Florida Senate - 2020 CS for CS for SB 1870
By the Committees on Banking and Insurance; and Innovation,
Industry, and Technology; and Senator Hutson
597-03961-20 20201870c2
1 A bill to be entitled
2 An act relating to technology innovation; amending s.
3 20.22, F.S.; renaming the Division of State Technology
4 within the Department of Management Services as the
5 Division of Telecommunications; deleting provisions
6 relating to the appointment of the Division of State
7 Technology’s director and qualifications for the state
8 chief information officer; adding the Florida Digital
9 Service to the department; amending s. 282.0041, F.S.;
10 defining terms; revising the definition of the term
11 “open data”; amending s. 282.0051, F.S.; establishing
12 the Florida Digital Service within the department;
13 transferring specified powers, duties, and functions
14 of the department to the Florida Digital Service and
15 revising such powers, duties, and functions; providing
16 for designations of a state chief information officer
17 and a chief data officer and specifying their duties;
18 specifying duties of, and authorized actions by, the
19 Florida Digital Service pursuant to legislative
20 appropriation; providing duties of, and authorized
21 actions by, the department, subject to legislative
22 authorization and appropriation; authorizing the
23 Florida Digital Service to adopt rules; amending s.
24 282.00515, F.S.; revising standards that the
25 Department of Legal Affairs, the Department of
26 Financial Services, and the Department of Agriculture
27 and Consumer Services must adopt; specifying
28 notification requirements to the Governor and the
29 Legislature if such an agency adopts alternative
30 standards; providing construction; prohibiting the
31 Florida Digital Service from retrieving or publishing
32 data without a data sharing agreement with such an
33 agency; amending ss. 282.318, 287.0591, 365.171,
34 365.172, 365.173, and 943.0415, F.S.; conforming
35 provisions to changes made by the act; creating s.
36 559.952, F.S.; providing a short title; creating the
37 Financial Technology Sandbox within the Office of
38 Financial Regulation; defining terms; requiring the
39 office, if certain conditions are met, to grant a
40 license to a Financial Technology Sandbox applicant,
41 grant exceptions to specified provisions of general
42 law relating to consumer finance loans and money
43 services businesses, and grant waivers of certain
44 rules; authorizing a substantially affected person to
45 seek a declaratory statement before applying to the
46 Financial Technology Sandbox; specifying application
47 requirements and procedures; specifying requirements,
48 restrictions, and procedures for the office in
49 reviewing and approving or denying applications;
50 requiring the office to post on its website certain
51 information relating to approved applications;
52 specifying authorized actions of, limitations on, and
53 requirements for licensees operating in the Financial
54 Technology Sandbox; specifying disclosure requirements
55 for licensees to consumers; authorizing the office to
56 enter into certain agreements with other regulatory
57 agencies; authorizing the office to examine licensee
58 records; authorizing a licensee to apply for an
59 extension of an initial sandbox period for a certain
60 timeframe; specifying requirements and procedures for
61 applying for an extension; specifying requirements and
62 procedures for, and authorized actions of, licensees
63 when concluding a sandbox period or extension;
64 requiring licensees to submit certain reports to the
65 office at specified intervals; providing construction;
66 specifying the liability of a licensee; authorizing
67 the office to take certain disciplinary actions
68 against a licensee under certain circumstances;
69 providing construction relating to service of process;
70 specifying the rulemaking authority of the Financial
71 Services Commission; providing the office authority to
72 issue orders and enforce the orders; providing an
73 appropriation; providing effective dates.
74
75 Be It Enacted by the Legislature of the State of Florida:
76
77 Section 1. Subsection (2) of section 20.22, Florida
78 Statutes, is amended to read:
79 20.22 Department of Management Services.—There is created a
80 Department of Management Services.
81 (2) The following divisions and programs within the
82 Department of Management Services shall consist of the following
83 are established:
84 (a) The Facilities Program.
85 (b) The Division of Telecommunications State Technology,
86 the director of which is appointed by the secretary of the
87 department and shall serve as the state chief information
88 officer. The state chief information officer must be a proven,
89 effective administrator who must have at least 10 years of
90 executive-level experience in the public or private sector,
91 preferably with experience in the development of information
92 technology strategic planning and the development and
93 implementation of fiscal and substantive information technology
94 policy and standards.
95 (c) The Workforce Program.
96 (d)1. The Support Program.
97 2. The Federal Property Assistance Program.
98 (e) The Administration Program.
99 (f) The Division of Administrative Hearings.
100 (g) The Division of Retirement.
101 (h) The Division of State Group Insurance.
102 (i) The Florida Digital Service.
103 Section 2. Section 282.0041, Florida Statutes, is amended
104 to read:
105 282.0041 Definitions.—As used in this chapter, the term:
106 (1) “Agency assessment” means the amount each customer
107 entity must pay annually for services from the Department of
108 Management Services and includes administrative and data center
109 services costs.
110 (2) “Agency data center” means agency space containing 10
111 or more physical or logical servers.
112 (3) “Breach” has the same meaning as provided in s.
113 501.171.
114 (4) “Business continuity plan” means a collection of
115 procedures and information designed to keep an agency’s critical
116 operations running during a period of displacement or
117 interruption of normal operations.
118 (5) “Cloud computing” has the same meaning as provided in
119 Special Publication 800-145 issued by the National Institute of
120 Standards and Technology.
121 (6) “Computing facility” or “agency computing facility”
122 means agency space containing fewer than a total of 10 physical
123 or logical servers, but excluding single, logical-server
124 installations that exclusively perform a utility function such
125 as file and print servers.
126 (7) “Credential service provider” means a provider
127 competitively procured by the department to supply secure
128 identity management and verification services based on open
129 standards to qualified entities.
130 (8) “Customer entity” means an entity that obtains services
131 from the Department of Management Services.
132 (9)(8) “Data” means a subset of structured information in a
133 format that allows such information to be electronically
134 retrieved and transmitted.
135 (10) “Data-call” means an electronic transaction with the
136 credential service provider that verifies the authenticity of a
137 digital identity by querying enterprise data.
138 (11)(9) “Department” means the Department of Management
139 Services.
140 (12)(10) “Disaster recovery” means the process, policies,
141 procedures, and infrastructure related to preparing for and
142 implementing recovery or continuation of an agency’s vital
143 technology infrastructure after a natural or human-induced
144 disaster.
