Florida Senate - 2026 COMMITTEE AMENDMENT
Bill No. CS for SB 540
LEGISLATIVE ACTION
Senate: Comm: RCS, 02/12/2026
House: (no entry)
The Appropriations Committee on Agriculture, Environment, and
General Government (Martin) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete lines 96 - 971
4 and insert:
5 Section 1. Subsection (4) is added to section 415.106,
6 Florida Statutes, to read:
7 415.106 Cooperation by the department and criminal justice
8 and other agencies.—
9 (4) To the fullest extent possible, the department shall
10 cooperate with and seek cooperation from the Office of Financial
11 Regulation concerning protective investigations of suspected
12 financial exploitation of specified adults, as defined in s.
13 415.10341, which are reported to the central abuse hotline and
14 which the department is responsible for conducting pursuant to
15 s. 415.104.
16 (a) In accordance with s. 415.107, the department must
17 provide copies of all suspected financial exploitation reports
18 received by the central abuse hotline pursuant to s. 415.1034
19 from any financial institution as defined in s. 655.005(1),
20 securities dealer as defined in s. 517.021(12), or investment
21 adviser as defined in s. 517.021(20) to the Office of Financial
22 Regulation within 15 days after receiving the report. The
23 department may provide copies of any records generated as a
24 result of such reports at the request of the Office of Financial
25 Regulation within 15 days after such request.
26 1. The Office of Financial Regulation may use the reports
27 or records obtained as required or authorized in this subsection
28 during an investigation or examination conducted pursuant to
29 chapter 517 or chapter 655.
30 2. Except as provided in this chapter and chapters 517 and
31 655, all confidentiality provisions that apply to the department
32 continue to apply to the records made available to the Office of
33 Financial Regulation and its officials, employees, and agents
34 under s. 415.107.
35 (b) The department and the Office of Financial Regulation
36 may enter into a memorandum of agreement that specifies how the
37 Office of Financial Regulation, in the agency’s role as the
38 regulator of financial institutions, may assist the department
39 with effectively and efficiently conducting a protective
40 investigation of any vulnerable adult abuse report received by
41 the central abuse hotline, and that specifies how such
42 assistance will be implemented.
43 Section 2. Paragraph (m) is added to subsection (3) of
44 section 415.107, Florida Statutes, to read:
45 415.107 Confidentiality of reports and records.—
46 (3) Access to all records, excluding the name of the
47 reporter which shall be released only as provided in subsection
48 (6), shall be granted only to the following persons, officials,
49 and agencies:
50 (m) Any appropriate officials, employees, or agents of the
51 Office of Financial Regulation who are responsible for
52 conducting investigations pursuant to chapters 517 and 655.
53 Section 3. Section 494.00123, Florida Statutes, is created
54 to read:
55 494.00123 Information security programs.—
56 (1) DEFINITIONS.—As used in this section, the term:
57 (a) “Customer” means a person who seeks to obtain or who
58 obtains or has obtained a financial product or service from a
59 licensee.
60 (b) “Customer information” means any record containing
61 nonpublic personal information about a customer of a financial
62 transaction, whether on paper, electronic, or in other forms,
63 which is handled or maintained by or on behalf of the licensee
64 or its affiliates.
65 (c) “Cybersecurity event” means an event resulting in
66 unauthorized access to, or disruption or misuse of, an
67 information system or customer information stored on such
68 information system. The term does not include the unauthorized
69 acquisition of encrypted customer information if the encryption
70 process or key is not also acquired, released, or used without
71 authorization. The term does not include an event with regard to
72 which the licensee has determined that the customer information
73 accessed by an unauthorized person has not been used or released
74 and has been returned or destroyed.
75 (d) “Encrypted” means the transformation of data into a
76 form that results in a low probability of assigning meaning
77 without the use of a protective process or key.
78 (e) “Financial product or service” means any product or
79 service offered by a licensee under this chapter.
80 (f) “Information security program” means the
81 administrative, technical, or physical safeguards used to
82 access, collect, distribute, process, protect, store, use,
83 transmit, dispose of, or otherwise handle customer information.
84 (g) “Information system” means a discrete set of electronic
85 information resources organized for the collection, processing,
86 maintenance, use, sharing, dissemination, or disposition of
87 electronic information, as well as any specialized system such
88 as an industrial process control system, telephone switching and
89 private branch exchange system, or environmental control system,
90 which contain customer information or which are connected to a
91 system that contains customer information.
92 (h)1. “Nonpublic personal information” means:
93 a. Personally identifiable financial information; and
94 b. Any list, description, or other grouping of customers
95 which is derived using any personally identifiable financial
96 information that is not publicly available, such as account
97 numbers, including any list of individuals’ names and street
98 addresses which is derived, in whole or in part, using
99 personally identifiable financial information that is not
100 publicly available.
101 2. The term does not include:
102 a. Publicly available information, except as included on a
103 list, description, or other grouping of customers described in
104 sub-subparagraph 1.b.;
105 b. Any list, description, or other grouping of consumers,
106 or any publicly available information pertaining to such list,
107 description, or other grouping of consumers, which is derived
108 without using any personally identifiable financial information
109 that is not publicly available; or
110 c. Any list of individuals’ names and addresses which
111 contains only publicly available information, is not derived, in
112 whole or in part, using personally identifiable financial
113 information that is not publicly available, and is not disclosed
114 in a manner that indicates that any of the individuals on the
115 list is a customer of a licensee.
116 3. As used in this paragraph, the term:
117 a.(I) “Personally identifiable financial information” means
118 any information that:
119 (A) A customer provides to a licensee to obtain a financial
120 product or service, such as information that a customer provides
121 to a licensee on an application to obtain a loan or other
122 financial product or service;
123 (B) A licensee receives about a consumer which is obtained
124 during or as a result of any transaction involving a financial
125 product or service between the licensee and the customer, such
126 as information collected through an information-collecting
127 device from a web server; or
128 (C) A licensee otherwise obtains about a customer in
129 connection with providing a financial product or service to the
130 customer, such as the fact that an individual is or has been one
131 of the licensee’s customers or has obtained a financial product
132 or service from the licensee.
133 (II) The term “personally identifiable financial
134 information” does not include:
135 (A) A list of names and addresses of customers of an entity
136 that is not a financial institution; or
137 (B) Information that does not identify a customer, such as
138 blind data or aggregate information that does not contain
139 personal identifiers such as account numbers, names, or
140 addresses.
141 b.(I) “Publicly available information” means any
142 information that a licensee has a reasonable basis to believe is
143 lawfully made available to the general public from:
144 (A) Federal, state, or local government records, such as
145 government real estate records or security interest filings;
146 (B) Widely distributed media, such as information from a
147 telephone records repository or directory, a television or radio
148 program, a newspaper, a social media platform, or a website that
149 is available to the general public on an unrestricted basis. A
150 website is not restricted merely because an Internet service
151 provider or a site operator requires a fee or a password, so
152 long as access is available to the general public; or
153 (C) Disclosures to the general public which are required to
154 be made by federal, state, or local law.
