Florida Senate - 2020                        COMMITTEE AMENDMENT
       Bill No. CS for SB 1870
       
       
       
       
       
       
                                Ì142964>Î142964                         
       
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                  Comm: RCS            .                                
                  02/19/2020           .                                
                                       .                                
                                       .                                
                                       .                                
       —————————————————————————————————————————————————————————————————




       —————————————————————————————————————————————————————————————————
       The Committee on Banking and Insurance (Hutson) recommended the
       following:
       
    1         Senate Amendment (with title amendment)
    2  
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Subsection (2) of section 20.22, Florida
    6  Statutes, is amended to read:
    7         20.22 Department of Management Services.—There is created a
    8  Department of Management Services.
    9         (2) The following divisions and programs within the
   10  Department of Management Services shall consist of the following
   11  are established:
   12         (a) The Facilities Program.
   13         (b) The Division of Telecommunications State Technology,
   14  the director of which is appointed by the secretary of the
   15  department and shall serve as the state chief information
   16  officer. The state chief information officer must be a proven,
   17  effective administrator who must have at least 10 years of
   18  executive-level experience in the public or private sector,
   19  preferably with experience in the development of information
   20  technology strategic planning and the development and
   21  implementation of fiscal and substantive information technology
   22  policy and standards.
   23         (c) The Workforce Program.
   24         (d)1. The Support Program.
   25         2. The Federal Property Assistance Program.
   26         (e) The Administration Program.
   27         (f) The Division of Administrative Hearings.
   28         (g) The Division of Retirement.
   29         (h) The Division of State Group Insurance.
   30         (i)The Florida Digital Service.
   31         Section 2. Section 282.0041, Florida Statutes, is amended
   32  to read:
   33         282.0041 Definitions.—As used in this chapter, the term:
   34         (1) “Agency assessment” means the amount each customer
   35  entity must pay annually for services from the Department of
   36  Management Services and includes administrative and data center
   37  services costs.
   38         (2) “Agency data center” means agency space containing 10
   39  or more physical or logical servers.
   40         (3) “Breach” has the same meaning as provided in s.
   41  501.171.
   42         (4) “Business continuity plan” means a collection of
   43  procedures and information designed to keep an agency’s critical
   44  operations running during a period of displacement or
   45  interruption of normal operations.
   46         (5) “Cloud computing” has the same meaning as provided in
   47  Special Publication 800-145 issued by the National Institute of
   48  Standards and Technology.
   49         (6) “Computing facility” or “agency computing facility”
   50  means agency space containing fewer than a total of 10 physical
   51  or logical servers, but excluding single, logical-server
   52  installations that exclusively perform a utility function such
   53  as file and print servers.
   54         (7) “Credential service provider” means a provider
   55  competitively procured by the department to supply secure
   56  identity management and verification services based on open
   57  standards to qualified entities.
   58         (8) “Customer entity” means an entity that obtains services
   59  from the Department of Management Services.
   60         (9)(8) “Data” means a subset of structured information in a
   61  format that allows such information to be electronically
   62  retrieved and transmitted.
   63         (10)“Data-call” means an electronic transaction with the
   64  credential service provider that verifies the authenticity of a
   65  digital identity by querying enterprise data.
   66         (11)(9) “Department” means the Department of Management
   67  Services.
   68         (12)(10) “Disaster recovery” means the process, policies,
   69  procedures, and infrastructure related to preparing for and
   70  implementing recovery or continuation of an agency’s vital
   71  technology infrastructure after a natural or human-induced
   72  disaster.
   73         (13)“Electronic” means technology having electrical,
   74  digital, magnetic, wireless, optical, electromagnetic, or
   75  similar capabilities.
   76         (14)“Electronic credential” means an electronic
   77  representation of the identity of a person, an organization, an
   78  application, or a device.
   79         (15)“Enterprise” means the collection of state agencies as
   80  defined in subsection (35). The term includes the Department of
   81  Legal Affairs, the Department of Agriculture and Consumer
   82  Services, and the Department of Financial Services.
   83         (16)“Enterprise architecture” means a comprehensive
   84  operational framework that contemplates the needs and assets of
   85  the enterprise to support interoperability across state
   86  government.
   87         (17)(11) “Enterprise information technology service” means
   88  an information technology service that is used in all agencies
   89  or a subset of agencies and is established in law to be
   90  designed, delivered, and managed at the enterprise level.
   91         (18)(12) “Event” means an observable occurrence in a system
   92  or network.
   93         (19)(13) “Incident” means a violation or imminent threat of
   94  violation, whether such violation is accidental or deliberate,
   95  of information technology resources, security, policies, or
   96  practices. An imminent threat of violation refers to a situation
   97  in which the state agency has a factual basis for believing that
   98  a specific incident is about to occur.
   99         (20)(14) “Information technology” means equipment,
  100  hardware, software, firmware, programs, systems, networks,
  101  infrastructure, media, and related material used to
  102  automatically, electronically, and wirelessly collect, receive,
  103  access, transmit, display, store, record, retrieve, analyze,
  104  evaluate, process, classify, manipulate, manage, assimilate,
  105  control, communicate, exchange, convert, converge, interface,
  106  switch, or disseminate information of any kind or form.
  107         (21)(15) “Information technology policy” means a definite
  108  course or method of action selected from among one or more
  109  alternatives that guide and determine present and future
  110  decisions.
  111         (22)(16) “Information technology resources” has the same
  112  meaning as provided in s. 119.011.
  113         (23)(17) “Information technology security” means the
  114  protection afforded to an automated information system in order
  115  to attain the applicable objectives of preserving the integrity,
  116  availability, and confidentiality of data, information, and
  117  information technology resources.
  118         (24)“Interoperability” means the technical ability to
