211 c.3. Providing rebates that may be credited against future
212 billings to customer entities when revenues exceed costs.
213 d.4. Requiring customer entities to validate that
214 sufficient funds exist in the appropriate data processing
215 appropriation category or will be transferred into the
216 appropriate data processing appropriation category before
217 implementation of a customer entity’s request for a change in
218 the type or level of service provided, if such change results in
219 a net increase to the customer entity’s cost for that fiscal
220 year.
221 e.5. By November 15 of each year, providing to the Office
222 of Policy and Budget in the Executive Office of the Governor and
223 to the chairs of the legislative appropriations committees the
224 projected costs of providing data center services for the
225 following fiscal year.
226 f.6. Providing a plan for consideration by the Legislative
227 Budget Commission if the cost of a service is increased for a
228 reason other than a customer entity’s request made pursuant to
229 sub-subparagraph d. subparagraph 4. Such a plan is required only
230 if the service cost increase results in a net increase to a
231 customer entity for that fiscal year.
232 7. Standardizing and consolidating procurement and
233 contracting practices.
234 4.(d) In collaboration with the Department of Law
235 Enforcement, developing and implementing a process for
236 detecting, reporting, and responding to information technology
237 security incidents, breaches, and threats.
238 5.(e) Adopting rules relating to the operation of the state
239 data center, including, but not limited to, budgeting and
240 accounting procedures, cost-recovery methodologies, and
241 operating procedures.
242 (f) Conducting an annual market analysis to determine
243 whether the state’s approach to the provision of data center
244 services is the most effective and cost-efficient manner by
245 which its customer entities can acquire such services, based on
246 federal, state, and local government trends; best practices in
247 service provision; and the acquisition of new and emerging
248 technologies. The results of the market analysis shall assist
249 the state data center in making adjustments to its data center
250 service offerings.
251 (k)(11) Recommend other information technology services
252 that should be designed, delivered, and managed as enterprise
253 information technology services. Recommendations must include
254 the identification of existing information technology resources
255 associated with the services, if existing services must be
256 transferred as a result of being delivered and managed as
257 enterprise information technology services.
258 (l)(12) In consultation with state agencies, propose a
259 methodology and approach for identifying and collecting both
260 current and planned information technology expenditure data at
261 the state agency level.
262 (m)1.(13)(a) Notwithstanding any other law, provide project
263 oversight on any information technology project of the
264 Department of Financial Services with a technology component,
265 the Department of Legal Affairs, and the Department of
266 Agriculture and Consumer Services which has a total project cost
267 of $25 million or more and which impacts one or more other
268 agencies. Such information technology projects must also comply
269 with the applicable information technology architecture, project
270 management and oversight, and reporting standards established by
271 the Florida Digital Service department.
272 2.(b) When performing the project oversight function
273 specified in subparagraph 1. paragraph (a), report at least
274 quarterly to the Executive Office of the Governor, the President
275 of the Senate, and the Speaker of the House of Representatives
276 on any information technology project that the Florida Digital
277 Service department identifies as high-risk due to the project
278 exceeding acceptable variance ranges defined and documented in
279 the project plan. The report shall include a risk assessment,
280 including fiscal risks, associated with proceeding to the next
281 stage of the project and a recommendation for corrective actions
282 required, including suspension or termination of the project.
283 (n)(14) If an information technology project implemented by
284 a state agency must be connected to or otherwise accommodated by
285 an information technology system administered by the Department
286 of Financial Services, the Department of Legal Affairs, or the
287 Department of Agriculture and Consumer Services, consult with
288 these departments regarding the risks and other effects of such
289 projects on their information technology systems and work
290 cooperatively with these departments regarding the connections,
291 interfaces, timing, or accommodations required to implement such
292 projects.
293 (o)(15) If adherence to standards or policies adopted by or
294 established pursuant to this section causes conflict with
295 federal regulations or requirements imposed on a state agency
296 and results in adverse action against the state agency or
297 federal funding, work with the state agency to provide
298 alternative standards, policies, or requirements that do not
299 conflict with the federal regulation or requirement. The Florida
300 Digital Service department shall annually report such
301 alternative standards to the Governor, the President of the
302 Senate, and the Speaker of the House of Representatives.
303 (p) Follow best purchasing practices of state procurement
304 to the extent practicable for the purpose of creating innovative
305 solutions that securely modernize and optimize state government
306 to achieve value through digital transformation and to use best
307 business practices employed by the private sector,
308 notwithstanding chapter 287 and the authority of the department.