155 (II) As used in this sub-subparagraph, the term “reasonable
156 basis to believe is lawfully made available to the general
157 public” relating to any information means that the person has
158 taken steps to determine:
159 (A) That the information is of the type that is available
160 to the general public, such as information included on the
161 public record in the jurisdiction where the mortgage would be
162 recorded; and
163 (B) Whether an individual can direct that the information
164 not be made available to the general public and, if so, the
165 customer to whom the information relates has not done so, such
166 as when a telephone number is listed in a telephone directory
167 and the customer has informed the licensee that the telephone
168 number is not unlisted.
169 (i) “Third-party service provider” means a person, other
170 than a licensee, which contracts with a licensee to maintain,
171 process, or store nonpublic personal information, or is
172 otherwise permitted access to nonpublic personal information
173 through its provision of services to a licensee.
174 (2) INFORMATION SECURITY PROGRAM.—
175 (a) Each licensee shall develop, implement, and maintain a
176 comprehensive written information security program that contains
177 administrative, technical, and physical safeguards for the
178 protection of the licensee’s information system and nonpublic
179 personal information.
180 (b) Each licensee shall ensure that the information
181 security program meets all of the following criteria:
182 1. Be commensurate with the following measures:
183 a. Size and complexity of the licensee.
184 b. Nature and scope of the licensee’s activities, including
185 the licensee’s use of third-party service providers.
186 c. Sensitivity of nonpublic personal information that is
187 used by the licensee or that is in the licensee’s possession,
188 custody, or control.
189 2. Be designed to do all of the following:
190 a. Protect the security and confidentiality of nonpublic
191 personal information and the security of the licensee’s
192 information system.
193 b. Protect against threats or hazards to the security or
194 integrity of nonpublic personal information and the licensee’s
195 information system.
196 c. Protect against unauthorized access to or the use of
197 nonpublic personal information and minimize the likelihood of
198 harm to any customer.
199 3. Define and periodically reevaluate the retention
200 schedule and the mechanism for the destruction of nonpublic
201 personal information if retention is no longer necessary for the
202 licensee’s business operations or is no longer required by
203 applicable law.
204 4. Regularly test and monitor systems and procedures for
205 the detection of actual and attempted attacks on, or intrusions
206 into, the licensee’s information system.
207 5. Be monitored, evaluated, and adjusted, as necessary, to
208 meet all of the following requirements:
209 a. Determine whether the licensee’s information security
210 program is consistent with relevant changes in technology.
211 b. Confirm the licensee’s information security program
212 accounts for the sensitivity of nonpublic personal information.
213 c. Identify changes that may be necessary to the licensee’s
214 information system.
215 d. Mitigate any internal or external threats to nonpublic
216 personal information.
217 e. Amend the licensee’s information security program for
218 any material changes to the licensee’s business arrangements,
219 including, but not limited to, mergers and acquisitions,
220 alliances and joint ventures, and outsourcing arrangements.
221 (c)1. As part of a licensee’s information security program,
222 the licensee shall establish a written incident response plan
223 designed to promptly respond to, and recover from, a
224 cybersecurity event that compromises:
225 a. The confidentiality, integrity, or availability of
226 nonpublic personal information in the licensee’s possession;
227 b. The licensee’s information system; or
228 c. The continuing functionality of any aspect of the
229 licensee’s operations.
230 2. The written incident response plan must address all of
231 the following:
232 a. The licensee’s internal process for responding to a
233 cybersecurity event.
234 b. The goals of the licensee’s incident response plan.
235 c. The assignment of clear roles, responsibilities, and
236 levels of decisionmaking authority for the licensee’s personnel
237 that participate in the incident response plan.
238 d. External communications, internal communications, and
239 information sharing related to a cybersecurity event.
240 e. The identification of remediation requirements for
241 weaknesses identified in information systems and associated
242 controls.
243 f. The documentation and reporting regarding cybersecurity
244 events and related incident response activities.
245 g. The evaluation and revision of the incident response
246 plan, as appropriate, following a cybersecurity event.
247 h. The process by which notice must be given as required
248 under subsection (3) and s. 501.171(3) and (4).
249 (d)1. This section does not apply to a licensee that has
250 fewer than:
251 a. Twenty individuals on its workforce, including employees
252 and independent contractors; or
253 b. Five hundred customers during a calendar year.
254 2. A licensee that no longer qualifies for exemption under
255 subparagraph 1. has 180 calendar days to comply with this
256 section after the date of the disqualification.
257 (e) Each licensee shall maintain a copy of the information
258 security program for a minimum of 5 years and shall make it
259 available to the office upon request or as part of an
260 examination.
261 (3) NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee
262 shall provide notice to the office of any breach of security, as
263 defined in s. 501.171, affecting 500 or more individuals in this
264 state at a time and in the manner prescribed by commission rule.
265 (4) CONSTRUCTION.—This section may not be construed to
266 relieve a covered entity from complying with s. 501.171. To the
267 extent a licensee is a covered entity, as defined in s.
268 501.171(1), the licensee remains subject to s. 501.171.
269 (5) RULES.—The commission shall adopt rules to administer
270 this section, including rules that allow a licensee that is in
271 compliance with the Federal Trade Commission’s Standards for
272 Safeguarding Customer Information, 16 C.F.R. part 314, to be
273 deemed in substantial compliance with subsection (2).
274 Section 4. Paragraph (z) is added to subsection (1) of
275 section 494.00255, Florida Statutes, to read:
276 494.00255 Administrative penalties and fines; license
277 violations.—
278 (1) Each of the following acts constitutes a ground for
279 which the disciplinary actions specified in subsection (2) may
280 be taken against a person licensed or required to be licensed
281 under part II or part III of this chapter:
282 (z) Failure to comply with the notification requirements in
283 s. 501.171(3) and (4).
284 Section 5. Present subsections (28) through (36) of section
285 517.021, Florida Statutes, are redesignated as subsections (29)
286 through (37), respectively, a new subsection (28) is added to
287 that section, and subsection (20) of that section is amended, to
288 read:
289 517.021 Definitions.—When used in this chapter, unless the
290 context otherwise indicates, the following terms have the
291 following respective meanings:
292 (20)(a) “Investment adviser” means a person, other than an
293 associated person of an investment adviser or a federal covered
294 adviser, that receives compensation, directly or indirectly, and
295 engages for all or part of the person’s time, directly or
296 indirectly, or through publications or writings, in the business
297 of advising others as to the value of securities or as to the
298 advisability of investments in, purchasing of, or selling of
299 securities.
300 (b) The term does not include any of the following:
301 1. A dealer or an associated person of a dealer whose
302 performance of services in paragraph (a) is solely incidental to
303 the conduct of the dealer’s or associated person’s business as a
304 dealer and who does not receive special compensation for those
305 services.