145 (13) “Electronic” means technology having electrical,
146 digital, magnetic, wireless, optical, electromagnetic, or
147 similar capabilities.
148 (14) “Electronic credential” means an electronic
149 representation of the identity of a person, an organization, an
150 application, or a device.
151 (15) “Enterprise” means the collection of state agencies as
152 defined in subsection (35). The term includes the Department of
153 Legal Affairs, the Department of Agriculture and Consumer
154 Services, and the Department of Financial Services.
155 (16) “Enterprise architecture” means a comprehensive
156 operational framework that contemplates the needs and assets of
157 the enterprise to support interoperability across state
158 government.
159 (17)(11) “Enterprise information technology service” means
160 an information technology service that is used in all agencies
161 or a subset of agencies and is established in law to be
162 designed, delivered, and managed at the enterprise level.
163 (18)(12) “Event” means an observable occurrence in a system
164 or network.
165 (19)(13) “Incident” means a violation or imminent threat of
166 violation, whether such violation is accidental or deliberate,
167 of information technology resources, security, policies, or
168 practices. An imminent threat of violation refers to a situation
169 in which the state agency has a factual basis for believing that
170 a specific incident is about to occur.
171 (20)(14) “Information technology” means equipment,
172 hardware, software, firmware, programs, systems, networks,
173 infrastructure, media, and related material used to
174 automatically, electronically, and wirelessly collect, receive,
175 access, transmit, display, store, record, retrieve, analyze,
176 evaluate, process, classify, manipulate, manage, assimilate,
177 control, communicate, exchange, convert, converge, interface,
178 switch, or disseminate information of any kind or form.
179 (21)(15) “Information technology policy” means a definite
180 course or method of action selected from among one or more
181 alternatives that guide and determine present and future
182 decisions.
183 (22)(16) “Information technology resources” has the same
184 meaning as provided in s. 119.011.
185 (23)(17) “Information technology security” means the
186 protection afforded to an automated information system in order
187 to attain the applicable objectives of preserving the integrity,
188 availability, and confidentiality of data, information, and
189 information technology resources.
190 (24) “Interoperability” means the technical ability to
191 share and use data across and throughout the enterprise.
192 (25)(18) “Open data” means data collected or created by a
193 state agency, including the Department of Legal Affairs, the
194 Department of Agriculture and Consumer Services, and the
195 Department of Financial Services, and structured in a way that
196 enables the data to be fully discoverable and usable by the
197 public. The term does not include data that are restricted from
198 public disclosure distribution based on federal or state
199 privacy, confidentiality, and security laws and regulations or
200 data for which a state agency is statutorily authorized to
201 assess a fee for its distribution.
202 (26)(19) “Performance metrics” means the measures of an
203 organization’s activities and performance.
204 (27)(20) “Project” means an endeavor that has a defined
205 start and end point; is undertaken to create or modify a unique
206 product, service, or result; and has specific objectives that,
207 when attained, signify completion.
208 (28)(21) “Project oversight” means an independent review
209 and analysis of an information technology project that provides
210 information on the project’s scope, completion timeframes, and
211 budget and that identifies and quantifies issues or risks
212 affecting the successful and timely completion of the project.
213 (29) “Qualified entity” means a public or private entity or
214 individual that enters into a binding agreement with the
215 department, meets usage criteria, agrees to terms and
216 conditions, and is subsequently and prescriptively authorized by
217 the department to access data under the terms of that agreement
218 as specified in s. 282.0051.
219 (30)(22) “Risk assessment” means the process of identifying
220 security risks, determining their magnitude, and identifying
221 areas needing safeguards.
222 (31)(23) “Service level” means the key performance
223 indicators (KPI) of an organization or service which must be
224 regularly performed, monitored, and achieved.
225 (32)(24) “Service-level agreement” means a written contract
226 between the Department of Management Services and a customer
227 entity which specifies the scope of services provided, service
228 level, the duration of the agreement, the responsible parties,
229 and service costs. A service-level agreement is not a rule
230 pursuant to chapter 120.
231 (33)(25) “Stakeholder” means a person, group, organization,
232 or state agency involved in or affected by a course of action.
233 (34)(26) “Standards” means required practices, controls,
234 components, or configurations established by an authority.
235 (35)(27) “State agency” means any official, officer,
236 commission, board, authority, council, committee, or department
237 of the executive branch of state government; the Justice
238 Administrative Commission; and the Public Service Commission.
239 The term does not include university boards of trustees or state
240 universities. As used in part I of this chapter, except as
241 otherwise specifically provided, the term does not include the
242 Department of Legal Affairs, the Department of Agriculture and
243 Consumer Services, or the Department of Financial Services.
244 (36)(28) “SUNCOM Network” means the state enterprise
245 telecommunications system that provides all methods of
246 electronic or optical telecommunications beyond a single
247 building or contiguous building complex and used by entities
248 authorized as network users under this part.
249 (37)(29) “Telecommunications” means the science and
250 technology of communication at a distance, including electronic
251 systems used in the transmission or reception of information.
252 (38)(30) “Threat” means any circumstance or event that has
253 the potential to adversely impact a state agency’s operations or
254 assets through an information system via unauthorized access,
255 destruction, disclosure, or modification of information or
256 denial of service.
257 (39)(31) “Variance” means a calculated value that
258 illustrates how far positive or negative a projection has
259 deviated when measured against documented estimates within a
260 project plan.
261 Section 3. Section 282.0051, Florida Statutes, is amended
262 to read:
263 282.0051 Florida Digital Service Department of Management
264 Services; powers, duties, and functions.—There is established
265 the Florida Digital Service within the department to create
266 innovative solutions that securely modernize state government,
267 achieve value through digital transformation and
268 interoperability, and fully support the cloud-first policy as
269 specified in s. 282.206.
270 (1) The Florida Digital Service department shall have the
271 following powers, duties, and functions:
272 (a)(1) Develop and publish information technology policy
273 for the management of the state’s information technology
274 resources.
275 (b)(2) Develop an enterprise architecture that:
276 1. Acknowledges the unique needs of those included within
277 the enterprise, resulting in the publication of standards,
278 terminologies, and procurement guidelines to facilitate digital
279 interoperability;
280 2. Supports the cloud-first policy as specified in s.