309 (16)(a) Establish an information technology policy for all
310 information technology-related state contracts, including state
311 term contracts for information technology commodities,
312 consultant services, and staff augmentation services. The
313 information technology policy must include:
314 1. Identification of the information technology product and
315 service categories to be included in state term contracts.
316 2. Requirements to be included in solicitations for state
317 term contracts.
318 3. Evaluation criteria for the award of information
319 technology-related state term contracts.
320 4. The term of each information technology-related state
321 term contract.
322 5. The maximum number of vendors authorized on each state
323 term contract.
324 (b) Evaluate vendor responses for information technology
325 related state term contract solicitations and invitations to
326 negotiate.
327 (c) Answer vendor questions on information technology
328 related state term contract solicitations.
329 (d) Ensure that the information technology policy
330 established pursuant to paragraph (a) is included in all
331 solicitations and contracts that are administratively executed
332 by the department.
333 (q)(17) Recommend potential methods for standardizing data
334 across state agencies which will promote interoperability and
335 reduce the collection of duplicative data.
336 (r)(18) Recommend open data technical standards and
337 terminologies for use by state agencies.
338 (3)(a) The Secretary of Management Services shall appoint a
339 state chief information officer to head the Florida Digital
340 Service. The state chief information officer must be a proven,
341 effective administrator who must have at least 10 years of
342 executive-level experience in the public or private sector,
343 preferably with experience in the development of information
344 technology strategic planning and the development and
345 implementation of fiscal and substantive information technology
346 policy and standards.
347 (b) The state chief information officer shall appoint a
348 chief data officer, who shall report to the state chief
349 information officer. The chief data officer must be a proven,
350 effective administrator who must have at least 10 years of
351 experience in data management, data governance,
352 interoperability, and security. The chief data officer is
353 included in the Senior Management Service. As used in this
354 paragraph, the term “data governance” means the practice of
355 organizing, classifying, securing, and implementing policies,
356 procedures, and standards for the effective use of an
357 organization’s structured and unstructured information assets.
358 (4) The Florida Digital Service shall develop an
359 enforceable and comprehensive enterprise architecture for all
360 state departments and agencies which:
361 (a) Recognizes the unique needs of all stakeholders and
362 results in the publication of standards and terminologies,
363 procurement guidelines, and the facilitation of digital
364 interoperability.
365 (b) Establishes a comprehensive framework that accounts for
366 all of the needs and responsibilities of a department and agency
367 while defining how technology benefits and serves the overall
368 mission of both entities.
369 (c) Addresses how hardware, operating systems, legacy
370 systems, and programming and networking solutions may be used or
371 improved to achieve current and future objectives.
372 (d) Allows the enterprise architecture to be enforced, as
373 appropriate, to ensure stewardship of tax dollars.
374 (5) Upon the required production of information from the
375 stakeholders of the enterprise architecture, the Florida Digital
376 Service shall:
377 (a) Create and maintain a comprehensive indexed data
378 catalog that lists what data elements are housed within which
379 department or agency and in which legacy system or application.
380 (b) Develop and publish for each state department and
381 agency a data dictionary that reflects the nomenclature as
382 existing in the comprehensive indexed data catalog.
383 (c) Create and maintain an indexed integration catalog that
384 includes all integration tools currently used by each state
385 department and agency.
386 (d) Review, confirm, and document operational use cases
387 with all stakeholders across the enterprise architecture,
388 including the Legislature and all state departments and
389 agencies.
390 (e) Identify core functionality use cases reliant on
391 digital and data infrastructure.
392 (f) Develop, collaboratively with stakeholders, solutions
393 for authorized, mandated, or encouraged use cases within the
394 enterprise.
395 (g) Develop, publish, and manage an application programming
396 interface to facilitate integration throughout the enterprise.
397 (h) Facilitate collaborative analysis of enterprise
398 architecture data to improve service delivery.
399 (i) Provide a testing environment in which any newly
400 developed solution can be tested for compliance within the
401 enterprise architecture and for functionality assurance before
402 deployment.
403 (j) Create the functionality necessary for a secure
404 ecosystem of data interoperability that is compliant with the
405 enterprise architecture and allows for governmental and
406 nongovernmental stakeholders to access the data store by:
407 1. Competitively procuring a credential service provider.
408 As used in this subparagraph, the term “credential service
409 provider” means an electronic credential provider that supplies
410 secure credential services based on open standards for identity
411 management and verification to qualified entities.
412 2. Upon the signing of the enterprise architecture terms of
413 service and privacy policies, providing to qualified entities
414 and digital identity verifiers appropriate access to the data
415 store to facilitate authorized integrations to collaboratively,
416 less expensively, or at no taxpayer cost, solve enterprise use
417 cases.