306 2. A licensed practicing attorney or certified public
307 accountant whose performance of such services is solely
308 incidental to the practice of the attorney’s or accountant’s
309 profession.
310 3. A bank authorized to do business in this state.
311 4. A bank holding company as defined in the Bank Holding
312 Company Act of 1956, as amended, authorized to do business in
313 this state.
314 5. A trust company having trust powers, as defined in s.
315 658.12, which it is authorized to exercise in this state, which
316 trust company renders or performs investment advisory services
317 in a fiduciary capacity incidental to the exercise of its trust
318 powers.
319 6. A person that renders investment advice exclusively to
320 insurance or investment companies.
321 7. A person:
322 a. Without a place of business in this state if the person
323 has had that, during the preceding 12 months, has fewer than six
324 clients who are residents of this state.
325 b. With a place of business in this state if the person has
326 had, during the preceding 12 months, fewer than six clients who
327 are residents of this state and no clients who are not residents
328 of this state.
329
330 As used in this subparagraph, the term “client” has the same
331 meaning as provided in Securities and Exchange Commission Rule
332 222-2 275.222-2, 17 C.F.R. s. 275.222-2, as amended.
333 8. A federal covered adviser.
334 9. The United States, a state, or any political subdivision
335 of a state, or any agency, authority, or instrumentality of any
336 such entity; a business entity that is wholly owned directly or
337 indirectly by such a governmental entity; or any officer, agent,
338 or employee of any such governmental or business entity who is
339 acting within the scope of his or her official duties.
340 10. A family office as defined in Securities and Exchange
341 Commission Rule 202(a)(11)(G)-1(b) under the Investment Advisers
342 Act of 1940, 17 C.F.R. s. 275.202(a)(11)(G)-1(b), as amended. In
343 determining whether a person meets the definition of a family
344 office under this subparagraph, the terms “affiliated family
345 office,” “control,” “executive officer,” “family client,”
346 “family entity,” “family member,” “former family member,” “key
347 employee,” and “spousal equivalent” have the same meaning as in
348 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d) under
349 the Investment Advisers Act of 1940, 17 C.F.R. s.
350 275.202(a)(11)(G)-1(d), as amended.
351 (28) “Place of business” of an investment adviser means an
352 office at which the investment adviser regularly provides
353 investment advisory services to, solicits, meets with, or
354 otherwise communicates with clients; and any other location that
355 is held out to the general public as a location at which the
356 investment adviser provides investment advisory services to,
357 solicits, meets with, or otherwise communicates with clients.
358 Section 6. Paragraph (i) of subsection (9) of section
359 517.061, Florida Statutes, is amended to read:
360 517.061 Exempt transactions.—Except as otherwise provided
361 in subsection (11), the exemptions provided herein from the
362 registration requirements of s. 517.07 are self-executing and do
363 not require any filing with the office before being claimed. Any
364 person who claims entitlement to an exemption under this section
365 bears the burden of proving such entitlement in any proceeding
366 brought under this chapter. The registration provisions of s.
367 517.07 do not apply to any of the following transactions;
368 however, such transactions are subject to s. 517.301:
369 (9) The offer or sale of securities to:
370 (i) A family office as defined in Securities and Exchange
371 Commission Rule 202(a)(11)(G)-1(b) 202(a)(11)(G)-1 under the
372 Investment Advisers Act of 1940, 17 C.F.R. s. 275.202(a)(11)(G)
373 1(b) s. 275.202(a)(11)(G)-1, as amended, provided that:
374 1. The family office has assets under management in excess
375 of $5 million;
376 2. The family office is not formed for the specific purpose
377 of acquiring the securities offered; and
378 3. The prospective investment of the family office is
379 directed by a person who has knowledge and experience in
380 financial and business matters that the family office is capable
381 of evaluating the merits and risks of the prospective
382 investment.
383
384 In determining whether a person meets the definition of a family
385 office under this paragraph, the terms “affiliated family
386 office,” “control,” “executive officer,” “family client,”
387 “family entity,” “family member,” “former family member,” “key
388 employee,” and “spousal equivalent” have the same meaning as in
389 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d) under
390 the Investment Advisers Act of 1940, 17 C.F.R. s.
391 275.202(a)(11)(G)-1(d), as amended.
392 Section 7. Paragraph (a) of subsection (1) of section
393 517.201, Florida Statutes, is amended, and paragraph (c) is
394 added to that subsection, to read:
395 517.201 Investigations; examinations; subpoenas; hearings;
396 witnesses.—
397 (1) The office:
398 (a) May make investigations and examinations within or
399 outside of this state as it deems necessary:
400 1. To determine whether a person has violated or is about
401 to violate any provision of this chapter or a rule or order
402 hereunder; or
403 2. To aid in the enforcement of this chapter; or
404 3. In accordance with a memorandum of understanding
405 pursuant to s. 415.106(4)(b), to aid the Department of Children
406 and Families with any protective investigations the Department
407 of Children and Families is required to conduct under s.
408 415.104.
409 (c) May consider or use as part of any investigation or
410 examination pursuant to this section the information contained
411 in any suspected financial exploitation report or any records
412 generated as a result of such report which is obtained pursuant
413 to s. 415.106(4).
414 Section 8. Paragraphs (b) and (c) of subsection (3) and
415 subsection (6) of section 517.34, Florida Statutes, are amended
416 to read:
417 517.34 Protection of specified adults.—
418 (3) A dealer or investment adviser may delay a disbursement
419 or transaction of funds or securities from an account of a
420 specified adult or an account for which a specified adult is a
421 beneficiary or beneficial owner if all of the following apply:
422 (b) Not later than 3 business days after the date on which
423 the delay was first placed, the dealer or investment adviser
424 complies with all of the following conditions:
425 1. Notifies in writing all parties authorized to transact
426 business on the account and any trusted contact on the account,
427 using the contact information provided for the account, with the
428 exception of any party the dealer or investment adviser
429 reasonably believes has engaged in, is engaging in, has
430 attempted to engage in, or will attempt to engage in the
431 suspected financial exploitation of the specified adult. The
432 notice, which may be provided electronically, must provide the
433 reason for the delay.
434 2. Notifies the office of the delay electronically on a
435 form prescribed by commission rule. The form must be consistent
436 with the purposes of this section and must contain, but need not
437 be limited to, the following information:
438 a. The date on which the delay was first placed.
439 b. The name, age, and address, or location, if different,
440 of the specified adult.
441 c. The business location of the dealer or investment
442 adviser.
443 d. The name, address, and telephone number and title of the
444 employee who reported suspected financial exploitation of the
445 specified adult.
446 e. The facts and circumstances that caused the employee to
447 report suspected financial exploitation.
448 f. The names, addresses, and telephone numbers of the
449 specified adult’s family members.
450 g. The name, address, and telephone number of each person
451 suspected of engaging in financial exploitation.
452 h. The name, address, and telephone number of the caregiver
453 of the specified adult, if different from the person or persons
454 suspected of engaging in financial exploitation.