281 282.206; and
282 3. Addresses how information technology infrastructure may
283 be modernized to achieve cloud-first objectives Establish and
284 publish information technology architecture standards to provide
285 for the most efficient use of the state’s information technology
286 resources and to ensure compatibility and alignment with the
287 needs of state agencies. The department shall assist state
288 agencies in complying with the standards.
289 (c)(3) Establish project management and oversight standards
290 with which state agencies must comply when implementing projects
291 that have an information technology component projects. The
292 Florida Digital Service department shall provide training
293 opportunities to state agencies to assist in the adoption of the
294 project management and oversight standards. To support data-
295 driven decisionmaking, the standards must include, but are not
296 limited to:
297 1.(a) Performance measurements and metrics that objectively
298 reflect the status of a project with an information technology
299 component project based on a defined and documented project
300 scope, cost, and schedule.
301 2.(b) Methodologies for calculating acceptable variances in
302 the projected versus actual scope, schedule, or cost of a
303 project with an information technology component project.
304 3.(c) Reporting requirements, including requirements
305 designed to alert all defined stakeholders that a project with
306 an information technology component project has exceeded
307 acceptable variances defined and documented in a project plan.
308 4.(d) Content, format, and frequency of project updates.
309 (d)(4) Perform project oversight on all state agency
310 information technology projects that have an information
311 technology component with a total project cost costs of $10
312 million or more and that are funded in the General
313 Appropriations Act or any other law. The Florida Digital Service
314 department shall report at least quarterly to the Executive
315 Office of the Governor, the President of the Senate, and the
316 Speaker of the House of Representatives on any project with an
317 information technology component project that the Florida
318 Digital Service department identifies as high-risk due to the
319 project exceeding acceptable variance ranges defined and
320 documented in a project plan. The report must include a risk
321 assessment, including fiscal risks, associated with proceeding
322 to the next stage of the project, and a recommendation for
323 corrective actions required, including suspension or termination
324 of the project. The Florida Digital Service shall establish a
325 process for state agencies to apply for an exception to the
326 requirements of this paragraph for a specific project with an
327 information technology component.
328 (e)(5) Identify opportunities for standardization and
329 consolidation of information technology services that support
330 interoperability and the cloud-first policy as specified in s.
331 282.206, business functions and operations, including
332 administrative functions such as purchasing, accounting and
333 reporting, cash management, and personnel, and that are common
334 across state agencies. The Florida Digital Service department
335 shall biennially on April 1 provide recommendations for
336 standardization and consolidation to the Executive Office of the
337 Governor, the President of the Senate, and the Speaker of the
338 House of Representatives.
339 (f)(6) Establish best practices for the procurement of
340 information technology products and cloud-computing services in
341 order to reduce costs, increase the quality of data center
342 services, or improve government services.
343 (g)(7) Develop standards for information technology reports
344 and updates, including, but not limited to, operational work
345 plans, project spend plans, and project status reports, for use
346 by state agencies.
347 (h)(8) Upon request, assist state agencies in the
348 development of information technology-related legislative budget
349 requests.
350 (i)(9) Conduct annual assessments of state agencies to
351 determine compliance with all information technology standards
352 and guidelines developed and published by the Florida Digital
353 Service department and provide results of the assessments to the
354 Executive Office of the Governor, the President of the Senate,
355 and the Speaker of the House of Representatives.
356 (j)(10) Provide operational management and oversight of the
357 state data center established pursuant to s. 282.201, which
358 includes:
359 1.(a) Implementing industry standards and best practices
360 for the state data center’s facilities, operations, maintenance,
361 planning, and management processes.
362 2.(b) Developing and implementing cost-recovery or other
363 payment mechanisms that recover the full direct and indirect
364 cost of services through charges to applicable customer
365 entities. Such cost-recovery or other payment mechanisms must
366 comply with applicable state and federal regulations concerning
367 distribution and use of funds and must ensure that, for any
368 fiscal year, no service or customer entity subsidizes another
369 service or customer entity.
370 3.(c) Developing and implementing appropriate operating
371 guidelines and procedures necessary for the state data center to
372 perform its duties pursuant to s. 282.201. The guidelines and
373 procedures must comply with applicable state and federal laws,
374 regulations, and policies and conform to generally accepted
375 governmental accounting and auditing standards. The guidelines
376 and procedures must include, but need not be limited to:
377 a.1. Implementing a consolidated administrative support
378 structure responsible for providing financial management,
379 procurement, transactions involving real or personal property,
380 human resources, and operational support.
381 b.2. Implementing an annual reconciliation process to
382 ensure that each customer entity is paying for the full direct
383 and indirect cost of each service as determined by the customer
384 entity’s use of each service.
385 c.3. Providing rebates that may be credited against future
386 billings to customer entities when revenues exceed costs.
387 d.4. Requiring customer entities to validate that
388 sufficient funds exist in the appropriate data processing
389 appropriation category or will be transferred into the
390 appropriate data processing appropriation category before
391 implementation of a customer entity’s request for a change in
392 the type or level of service provided, if such change results in
393 a net increase to the customer entity’s cost for that fiscal
394 year.
395 e.5. By November 15 of each year, providing to the Office
396 of Policy and Budget in the Executive Office of the Governor and
397 to the chairs of the legislative appropriations committees the
398 projected costs of providing data center services for the
399 following fiscal year.
400 f.6. Providing a plan for consideration by the Legislative
401 Budget Commission if the cost of a service is increased for a
402 reason other than a customer entity’s request made pursuant to
403 sub-subparagraph d. subparagraph 4. Such a plan is required only
404 if the service cost increase results in a net increase to a
405 customer entity for that fiscal year.
406 g.7. Standardizing and consolidating procurement and
407 contracting practices.
408 4.(d) In collaboration with the Department of Law
409 Enforcement, developing and implementing a process for
410 detecting, reporting, and responding to information technology
411 security incidents, breaches, and threats.
412 5.(e) Adopting rules relating to the operation of the state
413 data center, including, but not limited to, budgeting and
414 accounting procedures, cost-recovery or other payment
415 methodologies, and operating procedures.
416 (f) Conducting an annual market analysis to determine
417 whether the state’s approach to the provision of data center
418 services is the most effective and cost-efficient manner by
419 which its customer entities can acquire such services, based on
420 federal, state, and local government trends; best practices in
421 service provision; and the acquisition of new and emerging
422 technologies. The results of the market analysis shall assist
423 the state data center in making adjustments to its data center
424 service offerings.