418 (k) Architect and deploy applications or solutions to
419 existing department and agency obligations in a controlled and
420 phased approach, including, but not limited to:
421 1. Digital licenses, including full identification
422 management.
423 2. Interoperability that contains the data functionality to
424 enable supervisors of elections to authenticate voter
425 eligibility in real time at the point of service.
426 3. The criminal justice database.
427 4. Motor vehicle insurance cancellation integration between
428 insurers and the Department of Highway Safety and Motor
429 Vehicles.
430 5. Interoperability solutions between agencies, including,
431 but not limited to, the Department of Health, the Agency for
432 Health Care Administration, the Agency for Persons with
433 Disabilities, the Department of Education, the Department of
434 Elderly Affairs, and the Department of Children and Families.
435 (6) The Florida Digital Service may enforce the enterprise
436 architecture by:
437 (a) Receiving written notice of any planned or existing
438 procurement of digital solutions which is subject to governance
439 by the enterprise architecture, which includes:
440 1. An attestation of compliance with the enterprise
441 architecture.
442 2. A list of integration tools needed.
443 3. Enterprise stakeholders actually or potentially involved
444 or affected by the procurement.
445 4. Resources that would reduce the cost or increase the
446 speed to deployment.
447 (b) Intervening in any procurement that does not comply
448 with the enterprise architecture after the Florida Digital
449 Service provided notice of noncompliance to relevant
450 stakeholders through the following acts:
451 1. Delaying the procurement until it complies with the
452 enterprise architecture.
453 2. Providing recommendations to cure the portions of the
454 procurement which do not comply with the enterprise
455 architecture.
456 (19) Adopt rules to administer this section.
457 Section 3. Paragraph (a) of subsection (3), paragraphs (d),
458 (e), (g), and (j) of subsection (4), and paragraph (b) of
459 subsection (5) of section 282.318, Florida Statutes, are amended
460 to read:
461 282.318 Security of data and information technology.—
462 (3) The department is responsible for establishing
463 standards and processes consistent with generally accepted best
464 practices for information technology security, to include
465 cybersecurity, and adopting rules that safeguard an agency’s
466 data, information, and information technology resources to
467 ensure availability, confidentiality, and integrity and to
468 mitigate risks. The department shall also:
469 (a) Designate a state chief information security officer
470 for the Florida Digital Service, who must be a proven, effective
471 administrator and have at least 10 years of executive-level
472 experience in the public or private sector, preferably with
473 experience in the development of information technology
474 strategic planning and the development and implementation of
475 fiscal and substantive information technology policy and
476 standards and expertise in security and risk management for
477 communications and information technology resources.
478 (4) Each state agency head shall, at a minimum:
479 (d) Conduct, and update every 3 years, a comprehensive risk
480 assessment, which may be completed by a private sector vendor,
481 to determine the security threats to the data, information, and
482 information technology resources, including mobile devices and
483 print environments, of the agency. The risk assessment must
484 comply with the risk assessment methodology developed by the
485 department and is confidential and exempt from s. 119.07(1),
486 except that such information shall be available to the Auditor
487 General, the Florida Digital Service Division of State
488 Technology within the department, the Cybercrime Office of the
489 Department of Law Enforcement, and, for state agencies under the
490 jurisdiction of the Governor, the Chief Inspector General.
491 (e) Develop, and periodically update, written internal
492 policies and procedures, which include procedures for reporting
493 information technology security incidents and breaches to the
494 Cybercrime Office of the Department of Law Enforcement and the
495 Florida Digital Service Division of State Technology within the
496 department. Such policies and procedures must be consistent with
497 the rules, guidelines, and processes established by the
498 department to ensure the security of the data, information, and
499 information technology resources of the agency. The internal
500 policies and procedures that, if disclosed, could facilitate the
501 unauthorized modification, disclosure, or destruction of data or
502 information technology resources are confidential information
503 and exempt from s. 119.07(1), except that such information shall
504 be available to the Auditor General, the Cybercrime Office of
505 the Department of Law Enforcement, the Florida Digital Service
506 Division of State Technology within the department, and, for
507 state agencies under the jurisdiction of the Governor, the Chief
508 Inspector General.
509 (g) Ensure that periodic internal audits and evaluations of
510 the agency’s information technology security program for the
511 data, information, and information technology resources of the
512 agency are conducted. The results of such audits and evaluations
513 are confidential information and exempt from s. 119.07(1),
514 except that such information shall be available to the Auditor
515 General, the Cybercrime Office of the Department of Law
516 Enforcement, the Florida Digital Service Division of State
517 Technology within the department, and, for agencies under the
518 jurisdiction of the Governor, the Chief Inspector General.