455 i. A description of actions taken by the dealer or
456 investment adviser, if any, such as notification to a criminal
457 justice agency.
458 j. Any other information available to the reporting person
459 which may establish the cause of financial exploitation that
460 occurred or is occurring.
461 (c) Not later than 3 business days after the date on which
462 the delay was first placed, the dealer or investment adviser
463 Notifies the office of the delay electronically on a form
464 prescribed by commission rule. The form must be consistent with
465 the purposes of this section and may include only the following
466 information:
467 1. The date on which the notice is submitted to the office.
468 2. The date on which the delay was first placed.
469 3. The following information about the specified adult:
470 a. Gender.
471 b. Age.
472 c. Zip code of residence address.
473 4. The following information about the dealer or investment
474 adviser who placed the delay:
475 a. Name.
476 b. Title.
477 c. Firm name.
478 d. Business address.
479 5. A section with the following questions for which the
480 only allowable responses are “Yes” or “No”:
481 a. Is financial exploitation of a specified adult suspected
482 in connection with a disbursement or transaction?
483 b. Are funds currently at risk of being lost?
484
485 The form must contain substantially the following statement in
486 conspicuous type: “The office may take disciplinary action
487 against any person making a knowing and willful
488 misrepresentation on this form.”
489 (6) A dealer, an investment adviser, or an associated
490 person who in good faith and exercising reasonable care complies
491 with this section is immune from any administrative or civil
492 liability that might otherwise arise from such delay in a
493 disbursement or transaction in accordance with this section.
494 This subsection does not supersede or diminish any immunity
495 granted under chapter 415, nor does it substitute for the duty
496 to report to the central abuse hotline as required under s.
497 415.1034.
498 Section 9. Section 520.135, Florida Statutes, is created to
499 read:
500 520.135 Surrendered or repossessed vehicles.—The rights and
501 obligations of parties with respect to a surrendered or
502 repossessed motor vehicle are exclusively governed by part VI of
503 chapter 679.
504 Section 10. Subsections (1) and (2) of section 560.114,
505 Florida Statutes, are amended to read:
506 560.114 Disciplinary actions; penalties.—
507 (1) The following actions by a money services business, an
508 authorized vendor, or an affiliated party that was affiliated at
509 the time of commission of the actions constitute grounds for the
510 issuance of a cease and desist order; the issuance of a removal
511 order; the denial, suspension, or revocation of a license; or
512 taking any other action within the authority of the office
513 pursuant to this chapter:
514 (a) Failure to comply with any provision of this chapter or
515 related rule or order, or any written agreement entered into
516 with the office.
517 (b) Fraud, misrepresentation, deceit, or gross negligence
518 in any transaction by a money services business, regardless of
519 reliance thereon by, or damage to, a customer.
520 (c) Fraudulent misrepresentation, circumvention, or
521 concealment of any matter that must be stated or furnished to a
522 customer pursuant to this chapter, regardless of reliance
523 thereon by, or damage to, such customer.
524 (d) False, deceptive, or misleading advertising.
525 (e) Failure to maintain, preserve, keep available for
526 examination, and produce all books, accounts, files, or other
527 documents required by this chapter or related rules or orders,
528 by 31 C.F.R. ss. 1010.306, 1010.311, 1010.312, 1010.340,
529 1010.410, 1010.415, 1022.210, 1022.320, 1022.380, and 1022.410,
530 or by an agreement entered into with the office.
531 (f) Refusing to allow the examination or inspection of
532 books, accounts, files, or other documents by the office
533 pursuant to this chapter, or to comply with a subpoena issued by
534 the office.
535 (g) Failure to pay a judgment recovered in any court by a
536 claimant in an action arising out of a money transmission
537 transaction within 30 days after the judgment becomes final.
538 (h) Engaging in an act prohibited under s. 560.111 or s.
539 560.1115.
540 (i) Insolvency.
541 (j) Failure by a money services business to remove an
542 affiliated party after the office has issued and served upon the
543 money services business a final order setting forth a finding
544 that the affiliated party has violated a provision of this
545 chapter.
546 (k) Making a material misstatement, misrepresentation, or
547 omission in an application for licensure, any amendment to such
548 application, or application for the appointment of an authorized
549 vendor.
550 (l) Committing any act that results in a license or its
551 equivalent, to practice any profession or occupation being
552 denied, suspended, revoked, or otherwise acted against by a
553 licensing authority in any jurisdiction.
554 (m) Being the subject of final agency action or its
555 equivalent, issued by an appropriate regulator, for engaging in
556 unlicensed activity as a money services business or deferred
557 presentment provider in any jurisdiction.
558 (n) Committing any act resulting in a license or its
559 equivalent to practice any profession or occupation being
560 denied, suspended, revoked, or otherwise acted against by a
561 licensing authority in any jurisdiction for a violation of 18
562 U.S.C. s. 1956, 18 U.S.C. s. 1957, 18 U.S.C. s. 1960, 31 U.S.C.
563 s. 5324, or any other law or rule of another state or of the
564 United States relating to a money services business, deferred
565 presentment provider, or usury that may cause the denial,
566 suspension, or revocation of a money services business or
567 deferred presentment provider license or its equivalent in such
568 jurisdiction.
569 (o) Having been convicted of, or entered a plea of guilty
570 or nolo contendere to, any felony or crime punishable by
571 imprisonment of 1 year or more under the law of any state or the
572 United States which involves fraud, moral turpitude, or
573 dishonest dealing, regardless of adjudication.
574 (p) Having been convicted of, or entered a plea of guilty
575 or nolo contendere to, a crime under 18 U.S.C. s. 1956 or 31
576 U.S.C. s. 5318, s. 5322, or s. 5324, regardless of adjudication.
577 (q) Having been convicted of, or entered a plea of guilty
578 or nolo contendere to, misappropriation, conversion, or unlawful
579 withholding of moneys belonging to others, regardless of
580 adjudication.
581 (r) Having been convicted of, or entered a plea of guilty
582 or nolo contendere to, a violation of 31 C.F.R. chapter X, part
583 1022, regardless of adjudication.
584 (s)(r) Failure to inform the office in writing within 30
585 days after having pled guilty or nolo contendere to, or being
586 convicted of, any felony or crime punishable by imprisonment of
587 1 year or more under the law of any state or the United States,
588 or any crime involving fraud, moral turpitude, or dishonest
589 dealing.
590 (t)(s) Aiding, assisting, procuring, advising, or abetting
591 any person in violating a provision of this chapter or any order
592 or rule of the office or commission.
593 (u)(t) Failure to pay any fee, charge, or cost imposed or
594 assessed under this chapter.
595 (v)(u) Failing to pay a fine assessed by the office within
596 30 days after the due date as stated in a final order.
597 (w)(v) Failure to pay any judgment entered by any court
598 within 30 days after the judgment becomes final.