425 (k)(11) Recommend other information technology services
426 that should be designed, delivered, and managed as enterprise
427 information technology services. Recommendations must include
428 the identification of existing information technology resources
429 associated with the services, if existing services must be
430 transferred as a result of being delivered and managed as
431 enterprise information technology services.
432 (l)(12) In consultation with state agencies, propose a
433 methodology and approach for identifying and collecting both
434 current and planned information technology expenditure data at
435 the state agency level.
436 (m)1.(13)(a) Notwithstanding any other law, provide project
437 oversight on any project with an information technology
438 component project of the Department of Financial Services, the
439 Department of Legal Affairs, and the Department of Agriculture
440 and Consumer Services which has a total project cost of $25
441 million or more and which impacts one or more other agencies.
442 Such projects with an information technology component projects
443 must also comply with the applicable information technology
444 architecture, project management and oversight, and reporting
445 standards established by the Florida Digital Service department.
446 The Florida Digital Service shall establish a process for the
447 Department of Financial Services, the Department of Legal
448 Affairs, and the Department of Agriculture and Consumer Services
449 to apply for an exception to the requirements of this paragraph
450 for a specific project with an information technology component.
451 2.(b) When performing the project oversight function
452 specified in subparagraph 1. paragraph (a), report at least
453 quarterly to the Executive Office of the Governor, the President
454 of the Senate, and the Speaker of the House of Representatives
455 on any project with an information technology component project
456 that the Florida Digital Service department identifies as high-
457 risk due to the project exceeding acceptable variance ranges
458 defined and documented in the project plan. The report shall
459 include a risk assessment, including fiscal risks, associated
460 with proceeding to the next stage of the project and a
461 recommendation for corrective actions required, including
462 suspension or termination of the project.
463 (n)(14) If a project with an information technology
464 component project implemented by a state agency must be
465 connected to or otherwise accommodated by an information
466 technology system administered by the Department of Financial
467 Services, the Department of Legal Affairs, or the Department of
468 Agriculture and Consumer Services, consult with these
469 departments regarding the risks and other effects of such
470 projects on their information technology systems and work
471 cooperatively with these departments regarding the connections,
472 interfaces, timing, or accommodations required to implement such
473 projects.
474 (o)(15) If adherence to standards or policies adopted by or
475 established pursuant to this section causes conflict with
476 federal regulations or requirements imposed on a state agency
477 and results in adverse action against the state agency or
478 federal funding, work with the state agency to provide
479 alternative standards, policies, or requirements that do not
480 conflict with the federal regulation or requirement. The Florida
481 Digital Service department shall annually report such
482 alternative standards to the Governor, the President of the
483 Senate, and the Speaker of the House of Representatives.
484 (p)1.(16)(a) Establish an information technology policy for
485 all information technology-related state contracts, including
486 state term contracts for information technology commodities,
487 consultant services, and staff augmentation services. The
488 information technology policy must include:
489 a.1. Identification of the information technology product
490 and service categories to be included in state term contracts.
491 b.2. Requirements to be included in solicitations for state
492 term contracts.
493 c.3. Evaluation criteria for the award of information
494 technology-related state term contracts.
495 d.4. The term of each information technology-related state
496 term contract.
497 e.5. The maximum number of vendors authorized on each state
498 term contract.
499 2.(b) Evaluate vendor responses for information technology-
500 related state term contract solicitations and invitations to
501 negotiate.
502 3.(c) Answer vendor questions on information technology-
503 related state term contract solicitations.
504 4.(d) Ensure that the information technology policy
505 established pursuant to subparagraph 1. paragraph (a) is
506 included in all solicitations and contracts that are
507 administratively executed by the department.
508 (q)(17) Recommend potential methods for standardizing data
509 across state agencies which will promote interoperability and
510 reduce the collection of duplicative data.
511 (r)(18) Recommend open data technical standards and
512 terminologies for use by the enterprise state agencies.
513 (2)(a) The Secretary of Management Services shall designate
514 a state chief information officer, who shall administer the
515 Florida Digital Service and is included in the Senior Management
516 Service.
517 (b) The state chief information officer shall designate a
518 chief data officer, who shall report to the state chief
519 information officer and is included in the Senior Management
520 Service.
521 (3) The Florida Digital Service shall, pursuant to
522 legislative appropriation:
523 (a) Create and maintain a comprehensive indexed data
524 catalog that lists what data elements are housed within the
525 enterprise and in which legacy system or application these data
526 elements are located.
527 (b) Develop and publish, in collaboration with the
528 enterprise, a data dictionary for each agency which reflects the
529 nomenclature in the comprehensive indexed data catalog.
530 (c) Review and document use cases across the enterprise
531 architecture.
532 (d) Develop and publish standards that support the creation
533 and deployment of application programming interfaces to
534 facilitate integration throughout the enterprise.
535 (e) Publish standards necessary to facilitate a secure
536 ecosystem of data interoperability which is compliant with the
537 enterprise architecture and allows for a qualified entity to
538 access the enterprise’s data under the terms of the agreements
539 with the department. However, enterprise data do not include
540 data that are restricted from public distribution based on
541 federal or state privacy, confidentiality, or security laws and
542 regulations.
543 (f) Publish standards that facilitate the deployment of
544 applications or solutions to existing enterprise obligations in
545 a controlled and phased approach, including, but not limited to:
546 1. Electronic credentials, including digital proofs of a
547 driver license as specified in s. 322.032.
548 2. Interoperability that enables supervisors of elections
549 to authenticate voter eligibility in real time at the point of
550 service.
551 3. The criminal justice database.
552 4. Motor vehicle insurance cancellation integration between
553 insurers and the Department of Highway Safety and Motor
554 Vehicles.
555 5. Interoperability solutions between agencies, including,
556 but not limited to, the Department of Health, the Agency for
557 Health Care Administration, the Agency for Persons with
558 Disabilities, the Department of Education, the Department of
559 Elderly Affairs, and the Department of Children and Families.
560 6. Interoperability solutions to support military members,
561 veterans, and their families.
562 (4) Pursuant to legislative authorization and subject to
563 appropriation:
564 (a) The department may procure a credential service
565 provider through a competitive process pursuant to s. 287.057.