519 (j) Develop a process for detecting, reporting, and
520 responding to threats, breaches, or information technology
521 security incidents which is consistent with the security rules,
522 guidelines, and processes established by the Agency for State
523 Technology.
524 1. All information technology security incidents and
525 breaches must be reported to the Florida Digital Service
526 Division of State Technology within the department and the
527 Cybercrime Office of the Department of Law Enforcement and must
528 comply with the notification procedures and reporting timeframes
529 established pursuant to paragraph (3)(c).
530 2. For information technology security breaches, state
531 agencies shall provide notice in accordance with s. 501.171.
532 3. Records held by a state agency which identify detection,
533 investigation, or response practices for suspected or confirmed
534 information technology security incidents, including suspected
535 or confirmed breaches, are confidential and exempt from s.
536 119.07(1) and s. 24(a), Art. I of the State Constitution, if the
537 disclosure of such records would facilitate unauthorized access
538 to or the unauthorized modification, disclosure, or destruction
539 of:
540 a. Data or information, whether physical or virtual; or
541 b. Information technology resources, which includes:
542 (I) Information relating to the security of the agency’s
543 technologies, processes, and practices designed to protect
544 networks, computers, data processing software, and data from
545 attack, damage, or unauthorized access; or
546 (II) Security information, whether physical or virtual,
547 which relates to the agency’s existing or proposed information
548 technology systems.
549
550 Such records shall be available to the Auditor General, the
551 Florida Digital Service Division of State Technology within the
552 department, the Cybercrime Office of the Department of Law
553 Enforcement, and, for state agencies under the jurisdiction of
554 the Governor, the Chief Inspector General. Such records may be
555 made available to a local government, another state agency, or a
556 federal agency for information technology security purposes or
557 in furtherance of the state agency’s official duties. This
558 exemption applies to such records held by a state agency before,
559 on, or after the effective date of this exemption. This
560 subparagraph is subject to the Open Government Sunset Review Act
561 in accordance with s. 119.15 and shall stand repealed on October
562 2, 2021, unless reviewed and saved from repeal through
563 reenactment by the Legislature.
564 (5) The portions of risk assessments, evaluations, external
565 audits, and other reports of a state agency’s information
566 technology security program for the data, information, and
567 information technology resources of the state agency which are
568 held by a state agency are confidential and exempt from s.
569 119.07(1) and s. 24(a), Art. I of the State Constitution if the
570 disclosure of such portions of records would facilitate
571 unauthorized access to or the unauthorized modification,
572 disclosure, or destruction of:
573 (b) Information technology resources, which include:
574 1. Information relating to the security of the agency’s
575 technologies, processes, and practices designed to protect
576 networks, computers, data processing software, and data from
577 attack, damage, or unauthorized access; or
578 2. Security information, whether physical or virtual, which
579 relates to the agency’s existing or proposed information
580 technology systems.
581
582 Such portions of records shall be available to the Auditor
583 General, the Cybercrime Office of the Department of Law
584 Enforcement, the Florida Digital Service Division of State
585 Technology within the department, and, for agencies under the
586 jurisdiction of the Governor, the Chief Inspector General. Such
587 portions of records may be made available to a local government,
588 another state agency, or a federal agency for information
589 technology security purposes or in furtherance of the state
590 agency’s official duties. For purposes of this subsection,
591 “external audit” means an audit that is conducted by an entity
592 other than the state agency that is the subject of the audit.
593 This exemption applies to such records held by a state agency
594 before, on, or after the effective date of this exemption. This
595 subsection is subject to the Open Government Sunset Review Act
596 in accordance with s. 119.15 and shall stand repealed on October
597 2, 2021, unless reviewed and saved from repeal through
598 reenactment by the Legislature.
599 Section 4. Subsection (4) of section 287.0591, Florida
600 Statutes, is amended to read:
601 287.0591 Information technology.—
602 (4) If the department issues a competitive solicitation for
603 information technology commodities, consultant services, or
604 staff augmentation contractual services, the Florida Digital
605 Service Division of State Technology within the department shall
606 participate in such solicitations.
607 Section 5. Paragraph (a) of subsection (3) of section
608 365.171, Florida Statutes, is amended to read:
609 365.171 Emergency communications number E911 state plan.—
610 (3) DEFINITIONS.—As used in this section, the term:
611 (a) “Office” means the Division of Telecommunications State
612 Technology within the Department of Management Services, as
613 designated by the secretary of the department.