599 (x)(w) Engaging or advertising engagement in the business
600 of a money services business or deferred presentment provider
601 without a license, unless exempted from licensure.
602 (y)(x) Payment to the office for a license or other fee,
603 charge, cost, or fine with a check or electronic transmission of
604 funds that is dishonored by the applicant’s or licensee’s
605 financial institution.
606 (z)(y) Violations of 31 C.F.R. ss. 1010.306, 1010.311,
607 1010.312, 1010.340, 1010.410, 1010.415, 1022.210, 1022.320,
608 1022.380, and 1022.410, and United States Treasury Interpretive
609 Release 2004-1.
610 (aa)(z) Any practice or conduct that creates the likelihood
611 of a material loss, insolvency, or dissipation of assets of a
612 money services business or otherwise materially prejudices the
613 interests of its customers.
614 (bb)(aa) Failure of a check casher to maintain a federally
615 insured depository account as required by s. 560.309.
616 (cc)(bb) Failure of a check casher to deposit into its own
617 federally insured depository account any payment instrument
618 cashed as required by s. 560.309.
619 (dd)(cc) Violating any provision of the Military Lending
620 Act, 10 U.S.C. s. 987, or the regulations adopted under that act
621 in 32 C.F.R. part 232, in connection with a deferred presentment
622 transaction conducted under part IV of this chapter.
623 (ee) Failure to comply with the notification requirements
624 in s. 501.171(3) and (4).
625 (2) Pursuant to s. 120.60(6), The office shall issue an
626 emergency suspension order suspending may summarily suspend the
627 license of a money services business if the office finds that a
628 licensee poses a danger deemed by the Legislature to be an
629 immediate and, serious danger to the public health, safety, and
630 welfare. A proceeding in which the office seeks the issuance of
631 a final order for the summary suspension of a licensee shall be
632 conducted by the commissioner of the office, or his or her
633 designee, who shall issue such order.
634 (a) An emergency suspension order under this subsection may
635 be issued without prior notice and an opportunity to be heard.
636 An emergency suspension order must:
637 1. State the grounds on which the order is based;
638 2. Advise the licensee against whom the order is directed
639 that the order takes effect immediately and, to the extent
640 applicable, requires the licensee to immediately cease and
641 desist from the conduct or violation that is the subject of the
642 order or to take the affirmative action stated in the order as
643 necessary to correct a condition resulting from the conduct or
644 violation or as otherwise appropriate;
645 3. Be delivered by personal delivery or sent by certified
646 mail, return receipt requested, to the licensee against whom the
647 order is directed at the licensee’s last known address; and
648 4. Include a notice that the licensee subject to the
649 emergency suspension order may seek judicial review pursuant to
650 s. 120.68.
651 (b) An emergency suspension order is effective as soon as
652 the licensee against whom the order is directed has actual or
653 constructive knowledge of the issuance of the order.
654 (c) The office shall institute timely proceedings under ss.
655 120.569 and 120.57 after issuance of an emergency suspension
656 order.
657 (d) A licensee subject to an emergency suspension order may
658 seek judicial review pursuant to s. 120.68.
659 (e) The following acts are deemed by the Legislature to
660 constitute an immediate and serious danger to the public health,
661 safety, and welfare, and the office shall may immediately issue
662 an emergency suspension order to suspend the license of a money
663 services business if:
664 1.(a) The money services business fails to provide to the
665 office, upon written request, any of the records required by s.
666 560.123, s. 560.1235, s. 560.211, or s. 560.310 or any rule
667 adopted under those sections. The suspension may be rescinded if
668 the licensee submits the requested records to the office.
669 2.(b) The money services business fails to maintain a
670 federally insured depository account as required by s.
671 560.208(4) or s. 560.309.
672 3.(c) A natural person required to be listed on the license
673 application for a money services business pursuant to s.
674 560.141(1)(a)3. is criminally charged with, or arrested for, a
675 crime described in paragraph (1)(o), paragraph (1)(p), or
676 paragraph (1)(q).
677 Section 11. Section 560.1311, Florida Statutes, is created
678 to read:
679 560.1311 Information security programs.—
680 (1) DEFINITIONS.—As used in this section, the term:
681 (a) “Customer” means a person who seeks to obtain or who
682 obtains or has obtained a financial product or service from a
683 licensee.
684 (b) “Customer information” means any record containing
685 nonpublic personal information about a customer of a financial
686 transaction, whether on paper, electronic, or in other forms,
687 which is handled or maintained by or on behalf of the licensee
688 or its affiliates.
689 (c) “Cybersecurity event” means an event resulting in
690 unauthorized access to, or disruption or misuse of, an
691 information system or customer information stored on such
692 information system. The term does not include the unauthorized
693 acquisition of encrypted customer information if the encryption
694 process or key is not also acquired, released, or used without
695 authorization. The term does not include an event with regard to
696 which the licensee has determined that the customer information
697 accessed by an unauthorized person has not been used or released
698 and has been returned or destroyed.
699 (d) “Encrypted” means the transformation of data into a
700 form that results in a low probability of assigning meaning
701 without the use of a protective process or key.
702 (e) “Financial product or service” means any product or
703 service offered by a licensee under this chapter.
704 (f) “Information security program” means the
705 administrative, technical, or physical safeguards used to
706 access, collect, distribute, process, protect, store, use,
707 transmit, dispose of, or otherwise handle customer information.
708 (g) “Information system” means a discrete set of electronic
709 information resources organized for the collection, processing,
710 maintenance, use, sharing, dissemination, or disposition of
711 electronic information, as well as any specialized system such
712 as an industrial process control system, telephone switching and
713 private branch exchange system, or environmental control system,
714 which contain customer information or which are connected to a
715 system that contains customer information.
716 (h) “Licensee” means a person licensed under this chapter.
717 (i)1. “Nonpublic personal information” means:
718 a. Personally identifiable financial information; and
719 b. Any list, description, or other grouping of customers
720 which is derived using any personally identifiable financial
721 information that is not publicly available, such as account
722 numbers, including any list of individuals’ names and street
723 addresses which is derived, in whole or in part, using
724 personally identifiable financial information that is not
725 publicly available.
726 2. The term does not include:
727 a. Publicly available information, except as included on a
728 list, description, or other grouping of customers described in
729 sub-subparagraph 1.b.;
730 b. Any list, description, or other grouping of consumers,
731 or any publicly available information pertaining to such list,
732 description, or other grouping of consumers, which is derived
733 without using any personally identifiable financial information
734 that is not publicly available; or
735 c. Any list of individuals’ names and addresses which
736 contains only publicly available information, is not derived, in
737 whole or in part, using personally identifiable financial
738 information that is not publicly available, and is not disclosed
739 in a manner that indicates that any of the individuals on the
740 list is a customer of a licensee.