566 The terms of the contract developed from such procurement must
567 pay for the value on a per-data-call or subscription basis, and
568 there shall be no cost to the enterprise or law enforcement for
569 using the services provided by the credential service provider.
570 (b) The department may enter into agreements with qualified
571 entities that have the technological capabilities necessary to
572 integrate with the credential service provider; ensure secure
573 validation and authentication of data; meet usage criteria; and
574 agree to terms and conditions, privacy policies, and uniform
575 remittance terms relating to the consumption of enterprise data.
576 Enterprise data do not include data that are restricted from
577 public disclosure based on federal or state privacy,
578 confidentiality, or security laws and regulations. These
579 agreements must include clear, enforceable, and significant
580 penalties for violations of the agreements.
581 (c) The terms of the agreements between the department and
582 the credential service provider and between the department and
583 the qualified entities must be based on the per-data-call or
584 subscription charges to validate and authenticate an electronic
585 credential and allow the department to recover any state costs
586 for implementing and administering an electronic credential
587 solution. Credential service provider and qualifying entity
588 revenues may not be derived from any other transactions that
589 generate revenue for the enterprise outside of the per-data-call
590 or subscription charges.
591 (d) All revenues generated from the agreements with the
592 credential service provider and qualified entities shall be
593 remitted to the department, and the department shall deposit
594 these revenues into the Department of Management Services
595 Operating Trust Fund for distribution pursuant to a legislative
596 appropriation and department agreements with the credential
597 service provider and qualified entities.
598 (e) Upon the signing of the agreement and the enterprise
599 architecture terms of service and privacy policies with a
600 qualified entity, the department shall facilitate authorized
601 integrations between the qualified entity and the credential
602 service provider.
603 (5) Upon the adoption of the enterprise architecture, the
604 Florida Digital Service may develop a process to:
605 (a) Receive written notice from the enterprise of any
606 procurement of an information technology project that is subject
607 to enterprise architecture standards.
608 (b) Participate in the development of specifications and
609 recommend modifications of any procurement by state agencies so
610 that the procurement complies with the enterprise architecture.
611 (6)(19) The Florida Digital Service may adopt rules to
612 administer this section.
613 Section 4. Section 282.00515, Florida Statutes, is amended
614 to read:
615 282.00515 Duties of Cabinet agencies.—
616 (1) The Department of Legal Affairs, the Department of
617 Financial Services, and the Department of Agriculture and
618 Consumer Services shall adopt the standards established in s.
619 282.0051(1)(b), (c), (g), (r), and (3)(e) s. 282.0051(2), (3),
620 and (7) or adopt alternative standards based on best practices
621 and industry standards that allow for the interoperability of
622 open data within the enterprise.
623 (2) If the Department of Legal Affairs, the Department of
624 Financial Services, or the Department of Agriculture and
625 Consumer Services adopts alternative standards in lieu of the
626 enterprise architecture standards in s. 282.0051, such agency
627 shall notify the Governor, the President of the Senate, and
628 Speaker of the House of Representatives in writing before the
629 adoption of the alternative standards and annually thereafter,
630 until such agency adopts the enterprise architecture standards
631 in s. 282.0051. The notification must include the following:
632 (a) A detailed plan of how such agency will comply with the
633 interoperability requirements referenced in this chapter.
634 (b) An estimated cost and time difference between adhering
635 to the enterprise architecture or choosing alternative
636 standards.
637 (c) A detailed security risk assessment of adopting
638 alternative standards versus adopting the enterprise
639 architecture.
640 (d) Certification by the agency head or the agency head’s
641 designated representative that the agency’s strategic and
642 operational information technology security plans as required by
643 s. 282.318(4) include provisions related to interoperability.
644 (3) The Department of Legal Affairs, the Department of
645 Financial Services, or the Department of Agriculture and
646 Consumer Services may contract with the department to provide or
647 perform any of the services and functions described in s.
648 282.0051.
649 (4)(a) This section or s. 282.0051 does not require the
650 Department of Legal Affairs, the Department of Financial
651 Services, or the Department of Agriculture and Consumer Services
652 to integrate with any information technology outside its own
653 department or contract with a credential service provider.
654 (b) The Florida Digital Service may not retrieve or publish
655 data without a data sharing agreement in place between the
656 Florida Digital Service and the Department of Legal Affairs, the
657 Department of Financial Services, or the Department of
658 Agriculture and Consumer Services, and may contract with the
659 department to provide or perform any of the services and
660 functions described in s. 282.0051 for the Department of Legal
661 Affairs, the Department of Financial Services, or the Department
662 of Agriculture and Consumer Services.
663 Section 5. Paragraph (a) of subsection (3) of section
664 282.318, Florida Statutes, is amended to read:
665 282.318 Security of data and information technology.—
666 (3) The department is responsible for establishing
667 standards and processes consistent with generally accepted best
668 practices for information technology security, to include
669 cybersecurity, and adopting rules that safeguard an agency’s
670 data, information, and information technology resources to
671 ensure availability, confidentiality, and integrity and to
672 mitigate risks. The department shall also:
673 (a) Designate a state chief information security officer
674 who shall report to the state chief information officer of the
675 Florida Digital Service and is in the Senior Management Service.
676 The state chief information security officer must have
677 experience and expertise in security and risk management for
678 communications and information technology resources.
679 Section 6. Subsection (4) of section 287.0591, Florida
680 Statutes, is amended to read:
681 287.0591 Information technology.—
682 (4) If the department issues a competitive solicitation for
683 information technology commodities, consultant services, or
684 staff augmentation contractual services, the Florida Digital
685 Service Division of State Technology within the department shall
686 participate in such solicitations.
687 Section 7. Paragraph (a) of subsection (3) of section
688 365.171, Florida Statutes, is amended to read:
689 365.171 Emergency communications number E911 state plan.—
690 (3) DEFINITIONS.—As used in this section, the term:
691 (a) “Office” means the Division of Telecommunications State
692 Technology within the Department of Management Services, as
693 designated by the secretary of the department.
694 Section 8. Paragraph (s) of subsection (3) of section
695 365.172, Florida Statutes, is amended to read:
696 365.172 Emergency communications number “E911.”—
697 (3) DEFINITIONS.—Only as used in this section and ss.