614 Section 6. Paragraph (s) of subsection (3) of section
615 365.172, Florida Statutes, is amended to read:
616 365.172 Emergency communications number “E911.”—
617 (3) DEFINITIONS.—Only as used in this section and ss.
618 365.171, 365.173, 365.174, and 365.177, the term:
619 (s) “Office” means the Division of Telecommunications State
620 Technology within the Department of Management Services, as
621 designated by the secretary of the department.
622 Section 7. Paragraph (a) of subsection (1) of section
623 365.173, Florida Statutes, is amended to read:
624 365.173 Communications Number E911 System Fund.—
625 (1) REVENUES.—
626 (a) Revenues derived from the fee levied on subscribers
627 under s. 365.172(8) must be paid by the board into the State
628 Treasury on or before the 15th day of each month. Such moneys
629 must be accounted for in a special fund to be designated as the
630 Emergency Communications Number E911 System Fund, a fund created
631 in the Division of Telecommunications State Technology, or other
632 office as designated by the Secretary of Management Services.
633 Section 8. Subsection (5) of section 943.0415, Florida
634 Statutes, is amended to read:
635 943.0415 Cybercrime Office.—There is created within the
636 Department of Law Enforcement the Cybercrime Office. The office
637 may:
638 (5) Consult with the Florida Digital Service Division of
639 State Technology within the Department of Management Services in
640 the adoption of rules relating to the information technology
641 security provisions in s. 282.318.
642 Section 9. Section 559.952, Florida Statutes, is created to
643 read:
644 559.952 Financial Technology Sandbox Act.—
645 (1) SHORT TITLE.—This section may be cited as the
646 “Financial Technology Sandbox Act.”
647 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX PROGRAM.—
648 There is created the Financial Technology Sandbox Program within
649 the Office of Financial Regulation to allow financial technology
650 innovators to test new products and services in a supervised,
651 flexible regulatory sandbox, using waivers of specified general
652 law and rule requirements under defined conditions. The creation
653 of a supervised, flexible regulatory sandbox provides a
654 welcoming business environment for technology innovators and may
655 lead to significant business growth.
656 (3) DEFINITIONS.—As used in this section, the term:
657 (a) “Blockchain” means a digital record of online
658 transactions that are stored chronologically and obtained
659 through consensus and that are decentralized and mathematically
660 verified in nature.
661 (b) “Commissioner” means the Director of the Office of
662 Financial Regulation, also known as the Commissioner of
663 Financial Regulation, and any other person lawfully exercising
664 such powers.
665 (c) “Consumer” means a person in this state, whether a
666 natural person or a business entity, who purchases, uses, or
667 enters into an agreement to receive an innovative financial
668 product or service made available through the Financial
669 Technology Sandbox.
670 (d) “Financial product or service” means a product or
671 service related to finance, including banking, securities,
672 consumer credit, or money transmission, which is traditionally
673 subject to general law or rule requirements in the chapters
674 enumerated in paragraph (4)(a) and which is under the
675 jurisdiction of the commissioner.
676 (e) “Financial Technology Sandbox” means, unless the
677 context clearly indicates otherwise, the program created in this
678 section, which allows a person to make an innovative financial
679 product or service available to consumers during a sandbox
680 period through a waiver of existing general laws and rule
681 requirements, or portions thereof, as determined by the
682 commissioner.
683 (f) “Innovative” means new or emerging technology, or new
684 uses of existing technology, including blockchain technology,
685 which provides a product, service, business model, or delivery
686 mechanism to the public and has no substantially comparable,
687 widely available analog in this state.
688 (g) “Office” means, unless the context clearly indicates
689 otherwise, the Office of Financial Regulation.
690 (h) “Sandbox period” means the period, initially not longer
691 than 24 months, in which the commissioner has:
692 1. Authorized an innovative financial product or service to
693 be made available to consumers.
694 2. Granted the person who makes the innovative financial
695 product or service available a waiver of general law or rule
696 requirements, as determined by the commissioner, so that the
697 authorization under subparagraph 1. is possible.
698 (4) WAIVERS OF GENERAL LAW AND RULE REQUIREMENTS.—
699 (a) Notwithstanding any other provision of law, upon
700 approval of a Financial Technological Sandbox application, the
701 commissioner may grant an applicant a waiver of a requirement,
702 or a portion thereof, which is imposed by a general law or rule
703 in any following chapter or part thereof, if all of the
704 conditions in paragraph (b) are met:
705 1. Chapter 516, consumer finance.