741 3. As used in this paragraph, the term:
742 a.(I) “Personally identifiable financial information” means
743 any information that:
744 (A) A customer provides to a licensee to obtain a financial
745 product or service, such as information that a customer provides
746 to a licensee on an application to obtain a loan or other
747 financial product or service;
748 (B) A licensee receives about a consumer which is obtained
749 during or as a result of any transaction involving a financial
750 product or service between the licensee and the customer, such
751 as information collected through an information-collecting
752 device from a web server; or
753 (C) A licensee otherwise obtains about a customer in
754 connection with providing a financial product or service to the
755 customer, such as the fact that an individual is or has been one
756 of the licensee’s customers or has obtained a financial product
757 or service from the licensee.
758 (II) The term “personally identifiable financial
759 information” does not include:
760 (A) A list of names and addresses of customers of an entity
761 that is not a financial institution; or
762 (B) Information that does not identify a customer, such as
763 blind data or aggregate information that does not contain
764 personal identifiers such as account numbers, names, or
765 addresses.
766 b.(I) “Publicly available information” means any
767 information that a licensee has a reasonable basis to believe is
768 lawfully made available to the general public from:
769 (A) Federal, state, or local government records, such as
770 government real estate records or security interest filings;
771 (B) Widely distributed media, such as information from a
772 telephone records repository or directory, a television or radio
773 program, a newspaper, a social media platform, or a website that
774 is available to the general public on an unrestricted basis. A
775 website is not restricted merely because an Internet service
776 provider or a site operator requires a fee or a password, so
777 long as access is available to the general public; or
778 (C) Disclosures to the general public which are required to
779 be made by federal, state, or local law.
780 (II) As used in this sub-subparagraph, the term “reasonable
781 basis to believe is lawfully made available to the general
782 public” relating to any information means that the person has
783 taken steps to determine:
784 (A) That the information is of the type that is available
785 to the general public, such as information included on the
786 public record in the jurisdiction where the mortgage would be
787 recorded; and
788 (B) Whether an individual can direct that the information
789 not be made available to the general public and, if so, the
790 customer to whom the information relates has not done so, such
791 as when a telephone number is listed in a telephone directory
792 and the customer has informed the licensee that the telephone
793 number is not unlisted.
794 (j) “Third-party service provider” means a person, other
795 than a licensee, which contracts with a licensee to maintain,
796 process, or store nonpublic personal information, or is
797 otherwise permitted access to nonpublic personal information
798 through its provision of services to a licensee.
799 (2) INFORMATION SECURITY PROGRAM.—
800 (a) Each licensee shall develop, implement, and maintain a
801 comprehensive written information security program that contains
802 administrative, technical, and physical safeguards for the
803 protection of the licensee’s information system and nonpublic
804 personal information.
805 (b) Each licensee shall ensure that the information
806 security program meets all of the following criteria:
807 1. Be commensurate with the following measures:
808 a. Size and complexity of the licensee.
809 b. Nature and scope of the licensee’s activities, including
810 the licensee’s use of third-party service providers.
811 c. Sensitivity of nonpublic personal information that is
812 used by the licensee or that is in the licensee’s possession,
813 custody, or control.
814 2. Be designed to do all of the following:
815 a. Protect the security and confidentiality of nonpublic
816 personal information and the security of the licensee’s
817 information system.
818 b. Protect against threats or hazards to the security or
819 integrity of nonpublic personal information and the licensee’s
820 information system.
821 c. Protect against unauthorized access to or the use of
822 nonpublic personal information and minimize the likelihood of
823 harm to any customer.
824 3. Define and periodically reevaluate the retention
825 schedule and the mechanism for the destruction of nonpublic
826 personal information if retention is no longer necessary for the
827 licensee’s business operations or is no longer required by
828 applicable law.
829 4. Regularly test and monitor systems and procedures for
830 the detection of actual and attempted attacks on, or intrusions
831 into, the licensee’s information system.
832 5. Be monitored, evaluated, and adjusted, as necessary, to
833 meet all of the following requirements:
834 a. Determine whether the licensee’s information security
835 program is consistent with relevant changes in technology.
836 b. Confirm the licensee’s information security program
837 accounts for the sensitivity of nonpublic personal information.
838 c. Identify changes that may be necessary to the licensee’s
839 information system.
840 d. Mitigate any internal or external threats to nonpublic
841 personal information.
842 e. Amend the licensee’s information security program for
843 any material changes to the licensee’s business arrangements,
844 including, but not limited to, mergers and acquisitions,
845 alliances and joint ventures, and outsourcing arrangements.
846 (c)1. As part of a licensee’s information security program,
847 the licensee shall establish a written incident response plan
848 designed to promptly respond to, and recover from, a
849 cybersecurity event that compromises:
850 a. The confidentiality, integrity, or availability of
851 nonpublic personal information in the licensee’s possession;
852 b. The licensee’s information system; or
853 c. The continuing functionality of any aspect of the
854 licensee’s operations.
855 2. The written incident response plan must address all of
856 the following:
857 a. The licensee’s internal process for responding to a
858 cybersecurity event.
859 b. The goals of the licensee’s incident response plan.
860 c. The assignment of clear roles, responsibilities, and
861 levels of decisionmaking authority for the licensee’s personnel
862 that participate in the incident response plan.
863 d. External communications, internal communications, and
864 information sharing related to a cybersecurity event.
865 e. The identification of remediation requirements for
866 weaknesses identified in information systems and associated
867 controls.
868 f. The documentation and reporting regarding cybersecurity
869 events and related incident response activities.
870 g. The evaluation and revision of the incident response
871 plan, as appropriate, following a cybersecurity event.
872 h. The process by which notice must be given as required
873 under subsection (3) and s. 501.171(3) and (4).
874 (d)1. This section does not apply to a licensee that has
875 fewer than:
876 a. Twenty individuals on its workforce, including employees
877 and independent contractors; or
878 b. Five hundred customers during a calendar year.
879 2. A licensee that no longer qualifies for exemption under
880 subparagraph 1. has 180 calendar days to comply with this
881 section after the date of the disqualification.
882 (e) Each licensee shall maintain a copy of the information
883 security program for a minimum of 5 years and shall make it
884 available to the office upon request or as part of an
885 examination.
886 (3) NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee
887 shall provide notice to the office of any breach of security, as
888 defined in s. 501.171(1), affecting 500 or more individuals in
889 this state at a time and in the manner prescribed by commission
890 rule.
891 (4) CONSTRUCTION.—This section may not be construed to
892 relieve a covered entity from complying with s. 501.171. To the
893 extent a licensee is a covered entity, as defined in s.
894 501.171(1), the licensee remains subject to s. 501.171.
895 (5) RULES.—The commission shall adopt rules to administer
896 this section, including rules that allow a licensee that is in
897 compliance with the Federal Trade Commission’s Standards for
898 Safeguarding Customer Information, 16 C.F.R. part 314, to be
899 deemed in compliance with subsection (2).