698 365.171, 365.173, 365.174, and 365.177, the term:
699 (s) “Office” means the Division of Telecommunications State
700 Technology within the Department of Management Services, as
701 designated by the secretary of the department.
702 Section 9. Paragraph (a) of subsection (1) of section
703 365.173, Florida Statutes, is amended to read:
704 365.173 Communications Number E911 System Fund.—
705 (1) REVENUES.—
706 (a) Revenues derived from the fee levied on subscribers
707 under s. 365.172(8) must be paid by the board into the State
708 Treasury on or before the 15th day of each month. Such moneys
709 must be accounted for in a special fund to be designated as the
710 Emergency Communications Number E911 System Fund, a fund created
711 in the Division of Telecommunications State Technology, or other
712 office as designated by the Secretary of Management Services.
713 Section 10. Subsection (5) of section 943.0415, Florida
714 Statutes, is amended to read:
715 943.0415 Cybercrime Office.—There is created within the
716 Department of Law Enforcement the Cybercrime Office. The office
717 may:
718 (5) Consult with the Florida Digital Service Division of
719 State Technology within the Department of Management Services in
720 the adoption of rules relating to the information technology
721 security provisions in s. 282.318.
722 Section 11. Effective January 1, 2021, section 559.952,
723 Florida Statutes, is created to read:
724 559.952 Financial Technology Sandbox.—
725 (1) SHORT TITLE.—This section may be cited as the
726 “Financial Technology Sandbox.”
727 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
728 created the Financial Technology Sandbox within the Office of
729 Financial Regulation to allow financial technology innovators to
730 test new products and services in a supervised, flexible
731 regulatory sandbox using exceptions to specified general law and
732 waivers of the corresponding rule requirements under defined
733 conditions. The creation of a supervised, flexible regulatory
734 sandbox provides a welcoming business environment for technology
735 innovators and may lead to significant business growth.
736 (3) DEFINITIONS.—As used in this section, the term:
737 (a) “Business entity” means a domestic corporation or other
738 organized domestic entity with a physical presence, other than
739 that of a registered office or agent or virtual mailbox, in this
740 state.
741 (b) “Commission” means the Financial Services Commission.
742 (c) “Consumer” means a person in this state, whether a
743 natural person or a business entity, who purchases, uses,
744 receives, or enters into an agreement to purchase, use, or
745 receive an innovative financial product or service made
746 available through the Financial Technology Sandbox.
747 (d) “Control person” means an individual, a partnership, a
748 corporation, a trust, or other organization that possesses the
749 power, directly or indirectly, to direct the management or
750 policies of a company, whether through ownership of securities,
751 by contract, or through other means. A person is presumed to
752 control a company if, with respect to a particular company, that
753 person:
754 1. Is a director, a general partner, or an officer
755 exercising executive responsibility or having similar status or
756 functions;
757 2. Directly or indirectly may vote 10 percent or more of a
758 class of a voting security or sell or direct the sale of 10
759 percent or more of a class of voting securities; or
760 3. In the case of a partnership, may receive upon
761 dissolution or has contributed 10 percent or more of the
762 capital.
763 (e) “Financial product or service” means a product or
764 service related to a consumer finance loan, as defined in s.
765 516.01, or a money transmitter and payment instrument seller, as
766 defined in s. 560.103, including mediums of exchange that are in
767 electronic or digital form, which is subject to general law or
768 corresponding rule requirements in the sections enumerated in
769 paragraph (4)(a) and which is under the jurisdiction of the
770 office.
771 (f) “Financial Technology Sandbox” means the program
772 created in this section which allows a licensee to make an
773 innovative financial product or service available to consumers
774 as a person who makes and collects consumer finance loans, as
775 defined in s. 516.01, or as a money transmitter or payment
776 instrument seller, as defined in s. 560.103, during a sandbox
777 period through an exception to general laws or a waiver of rule
778 requirements, or portions thereof, as specified in this section.
779 (g) “Innovative” means new or emerging technology, or new
780 uses of existing technology, which provides a product, service,
781 business model, or delivery mechanism to the public and which is
782 not known to have a comparable offering in this state outside
783 the Financial Technology Sandbox.
784 (h) “Licensee” means a person who has been approved by the
785 office to participate in the Financial Technology Sandbox.
786 (i) “Office” means, unless the context clearly indicates
787 otherwise, the Office of Financial Regulation.
788 (j) “Sandbox period” means the period, initially not longer
789 than 24 months, in which the office has:
790 1. Authorized an innovative financial product or service to
791 be made available to consumers.
792 2. Granted the licensee who makes the innovative financial
793 product or service available an exception to general law or a
794 waiver of the corresponding rule requirements, as determined by
795 the office, so that the authorization under subparagraph 1. is
796 possible.
797 (4) EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
798 REQUIREMENTS.—
799 (a) Notwithstanding any other law, upon approval of a
800 Financial Technology Sandbox application, the office shall grant
801 an applicant a license and a waiver of a requirement, or a
802 portion thereof, which is imposed by rule as authorized by any
803 of the following provisions of general law, if all of the
804 conditions in paragraph (b) are met. If the application is
805 approved for a person who otherwise would be subject to chapter
806 516 or chapter 560, the following provisions are not applicable
807 to the licensee:
808 1. Section 516.03, except for the application fee for a
809 license, the investigation fee, evidence of liquid assets of at
810 least $25,000, and the office’s authority to make an
811 investigation of the facts concerning the applicant’s background
812 as provided in s. 516.03(1). The office may prorate the license
813 renewal fees for an extension granted under subsection (7).
814 2. Section 516.05, except for s. 516.05(4), (5), and (7)-
815 (9).
816 3. Section 560.109, to the extent that it requires the
817 office to examine a licensee at least once every 5 years.
818 4. Section 560.118, except for s. 560.118(1).
819 5. Section 560.125(1), to the extent that subsection would
820 prohibit a licensee from engaging in the business of a money
821 services business during the sandbox period; and s. 560.125(2),
822 to the extent that subsection would prohibit a licensee from
823 appointing an authorized vendor during the sandbox period.
824 6. Section 560.128.
825 7. Section 560.141, except for s. 560.141(1)(a)3., 8., 9.,
826 and 10. and (1)(b), (c), and (d).
827 8. Section 560.142, except that the office may prorate, but
828 may not entirely waive, the license renewal fees provided in ss.