706 2. Chapter 517, securities transactions.
707 3. Chapter 520, retail installment sales.
708 4. Chapter 537, title loans.
709 5. Part I or part II of chapter 560, general provisions of
710 money services businesses or payment instruments and funds
711 transmission.
712 6. Chapter 655, financial institutions generally.
713 7. Chapter 657, credit unions.
714 8. Chapter 658, banks and trust companies.
715 9. Chapter 660, trust business.
716 10. Chapter 662, family trust companies.
717 11. Chapter 663, international banking.
718 (b) The commissioner may grant, during a sandbox period, a
719 waiver of a requirement, or a portion thereof, imposed by a
720 general law or rule in any chapter enumerated in paragraph (a),
721 if all of the following conditions are met:
722 1. The general law or rule does not currently authorize the
723 innovative financial product or service to be made available to
724 consumers.
725 2. The waiver is not broader than necessary to accomplish
726 the purposes and standards specified in this section, as
727 determined by the commissioner.
728 3. No provision relating to the liability of an
729 incorporator, director, or officer of the applicant is eligible
730 for a waiver.
731 (5) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
732 APPROVAL; CONSUMER PROTECTION BOND.—
733 (a) Before making an innovative financial product or
734 service available to consumers in the Financial Technology
735 Sandbox, a person must file an application with the
736 commissioner. The commissioner shall, by rule, prescribe the
737 form and manner of the application.
738 1. In the application, the person must specify the general
739 law or rule requirements for which a waiver is sought, and the
740 reasons why these requirements prohibit the innovative financial
741 product or service from being made available to consumers.
742 2. The application must also contain the information
743 specified in subparagraphs (e)1.-7.
744 (b) A business entity filing an application under this
745 section must be a domestic corporation or other organized
746 domestic entity with a physical presence, other than that of a
747 registered office or agent or virtual mailbox, in this state.
748 (c) Before an employee applies on behalf of a business
749 entity intending to make an innovative financial product or
750 service available to consumers, the employee must obtain the
751 consent of the business entity.
752 (d) The applicant must submit fingerprints for each
753 individual filing an application under this section and each
754 individual who is substantially involved in the development,
755 operation, or management of the innovative financial product or
756 service for live-scan processing in accordance with rules
757 adopted by the office.
758 1. The fingerprints may be submitted through a third-party
759 vendor authorized by the Department of Law Enforcement to
760 provide live-scan fingerprinting.
761 2. The Department of Law Enforcement must conduct the state
762 criminal history background check, and a federal criminal
763 history background check must be conducted through the Federal
764 Bureau of Investigation.
765 3. All fingerprints submitted to the Department of Law
766 Enforcement must be submitted electronically and entered into
767 the statewide automated fingerprint identification system
768 established in s. 943.05(2)(b) and available for use in
769 accordance with s. 943.05(2)(g) and (h). The office shall pay an
770 annual fee to the Department of Law Enforcement to participate
771 in the system and shall inform the Department of Law Enforcement
772 of any person whose fingerprints no longer must be retained.
773 4. The office shall review the results of the state and
774 federal criminal history background checks and determine whether
775 the applicant meets the office’s requirements.
776 5. For purposes of this paragraph, fingerprints are not
777 required to be submitted if the applicant is a publicly traded
778 corporation or is exempted under s. 560.104(1). The term
779 “publicly traded” means a stock is currently traded on a
780 national securities exchange registered with the Securities and
781 Exchange Commission or traded on an exchange in a country other
782 than the United States which is regulated by a regulator
783 equivalent to the Securities and Exchange Commission and the
784 disclosure and reporting requirements of such regulator are
785 substantially similar to those of the Securities and Exchange
786 Commission.
787 (e) The commissioner shall approve or deny in writing a
788 Financial Technology Sandbox application within 60 days after
789 receiving the completed application. The commissioner and the
790 applicant may jointly agree to extend the time beyond 60 days.
791 The commissioner may impose conditions on any approval,
792 consistent with this section. In deciding to approve or deny an
793 application, the commissioner must consider each of the
794 following:
795 1. The nature of the innovative financial product or
796 service proposed to be made available to consumers in the
797 Financial Technology Sandbox, including all relevant technical
798 details, which may include whether the product or service uses
799 blockchain technology.
800 2. The potential risk to consumers and the methods that
801 will be used to protect consumers and resolve complaints during
802 the sandbox period.
803 3. The business plan proposed by the applicant, including a
804 statement of arranged capital.