900 Section 12. Subsection (10) of section 560.309, Florida
901 Statutes, is amended to read:
902 560.309 Conduct of business.—
903 (10) If a check is returned to a licensee from a payor
904 financial institution due to lack of funds, a closed account, or
905 a stop-payment order, the licensee may seek collection pursuant
906 to s. 68.065. In seeking collection, the licensee must comply
907 with the prohibitions against harassment or abuse, false or
908 misleading representations, and unfair practices in the Florida
909 Consumer Collection Practices Act under part VI of chapter 559,
910 including s. 559.77. The licensee must also comply with the Fair
911 Debt Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and
912 1692f if the licensee uses a third-party debt collector or any
913 name other than its own to collect such debts. A violation of
914 this subsection is a deceptive and unfair trade practice and
915 constitutes a violation of the Deceptive and Unfair Trade
916 Practices Act under part II of chapter 501. In addition, a
917 licensee must comply with the applicable provisions of the
918 Consumer Collection Practices Act under part VI of chapter 559,
919 including s. 559.77.
920 Section 13. Subsection (3) of section 560.405, Florida
921 Statutes, is amended to read:
922 560.405 Deposit; redemption.—
923 (3) Notwithstanding subsection (1), in lieu of presentment,
924 a deferred presentment provider may allow the check to be
925 redeemed at any time upon payment of the outstanding transaction
926 balance and earned fees. Redemption in cash must be treated in
927 the same manner as redemption through a debit card transaction.
928 However, payment may not be made in the form of a personal check
929 or through a credit card transaction. Upon redemption, the
930 deferred presentment provider must return the drawer’s check and
931 provide a signed, dated receipt showing that the drawer’s check
932 has been redeemed.
933 Section 14. Subsection (2) of section 560.406, Florida
934 Statutes, is amended to read:
935 560.406 Worthless checks.—
936 (2) If a check is returned to a deferred presentment
937 provider from a payor financial institution due to insufficient
938 funds, a closed account, or a stop-payment order, the deferred
939 presentment provider may pursue all legally available civil
940 remedies to collect the check, including, but not limited to,
941 the imposition of all charges imposed on the deferred
942 presentment provider by the financial institution. In its
943 collection practices, a deferred presentment provider must
944 comply with the prohibitions against harassment or abuse, false
945 or misleading representations, and unfair practices that are
946 contained in the Florida Consumer Collection Practices Act under
947 part VI of chapter 559, including s. 559.77. A deferred
948 presentment provider must also comply with the Fair Debt
949 Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and 1692f
950 if the deferred presentment provider uses a third-party debt
951 collector or any name other than its own to collect such debts.
952 A violation of this act is a deceptive and unfair trade practice
953 and constitutes a violation of the Deceptive and Unfair Trade
954 Practices Act under part II of chapter 501. In addition, a
955 deferred presentment provider must comply with the applicable
956 provisions of the Consumer Collection Practices Act under part
957 VI of chapter 559, including s. 559.77.
958 Section 15. Section 655.0171, Florida Statutes, is created
959 to read:
960 655.0171 Requirements for customer data security and for
961 notices of security breaches.—
962 (1) DEFINITIONS.—As used in this section, the term:
963 (a) “Breach of security” or “breach” means unauthorized
964 access of data in electronic form containing personal
965 information. Good faith access of personal information by an
966 employee or agent of a financial institution does not constitute
967 a breach of security, provided that the information is not used
968 for a purpose unrelated to the business or subject to further
969 unauthorized use. As used in this paragraph, the term “data in
970 electronic form” means any data stored electronically or
971 digitally on any computer system or other database and includes
972 recordable tapes and other mass storage devices.
973 (b) “Department” means the Department of Legal Affairs.
974 (c)1. “Personal information” means:
975 a. An individual’s first name, or first initial, and last
976 name, in combination with any of the following data elements for
977 that individual:
978 (I) A social security number;
979 (II) A driver license or identification card number,
980 passport number, military identification number, or other
981 similar number issued on a government document used to verify
982 identity;
983 (III) A financial account number or credit or debit card
984 number, in combination with any required security code, access
985 code, or password that is necessary to permit access to the
986 individual’s financial account;
987 (IV) The individual’s biometric data as defined in s.
988 501.702; or
989 (V) Any information regarding the individual’s geolocation;
990 or
991 b. A username or e-mail address, in combination with a
992 password or security question and answer that would permit
993 access to an online account.
994 2. The term does not include information about an
995 individual which has been made publicly available by a federal,
996 state, or local governmental entity. The term also does not
997 include information that is encrypted, secured, or modified by
998 any other method or technology that removes elements that
999 personally identify an individual or that otherwise renders the
1000 information unusable.
1001 (2) REQUIREMENTS FOR DATA SECURITY.—Each financial
1002 institution shall take reasonable measures to protect and secure
1003 data that are in electronic form and that contain personal
1004 information.
1005 (3) NOTICE TO OFFICE AND DEPARTMENT OF SECURITY BREACH.—
1006 (a)1. Each financial institution shall provide notice to
1007 the office of any breach of security affecting 500 or more
1008 individuals in this state. Such notice must be provided to the
1009 office as expeditiously as practicable, but no later than 30
1010 days after the determination of the breach or the determination
1011 of a reason to believe that a breach has occurred.
1012 2. The written notice to the office must include the items
1013 required under s. 501.171(3)(b).
1014 3. A financial institution must provide the following
1015 information to the office upon its request:
1016 a. A police report, incident report, or computer forensics
1017 report.
1018 b. A copy of the policies in place regarding breaches.
1019 c. Steps that have been taken to rectify the breach.
1020 4. A financial institution may provide the office with
1021 supplemental information regarding a breach at any time.
1022 (b) Each financial institution shall provide notice to the
1023 department of any breach of security affecting 500 or more
1024 individuals in this state. Such notice must be provided to the
1025 department in accordance with s. 501.171.
1026 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—Each
1027 financial institution shall give notice to each individual in
1028 this state whose personal information was, or the financial
1029 institution reasonably believes to have been, accessed as a
1030 result of the breach in accordance with s. 501.171(4). The
1031 notice must be provided no later than 30 days after the
1032 determination of the breach or the determination of a reason to
1033 believe that a breach has occurred. A financial institution may
1034 receive 15 additional days to provide notice to individuals of a
1035 security breach as required in this subsection if good cause for
1036 delay is provided in writing to the office within 30 days after
1037 determination of the breach or determination of the reason to
1038 believe that a breach has occurred.
1039 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a financial
1040 institution discovers circumstances requiring notice pursuant to
1041 this section of more than 1,000 individuals at a single time,
1042 the financial institution shall also notify, without
1043 unreasonable delay, all consumer reporting agencies that compile
1044 and maintain files on consumers on a nationwide basis, as
1045 defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p),
1046 of the timing, distribution, and content of the notices.
