Florida Senate - 2023 COMMITTEE AMENDMENT
Bill No. SB 258
887954
LEGISLATIVE ACTION
Senate: Comm: RCS, 03/15/2023
House:
The Committee on Governmental Oversight and Accountability
(Burgess) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Section 112.22, Florida Statutes, is created to
6 read:
7 112.22 Use of applications from foreign countries of
8 concern prohibited.—
9 (1) As used in this section, the term:
10 (a) “Department” means the Department of Management
11 Services.
12 (b) “Employee or officer” means a person who performs labor
13 or services for a public employer in exchange for salary, wages,
14 or other remuneration.
15 (c) “Foreign country of concern” means the People’s
16 Republic of China, the Russian Federation, the Islamic Republic
17 of Iran, the Democratic People’s Republic of Korea, the Republic
18 of Cuba, the Venezuelan regime of Nicolás Maduro, or the Syrian
19 Arab Republic, including any agency of or any other entity under
20 significant control of such foreign country of concern.
21 (d) “Foreign principal” means:
22 1. The government or an official of the government of a
23 foreign country of concern;
24 2. A political party or a member of a political party or
25 any subdivision of a political party in a foreign country of
26 concern;
27 3. A partnership, an association, a corporation, an
28 organization, or another combination of persons organized under
29 the laws of or having its principal place of business in a
30 foreign country of concern, or an affiliate or a subsidiary
31 thereof; or
32 4. Any person who is domiciled in a foreign country of
33 concern and is not a citizen of the United States.
34 (e) “Government-issued device” means a cellular telephone,
35 desktop computer, laptop computer, computer tablet, or other
36 electronic device capable of connecting to the Internet which is
37 owned or leased by a public employer and issued to an employee
38 or officer for work-related purposes.
39 (f) “Prohibited application” means an application that
40 meets the following criteria:
41 1. Any Internet application that is created, maintained, or
42 owned by a foreign principal and that participates in activities
43 that include, but are not limited to:
44 a. Collecting keystrokes or sensitive personal, financial,
45 proprietary, or other business data;
46 b. Compromising e-mail and acting as a vector for
47 ransomware deployment;
48 c. Conducting cyber-espionage against a public employer;
49 d. Conducting surveillance and tracking of individual
50 users; or
51 e. Using algorithmic modifications to conduct
52 disinformation or misinformation campaigns; and
53 2. Any Internet application the department deems to present
54 a security risk in the form of unauthorized access to or
55 temporary unavailability of the public employer’s records,
56 digital assets, systems, networks, servers, or information.
57 (g) “Public employer” means the state or any agency,
58 authority, branch, bureau, commission, department, division,
59 special district, institution, university, institution of higher
60 education, or board thereof; or any county, district school
61 board, or municipality, or any agency, branch, department,
62 board, or metropolitan planning organization thereof.
63 (2)(a) A public employer shall do all of the following:
64 1. Block all prohibited applications from public access on
65 any network and virtual private network that it owns, operates,
66 or maintains.
67 2. Restrict access to any prohibited application on a
68 government-issued device.
69 3. Retain the ability to remotely wipe and uninstall any
70 prohibited application from a government-issued device that is
71 believed to have been adversely impacted, either intentionally
72 or unintentionally, by a prohibited application.
73 (b) A person, including an employee or officer of a public
74 employer, may not download or access any prohibited application
75 on any government-issued device.
76 1. This paragraph does not apply to a law enforcement
77 officer as defined in s. 943.10(1) if the use of the prohibited
78 application is necessary to protect the public safety or conduct
79 an investigation within the scope of his or her employment.
80 2. A public employer may request a waiver from the
81 department to allow designated employees or officers to download
82 or access a prohibited application on a government-issued
83 device.
84 (c) Within 15 calendar days after the department issues or
85 updates its list of prohibited applications pursuant to
86 paragraph (3)(a), an employee or officer of a public employer
87 who uses a government-issued device must remove, delete, or
88 uninstall any prohibited applications from his or her
89 government-issued device.
90 (3) The department shall do all of the following:
91 (a) Compile and maintain a list of prohibited applications
92 and publish the list on its website. The department shall update
93 this list quarterly and shall provide notice of any update to
94 public employers.
95 (b) Establish procedures for granting or denying requests
96 for waivers pursuant to subparagraph (2)(b)2. The request for a
97 waiver must include all of the following:
98 1. A description of the activity to be conducted and the
99 state interest furthered by the activity.
100 2. The maximum number of government-issued devices and
101 employees or officers to which the waiver will apply.
102 3. The length of time necessary for the waiver. Any
103 waiver granted pursuant to subparagraph (2)(b)2. must be limited
104 to a timeframe of no more than 1 year, but the department may
105 approve an extension.
106 4. Risk mitigation actions that will be taken to prevent
107 access to sensitive data, including methods to ensure that the
108 activity does not connect to a state system, network, or server.
109 5. A description of the circumstances under which the
110 waiver applies.
111 (4)(a) Notwithstanding s. 120.74(4) and (5), the department
112 is authorized, and all conditions are deemed met, to adopt
113 emergency rules pursuant to s. 120.54(4) and to implement
114 paragraph (3)(a). Such rulemaking must occur initially by filing
115 emergency rules within 30 days after July 1, 2023.
116 (b) The department shall adopt rules necessary to
117 administer this section.
118 Section 2. The Legislature finds that a proper and
119 legitimate state purpose is served when efforts are taken to
120 secure a public employer’s system, network, or server.
121 Therefore, the Legislature determines and declares that this act
122 fulfills an important state interest.
123 Section 3. This act shall take effect July 1, 2023.
124
125 ================= TITLE AMENDMENT ================
126 And the title is amended as follows:
127 Delete everything before the enacting clause
128 and insert:
129 A bill to be entitled
130 An act relating to prohibited applications on
131 government-issued devices; creating s. 112.22, F.S.;
132 defining terms; requiring public employers to take
133 certain actions relating to prohibited applications;
134 prohibiting employees and officers of public employers
135 from downloading or accessing prohibited applications
136 on government-issued devices; providing exceptions;
137 providing a deadline by which specified employees must
138 remove, delete, or uninstall a prohibited application;
139 requiring the Department of Management Services to
140 compile a specified list and establish procedures for
141 a specified waiver; authorizing the department to
142 adopt emergency rules; requiring that such rulemaking
143 occur within a specified timeframe; requiring the
144 department to adopt specified rules; providing a
145 declaration of important state interest; providing an
146 effective date.