805 4. Whether the applicant has the necessary personnel,
806 adequate financial and technical expertise, and a sufficient
807 plan to test, monitor, and assess the innovative financial
808 product or service.
809 5. Whether any person substantially involved in the
810 development, operation, or management of the innovative
811 financial product or service has been convicted of, or is
812 currently under investigation for, fraud, a state or federal
813 securities violation, or any property-based offense.
814 6. A copy of the disclosures that will be provided to
815 consumers under paragraph (6)(c).
816 7. Any other factor that the commissioner determines to be
817 relevant.
818 (f) If an application is approved pursuant to paragraph
819 (e), the commissioner shall specify the general law or rule
820 requirements, or portions thereof, for which a waiver is granted
821 and the length of the initial sandbox period, not to exceed 24
822 months. The commissioner shall post on the office’s website
823 notice of the approval of the application, a summary of the
824 innovative financial product or service, and the contact
825 information of the person making the financial product or
826 service available.
827 (g) A person whose Financial Technology Sandbox application
828 is approved shall post a consumer protection bond with the
829 commissioner as security for potential losses suffered by
830 consumers. The commissioner shall determine the bond amount,
831 which must be at least $10,000 and commensurate with the risk
832 profile of the innovative financial product or service. The
833 commissioner may require that a bond under this paragraph be
834 increased or decreased at any time based on the risk profile.
835 Unless a bond is enforced under subparagraph (11)(b)2., the
836 commissioner shall cancel the bond or allow it to expire 2 years
837 after the date of the conclusion of the sandbox period.
838 (6) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
839 (a) A person whose Financial Technology Sandbox application
840 is approved may make an innovative financial product or service
841 available to consumers during the sandbox period.
842 (b) The commissioner may, on a case-by-case basis, specify
843 the maximum number of consumers authorized to receive an
844 innovative financial product or service, after consultation with
845 the person who makes the financial product or service available
846 to consumers.
847 (c)1. Before a consumer purchases or enters into an
848 agreement to receive an innovative financial product or service
849 through the Financial Technology Sandbox, the person making the
850 financial product or service available must provide a written
851 statement of all of the following to the consumer:
852 a. The name and contact information of the person making
853 the financial product or service available to consumers.
854 b. That the financial product or service has been
855 authorized to be made available to consumers for a temporary
856 period by the commissioner, under the laws of this state.
857 c. That the state does not endorse the financial product or
858 service and is not subject to liability for losses or damages
859 caused by the financial product or service.
860 d. That the financial product or service is undergoing
861 testing, may not function as intended, and may entail financial
862 risk.
863 e. That the person making the product or service available
864 to consumers is not immune from civil liability for any losses
865 or damages caused by the financial product or service.
866 f. The expected end date of the sandbox period.
867 g. The name and contact information of the commissioner,
868 and notification that suspected legal violations, complaints, or
869 other comments related to the financial product or service may
870 be submitted to the commissioner.
871 h. Any other statements or disclosures required by rule of
872 the commissioner which are necessary to further the purposes of
873 this section.
874 2. The written statement must contain an acknowledgement
875 from the consumer, which must be retained for the duration of
876 the sandbox period by the person making the financial product or
877 service available.
878 (d) The commissioner may enter into an agreement with a
879 state, federal, or foreign regulatory agency to allow persons:
880 1. Who make an innovative financial product or service
881 available in this state through the Financial Technology Sandbox
882 to make their products or services available in other
883 jurisdictions.
884 2. Who operate in similar financial technology sandboxes in
885 other jurisdictions to make innovative financial products and
886 services available in this state under the standards of this
887 section.
888 (e)1. A person whose Financial Technology Sandbox
889 application is approved by the commissioner shall maintain
890 comprehensive records relating to the innovative financial
891 product or service. The person shall keep these records for at
892 least 5 years after the conclusion of the sandbox period. The
893 commissioner may specify by rule additional records
894 requirements.
895 2. The commissioner may examine the records maintained
896 under subparagraph 1. at any time, with or without notice. All
897 direct and indirect costs of an examination conducted under this
898 subparagraph shall be paid by the person making the innovative
899 financial product or service available to consumers.
900 (7) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
901 (a) A person who is authorized to make an innovative
902 financial product or service available to consumers may apply
903 for an extension of the initial sandbox period for up to 12
904 additional months, with the option of multiple extensions for
905 the purpose of pursuing licensure from the office. An
906 application for an extension must be made at least 60 days
907 before the conclusion of the initial sandbox period or, if the
908 extension is a second or subsequent extension, at least 60 days
909 before the conclusion of the current extension. The commissioner
910 shall approve or deny the application for extension in writing
911 at least 35 days before the conclusion of the initial sandbox
912 period or the conclusion of the current extension, if
913 applicable.