1047 Section 16. Present subsections (3), (4), and (5) of
1048 section 655.032, Florida Statutes, are redesignated as
1049 subsections (4), (5), and (6), respectively, and a new
1050 subsection (3) is added to that section, to read:
1051 655.032 Investigations, subpoenas, hearings, and
1052 witnesses.—
1053 (3) The office may consider or use as part of any
1054 investigation pursuant to this section the information contained
1055 in any suspected financial exploitation report or any records
1056 generated as a result of such report which is obtained pursuant
1057 to s. 415.106(4).
1058 Section 17. Present paragraphs (c) through (f) of
1059 subsection (1) of section 655.045, Florida Statutes, are
1060 redesignated as paragraphs (d) through (g), respectively, a new
1061 paragraph (c) is added to that subsection, and present paragraph
1062 (d) of that subsection is amended, to read:
1063 655.045 Examinations, reports, and internal audits;
1064 penalty.—
1065 (1) The office shall conduct an examination of the
1066 condition of each state financial institution at least every 18
1067 months. The office may conduct more frequent examinations based
1068 upon the risk profile of the financial institution, prior
1069 examination results, or significant changes in the institution
1070 or its operations. The office may use continuous, phase, or
1071 other flexible scheduling examination methods for very large or
1072 complex state financial institutions and financial institutions
1073 owned or controlled by a multi-financial institution holding
1074 company. The office shall consider examination guidelines from
1075 federal regulatory agencies in order to facilitate, coordinate,
1076 and standardize examination processes.
1077 (c) The office may consider or use as part of any
1078 examination conducted pursuant to this section the information
1079 contained in any suspected financial exploitation report or any
1080 records generated as a result of such report which is obtained
1081 pursuant to s. 415.106(4).
1082 (e)(d) As used in this section, the term “costs” means the
1083
1084 ================= T I T L E A M E N D M E N T ================
1085 And the title is amended as follows:
1086 Delete lines 3 - 72
1087 and insert:
1088 amending s. 415.106, F.S.; requiring the Department of
1089 Children and Families to cooperate with and seek
1090 cooperation from the Office of Financial Regulation
1091 concerning certain protective investigations of
1092 suspected financial exploitation of specified adults;
1093 requiring the department to provide copies of certain
1094 suspected financial exploitation reports to the office
1095 within a certain timeframe; authorizing the department
1096 to provide copies of certain records at the request of
1097 the office within a specified timeframe; authorizing
1098 the office to use such reports or records as required
1099 or authorized in certain provisions; specifying that
1100 certain confidentiality provisions that apply to the
1101 department apply to the records of the office and its
1102 employees and agents; authorizing the department and
1103 the office to enter into a specified memorandum of
1104 agreement; amending s. 415.107, F.S.; revising the
1105 persons, officials, and agencies granted access to
1106 certain records relating to vulnerable adults;
1107 creating s. 494.00123, F.S.; defining terms; requiring
1108 loan originators, mortgage brokers, and mortgage
1109 lenders to develop, implement, and maintain
1110 comprehensive written information security programs
1111 for the protection of information systems and
1112 nonpublic personal information; providing requirements
1113 for such programs; requiring loan originators,
1114 mortgage brokers, and mortgage lenders to establish
1115 written incident response plans for specified
1116 purposes; providing requirements for such plans;
1117 providing applicability; providing compliance
1118 requirements under specified circumstances; requiring
1119 loan originators, mortgage brokers, and mortgage
1120 lenders to maintain copies of information security
1121 programs for a specified timeframe and to make them
1122 available to the office under certain circumstances;
1123 specifying requirements for notices of security
1124 breaches; providing construction; requiring the
1125 Financial Services Commission to adopt rules; amending
1126 s. 494.00255, F.S.; providing additional acts that
1127 constitute a ground for specified disciplinary actions
1128 against loan originators and mortgage brokers;
1129 amending s. 517.021, F.S.; revising the definition of
1130 the term “investment adviser”; defining terms;
1131 amending s. 517.061, F.S.; defining terms; amending s.
1132 517.201, F.S.; authorizing the office to make
1133 investigations and examinations to aid the Department
1134 of Children and Families with certain protective
1135 investigations; authorizing the office to consider or
1136 use certain information as part of certain
1137 investigations and examinations; amending s. 517.34,
1138 F.S.; revising the information required to be
1139 contained in the form by which a dealer or investment
1140 advisor notifies the office of certain delayed
1141 disbursements or transactions of funds or securities;
1142 providing construction; creating s. 520.135, F.S.;
1143 specifying that the rights and obligations of parties
1144 with respect to a surrendered or repossessed motor
1145 vehicle are exclusively governed by certain
1146 provisions; amending s. 560.114, F.S.; specifying the
1147 entities that are subject to certain disciplinary
1148 actions and penalties; revising the list of actions by
1149 money services businesses which constitute grounds for
1150 certain disciplinary actions and penalties; specifying
1151 requirements for emergency suspension orders that
1152 suspend money services business licenses; providing
1153 that an emergency suspension order is effective when
1154 the licensee against whom the order is directed has
1155 actual or constructive knowledge of the order;
1156 requiring the office to institute timely proceedings
1157 after issuance of an emergency suspension order;
1158 authorizing a licensee subject to an emergency
1159 suspension order to seek judicial review; requiring,
1160 rather than authorizing, the office to suspend
1161 licenses of money services businesses under certain
1162 circumstances; creating s. 560.1311, F.S.; defining
1163 terms; requiring money services businesses to develop,
1164 implement, and maintain comprehensive written
1165 information security programs for the protection of
1166 information systems and nonpublic personal
1167 information; specifying requirements for such
1168 programs; requiring money services businesses to
1169 establish written incident response plans for
1170 specified purposes; specifying requirements for such
1171 plans; providing applicability; specifying compliance
1172 requirements under specified circumstances; requiring
1173 money services businesses to maintain copies of
1174 information security programs for a specified
1175 timeframe and to make them available to the office
1176 under certain circumstances; specifying requirements
1177 for notices of security breaches; providing
1178 construction; requiring the commission to adopt rules;
1179 amending s. 560.309, F.S.; providing that licensees
1180 must comply with the Fair Debt Collections Practices
1181 Act only if the licensees meet certain criteria;
1182 amending s. 560.405, F.S.; specifying that redemption
1183 in cash must be treated in the same manner as
1184 redemption through debit card transactions; prohibiting
1185 redemption through a credit card transaction; amending
1186 s. 560.406, F.S.; providing that licensees must comply
1187 with the Fair Debt Collections Practices Act only if
1188 the licensees meet certain criteria; creating s.
1189 655.0171, F.S.; defining terms; requiring financial
1190 institutions to take measures to protect and secure
1191 certain data that contain personal information;
1192 providing requirements for notices of security
1193 breaches to the office, the Department of Legal
1194 Affairs, certain individuals, and certain credit
1195 reporting agencies; amending s. 655.032, F.S.;
1196 authorizing the office to consider or use certain
1197 information as part of certain investigations;
1198 amending s. 655.045, F.S.; authorizing the office to
1199 consider or use certain information as part of certain
1200 investigations; revising the timeline for