829 560.142 and 560.143 for an extension granted under subsection
830 (7).
831 9. Section 560.143(2), to the extent necessary for
832 proration of the renewal fee under subparagraph 8.
833 10. Section 560.204(1), to the extent that subsection would
834 prohibit a licensee from engaging in, or advertising it engages
835 in, the selling or issuing of payment instruments or in the
836 activity of a money transmitter during the sandbox period.
837 11. Section 560.205, except for s. 560.205(1), (3), and
838 (4).
839 12. Section 560.208, except for s. 560.208(3)-(6).
840 13. Section 560.209, except that the office may modify, but
841 may not entirely waive, the net worth, corporate surety bond,
842 and collateral deposit amounts required under that section. The
843 modified amounts must be in such lower amounts that the office
844 determines to be commensurate with the considerations under
845 paragraph (5)(d) and the maximum number of consumers authorized
846 to receive the financial product or service under this section.
847 (b) The office may grant, during a sandbox period, an
848 exception of a requirement, or a portion thereof, imposed by a
849 general law or waiver of a corresponding rule in any section
850 enumerated in paragraph (a) to a licensee, if all of the
851 following conditions are met:
852 1. The general law or corresponding rule currently prevents
853 the innovative financial product or service from being made
854 available to consumers.
855 2. The exceptions or rule waivers are not broader than
856 necessary to accomplish the purposes and standards specified in
857 this section, as determined by the office.
858 3. No provision relating to the liability of an
859 incorporator, a director, or an officer of the applicant is
860 eligible for a waiver.
861 4. The other requirements of this section are met.
862 (5) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
863 APPROVAL.—
864 (a) Before filing an application for licensure under this
865 section, a substantially affected person may seek a declaratory
866 statement pursuant to s. 120.565 regarding the applicability of
867 a statute, a rule, or an agency order to the petitioner’s
868 particular set of circumstances.
869 (b) Before making an innovative financial product or
870 service available to consumers in the Financial Technology
871 Sandbox, a person must file an application for licensure with
872 the office. The commission shall, by rule, prescribe the form
873 and manner of the application.
874 1. In the application, the person must specify the general
875 law or rule requirements for which an exception or waiver is
876 sought and the reasons why these requirements prevent the
877 innovative financial product or service from being made
878 available to consumers.
879 2. The application also must contain the information
880 specified in paragraph (d).
881 (c)1. A business entity may file an application for
882 licensure.
883 2. Before a person applies on behalf of a business entity
884 intending to make an innovative financial product or service
885 available to consumers, the person must obtain the consent of
886 the business entity.
887 (d) The office shall approve or deny in writing a Financial
888 Technology Sandbox application within 60 days after receiving
889 the completed application. The office and the applicant may
890 jointly agree to extend the time beyond 60 days. Consistent with
891 this section, the office may impose conditions on any approval.
892 In deciding whether to approve or deny an application for
893 licensure, the office must consider each of the following:
894 1. The nature of the innovative financial product or
895 service proposed to be made available to consumers in the
896 Financial Technology Sandbox, including all relevant technical
897 details.
898 2. The potential risk to consumers and the methods that
899 will be used to protect consumers and resolve complaints during
900 the sandbox period.
901 3. The business plan proposed by the applicant, including
902 company information, market analysis, and financial projections
903 or pro forma financial statements.
904 4. Whether the applicant has the necessary personnel,
905 adequate financial and technical expertise, and a sufficient
906 plan to test, monitor, and assess the innovative financial
907 product or service.
908 5. If any control person of the applicant’s innovative
909 financial product or service has pled no contest to, has been
910 convicted or found guilty of, or is currently under
911 investigation for, fraud, a state or federal securities
912 violation, a property-based offense, or a crime involving moral
913 turpitude or dishonest dealing, the application to the Financial
914 Technology Sandbox must be denied. A plea of no contest, a
915 conviction, or a finding of guilt must be reported under this
916 subparagraph regardless of adjudication.
917 6. A copy of the disclosures that will be provided to
918 consumers under paragraph (6)(c).
919 7. The financial responsibility of any control person.
920 8. Any other factor that the office determines to be
921 relevant.
922 (e) The office may not approve an application if:
923 1. The applicant had a prior Financial Technology Sandbox
924 application that was approved and that related to a
925 substantially similar financial product or service; or
926 2. Any control person substantially involved in the
927 development, operation, or management of the applicant’s
928 innovative financial product or service was substantially
929 involved in such with another Financial Technology Sandbox
930 applicant whose application was approved and whose application
931 related to a substantially similar financial product or service.
932 (f) Upon approval of an application, the office shall
933 specify the general law or rule requirements, or portions
934 thereof, for which an exception or a waiver is granted during
935 the sandbox period and the length of the initial sandbox period,
936 not to exceed 24 months. The office shall post on its website
937 notice of the approval of the application, a summary of the
938 innovative financial product or service, and the contact
939 information of the person making the financial product or
940 service available.
941 (6) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
942 (a) A licensee under this section may make an innovative
943 financial product or service available to consumers during the
944 sandbox period.
945 (b) The office, on a case-by-case basis, may specify the
946 maximum number of consumers authorized to receive an innovative
947 financial product or service, after consultation with the person
948 who makes the financial product or service available to
949 consumers. The office may not authorize more than 15,000
950 consumers to receive the financial product or service until the
951 licensee who makes the financial product or service available to
952 consumers has filed the first report required under subsection
953 (8). After the filing of that report, if the licensee
954 demonstrates adequate financial capitalization, risk management
955 processes, and management oversight, the office may authorize up
956 to 25,000 consumers to receive the financial product or service.
957 (c)1. Before a consumer purchases, uses, receives, or
958 enters into an agreement to purchase, use, or receive an
959 innovative financial product or service through the Financial
960 Technology Sandbox, the licensee making the financial product or
961 service available must provide a written statement of all of the
962 following to the consumer:
963 a. The name and contact information of the person making
964 the financial product or service available to consumers.
965 b. That the financial product or service has been
966 authorized to be made available to consumers for a temporary
967 period by the office, under the laws of this state.
968 c. That the state does not endorse the financial product or
969 service.
970 d. That the financial product or service is undergoing
971 testing, may not function as intended, and may entail financial
972 risk.