914 (b) An application for an extension under paragraph (a)
915 must cite one of the following reasons as the basis for the
916 application and must provide all relevant supporting information
917 that:
918 1. Amendments to general law or rules are necessary to
919 conduct financial technology business in this state permanently.
920 2. An application for a license or other authorization
921 required to conduct business in this state has been filed with
922 the appropriate office, and approval is pending.
923 (c) Unless granted an extension under this subsection at
924 least 30 days before the conclusion of the initial sandbox
925 period or the current extension, a person who makes an
926 innovative financial product or service available shall provide
927 written notification to consumers regarding the conclusion of
928 the initial sandbox period or the current extension and may not
929 make the financial product or service available to any new
930 consumers after the conclusion of the initial sandbox period or
931 the current extension until legal authority outside of the
932 Financial Technology Sandbox exists to make the financial
933 product or service available to consumers. The person shall wind
934 down operations with existing consumers within 60 days after the
935 conclusion of the sandbox period or the current extension,
936 except that, after the 60th day, the person may:
937 1. Collect and receive money owed to the person and service
938 loans made by the person, based on agreements with consumers
939 made before the conclusion of the sandbox period or the current
940 extension.
941 2. Take necessary legal action.
942 3. Take other actions authorized by rule by the
943 commissioner which are not inconsistent with this subsection.
944 (8) REPORT.—A person authorized to make an innovative
945 financial product or service available to consumers under
946 subsection (5) shall submit a report to the commissioner twice a
947 year as prescribed by rule.
948 (9) CONSTRUCTION.—
949 (a) A person whose Financial Technology Sandbox application
950 is approved shall be deemed to possess an appropriate license
951 under any general law requiring state licensure or
952 authorization.
953 (b) Authorization to make an innovative financial product
954 or service available to consumers under subsection (5) does not
955 create a property right.
956 (c) The state does not endorse the financial product or
957 service and is not subject to liability for losses or damages
958 caused by the financial product or service.
959 (10) VIOLATIONS AND PENALTIES.—
960 (a) A person who makes an innovative financial product or
961 service available to consumers in the Financial Technology
962 Sandbox is:
963 1. Not immune from civil damages for acts and omissions
964 relating to this section.
965 2. Subject to all criminal and consumer protection laws.
966 (b)1. The commissioner may, by order, revoke or suspend
967 authorization granted to a person to make an innovative
968 financial product or service available to consumers if:
969 a. The person has violated or refused to comply with this
970 section or any rule, order, or decision adopted by the
971 commissioner;
972 b. A fact or condition exists that, if it had existed or
973 become known at the time of the Financial Technology Sandbox
974 application, would have warranted denial of the application or
975 the imposition of material conditions;
976 c. A material error, false statement, misrepresentation, or
977 material omission was made in the Financial Technology Sandbox
978 application; or
979 d. After consultation with the person, continued testing of
980 the innovative financial product or service would:
981 (I) Be likely to harm consumers; or
982 (II) No longer serve the purposes of this section because
983 of the financial or operational failure of the financial product
984 or service.
985 2. Written notice of a revocation or suspension order made
986 under subparagraph 1. shall be served using any means authorized
987 by law. If the notice relates to a suspension, the notice must
988 include any condition or remedial action that the person must
989 complete before the commissioner lifts the suspension.
990 (c) The commissioner may refer any suspected violation of
991 law relating to this section to an appropriate state or federal
992 agency for investigation, prosecution, civil penalties, and
993 other appropriate enforcement actions.
994 (d) If service of process on a person making an innovative
995 financial product or service available to consumers in the
996 Financial Technology Sandbox is not feasible, service on the
997 commissioner shall be deemed service on such person.
998 (11) RULES AND ORDERS.—
999 (a) The office and the commissioner shall adopt rules to
1000 administer this section.
1001 (b) The commissioner may issue all necessary orders to
1002 enforce this section and may enforce these orders in any court
1003 of competent jurisdiction. These orders include, but are not
1004 limited to, orders for:
1005 1. Payment of restitution.
1006 2. Enforcement of a bond, or a portion of a bond, posted
1007 under paragraph (5)(g). The commissioner shall use proceeds from
1008 such bonds to offset losses suffered by consumers as a result of
1009 an innovative financial product or service.
1010 Section 10. This act shall take effect July 1, 2020.