973 e. That the licensee making the financial product or
974 service available to consumers is not immune from civil
975 liability for any losses or damages caused by the financial
976 product or service.
977 f. The expected end date of the sandbox period.
978 g. The contact information for the office and notification
979 that suspected legal violations, complaints, or other comments
980 related to the financial product or service may be submitted to
981 the office.
982 h. Any other statements or disclosures required by rule of
983 the commission which are necessary to further the purposes of
984 this section.
985 2. The written statement must contain an acknowledgement
986 from the consumer, which must be retained for the duration of
987 the sandbox period by the licensee making the financial product
988 or service available.
989 (d) The office may enter into an agreement with a state,
990 federal, or foreign regulatory agency to allow persons who make
991 an innovative financial product or service available in this
992 state through the Financial Technology Sandbox to make their
993 products or services available in other jurisdictions. The
994 commission shall adopt rules to implement this paragraph.
995 (e) The office may examine the records of a licensee at any
996 time, with or without prior notice.
997 (7) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
998 (a) A licensee may apply for an extension of the initial
999 sandbox period for up to 12 additional months for a purpose
1000 specified in subparagraph (b)1. or subparagraph (b)2. A complete
1001 application for an extension must be filed with the office at
1002 least 90 days before the conclusion of the initial sandbox
1003 period. The office shall approve or deny the application for
1004 extension in writing at least 35 days before the conclusion of
1005 the initial sandbox period. In deciding to approve or deny an
1006 application for extension of the sandbox period, the office
1007 must, at a minimum, consider the current status of the factors
1008 previously considered under paragraph (5)(d).
1009 (b) An application for an extension under paragraph (a)
1010 must cite one of the following reasons as the basis for the
1011 application and must provide all relevant supporting information
1012 that:
1013 1. Amendments to general law or rules are necessary to
1014 offer the innovative financial product or service in this state
1015 permanently.
1016 2. An application for a license that is required in order
1017 to offer the innovative financial product or service in this
1018 state permanently has been filed with the office, and approval
1019 is pending.
1020 (c) At least 30 days before the conclusion of the initial
1021 sandbox period or the extension, whichever is later, a licensee
1022 shall provide written notification to consumers regarding the
1023 conclusion of the initial sandbox period or the extension and
1024 may not make the financial product or service available to any
1025 new consumers after the conclusion of the initial sandbox period
1026 or the extension, whichever is later, until legal authority
1027 outside of the Financial Technology Sandbox exists for the
1028 licensee to make the financial product or service available to
1029 consumers. After the conclusion of the sandbox period or the
1030 extension, whichever is later, the licensee may:
1031 1. Collect and receive money owed to the person or pay
1032 money owed by the person, based on agreements with consumers
1033 made before the conclusion of the sandbox period or the
1034 extension.
1035 2. Take necessary legal action.
1036 3. Take other actions authorized by commission rule which
1037 are not inconsistent with this subsection.
1038 (8) REPORT.—A licensee shall submit a report to the office
1039 twice a year as prescribed by commission rule. The report must,
1040 at a minimum, include financial reports and the number of
1041 consumers who have received the financial product or service.
1042 (9) CONSTRUCTION.—A person whose Financial Technology
1043 Sandbox application is approved is deemed licensed under this
1044 section and is subject to chapter 516 or chapter 560 with the
1045 applicable exceptions to general law or waiver of the rule
1046 requirements of chapter 516 or chapter 560 specified under
1047 paragraph (4)(a), unless the person’s license has been revoked
1048 or suspended. Notwithstanding s. 560.204(2), a licensee may not
1049 engage in activities authorized under part III of chapter 560.
1050 (10) VIOLATIONS AND PENALTIES.—
1051 (a) A licensee who makes an innovative financial product or
1052 service available to consumers in the Financial Technology
1053 Sandbox is:
1054 1. Not immune from civil damages for acts and omissions
1055 relating to this section.
1056 2. Subject to all criminal and any other statute not
1057 specifically excepted under paragraph (4)(a).
1058 (b)1. The office may, by order, revoke or suspend a license
1059 of a person to make an innovative financial product or service
1060 available to consumers if:
1061 a. The person has violated or refused to comply with this
1062 section, a rule of the commission, an order of the office, or a
1063 condition placed by the office on the approval of the person’s
1064 Financial Technology Sandbox application;
1065 b. A fact or condition exists that, if it had existed or
1066 become known at the time that the Financial Technology Sandbox
1067 application was pending, would have warranted denial of the
1068 application or the imposition of material conditions;
1069 c. A material error, false statement, misrepresentation, or
1070 material omission was made in the Financial Technology Sandbox
1071 application; or
1072 d. After consultation with the licensee, the office
1073 determines that continued testing of the innovative financial
1074 product or service would:
1075 (I) Be likely to harm consumers; or
1076 (II) No longer serve the purposes of this section because
1077 of the financial or operational failure of the financial product
1078 or service.
1079 2. Written notice of a revocation or suspension order made
1080 under subparagraph 1. must be served using any means authorized
1081 by law. If the notice relates to a suspension, the notice must
1082 include any condition or remedial action that the person must
1083 complete before the office lifts the suspension.
1084 (c) The office may refer any suspected violation of law to
1085 an appropriate state or federal agency for investigation,
1086 prosecution, civil penalties, and other appropriate enforcement
1087 action.
1088 (d) If service of process on a person making an innovative
1089 financial product or service available to consumers in the
1090 Financial Technology Sandbox is not feasible, service on the
1091 office is deemed service on such person.
1092 (11) RULES AND ORDERS.—
1093 (a) The commission shall adopt rules to administer this
1094 section.
1095 (b) The office may issue all necessary orders to enforce
1096 this section and may enforce these orders in accordance with
1097 chapter 120 or in any court of competent jurisdiction. These
1098 orders include, but are not limited to, orders for payment of
1099 restitution for harm suffered by consumers as a result of an
1100 innovative financial product or service.
1101 Section 12. For the 2020-2021 fiscal year, the sum of
1102 $50,000 in nonrecurring funds is appropriated from the
1103 Administrative Trust Fund to the Office of Financial Regulation
1104 to implement s. 559.952, Florida Statutes, as created by this
1105 act.
1106 Section 13. Except as otherwise expressly provided in this
1107 act, this act shall take effect July 1, 2020.