  119  share and use data across and throughout the enterprise.
  120         (25)(18) “Open data” means data collected or created by a
  121  state agency, including the Department of Legal Affairs, the
  122  Department of Agriculture and Consumer Services, and the
  123  Department of Financial Services, and structured in a way that
  124  enables the data to be fully discoverable and usable by the
  125  public. The term does not include data that are restricted from
  126  public disclosure distribution based on federal or state
  127  privacy, confidentiality, and security laws and regulations or
  128  data for which a state agency is statutorily authorized to
  129  assess a fee for its distribution.
  130         (26)(19) “Performance metrics” means the measures of an
  131  organization’s activities and performance.
  132         (27)(20) “Project” means an endeavor that has a defined
  133  start and end point; is undertaken to create or modify a unique
  134  product, service, or result; and has specific objectives that,
  135  when attained, signify completion.
  136         (28)(21) “Project oversight” means an independent review
  137  and analysis of an information technology project that provides
  138  information on the project’s scope, completion timeframes, and
  139  budget and that identifies and quantifies issues or risks
  140  affecting the successful and timely completion of the project.
  141         (29)“Qualified entity” means a public or private entity or
  142  individual that enters into a binding agreement with the
  143  department, meets usage criteria, agrees to terms and
  144  conditions, and is subsequently and prescriptively authorized by
  145  the department to access data under the terms of that agreement
  146  as specified in s. 282.0051.
  147         (30)(22) “Risk assessment” means the process of identifying
  148  security risks, determining their magnitude, and identifying
  149  areas needing safeguards.
  150         (31)(23) “Service level” means the key performance
  151  indicators (KPI) of an organization or service which must be
  152  regularly performed, monitored, and achieved.
  153         (32)(24) “Service-level agreement” means a written contract
  154  between the Department of Management Services and a customer
  155  entity which specifies the scope of services provided, service
  156  level, the duration of the agreement, the responsible parties,
  157  and service costs. A service-level agreement is not a rule
  158  pursuant to chapter 120.
  159         (33)(25) “Stakeholder” means a person, group, organization,
  160  or state agency involved in or affected by a course of action.
  161         (34)(26) “Standards” means required practices, controls,
  162  components, or configurations established by an authority.
  163         (35)(27) “State agency” means any official, officer,
  164  commission, board, authority, council, committee, or department
  165  of the executive branch of state government; the Justice
  166  Administrative Commission; and the Public Service Commission.
  167  The term does not include university boards of trustees or state
  168  universities. As used in part I of this chapter, except as
  169  otherwise specifically provided, the term does not include the
  170  Department of Legal Affairs, the Department of Agriculture and
  171  Consumer Services, or the Department of Financial Services.
  172         (36)(28) “SUNCOM Network” means the state enterprise
  173  telecommunications system that provides all methods of
  174  electronic or optical telecommunications beyond a single
  175  building or contiguous building complex and used by entities
  176  authorized as network users under this part.
  177         (37)(29) “Telecommunications” means the science and
  178  technology of communication at a distance, including electronic
  179  systems used in the transmission or reception of information.
  180         (38)(30) “Threat” means any circumstance or event that has
  181  the potential to adversely impact a state agency’s operations or
  182  assets through an information system via unauthorized access,
  183  destruction, disclosure, or modification of information or
  184  denial of service.
  185         (39)(31) “Variance” means a calculated value that
  186  illustrates how far positive or negative a projection has
  187  deviated when measured against documented estimates within a
  188  project plan.
  189         Section 3. Section 282.0051, Florida Statutes, is amended
  190  to read:
  191         282.0051 Florida Digital Service Department of Management
  192  Services; powers, duties, and functions.—There is established
  193  the Florida Digital Service within the department to create
  194  innovative solutions that securely modernize state government,
  195  achieve value through digital transformation and
  196  interoperability, and fully support the cloud-first policy as
  197  specified in s. 282.206.
  198         (1) The Florida Digital Service department shall have the
  199  following powers, duties, and functions:
  200         (a)(1) Develop and publish information technology policy
  201  for the management of the state’s information technology
  202  resources.
  203         (b)(2)Develop an enterprise architecture that:
  204         1.Acknowledges the unique needs of those included within
  205  the enterprise, resulting in the publication of standards,
  206  terminologies, and procurement guidelines to facilitate digital
  207  interoperability;
  208         2.Supports the cloud-first policy as specified in s.
  209  282.206; and
  210         3.Addresses how information technology infrastructure may
  211  be modernized to achieve cloud-first objectives Establish and
  212  publish information technology architecture standards to provide
  213  for the most efficient use of the state’s information technology
  214  resources and to ensure compatibility and alignment with the
  215  needs of state agencies. The department shall assist state
  216  agencies in complying with the standards.
  217         (c)(3) Establish project management and oversight standards
  218  with which state agencies must comply when implementing projects
  219  that have an information technology component projects. The
  220  Florida Digital Service department shall provide training
  221  opportunities to state agencies to assist in the adoption of the
  222  project management and oversight standards. To support data
  223  driven decisionmaking, the standards must include, but are not
  224  limited to:
  225         1.(a) Performance measurements and metrics that objectively
  226  reflect the status of a project with an information technology
  227  component project based on a defined and documented project
  228  scope, cost, and schedule.
  229         2.(b) Methodologies for calculating acceptable variances in
  230  the projected versus actual scope, schedule, or cost of a
  231  project with an information technology component project.
  232         3.(c) Reporting requirements, including requirements
  233  designed to alert all defined stakeholders that a project with
  234  an information technology component project has exceeded
  235  acceptable variances defined and documented in a project plan.
  236         4.(d) Content, format, and frequency of project updates.
  237         (d)(4) Perform project oversight on all state agency
  238  information technology projects that have an information
  239  technology component with a total project cost costs of $10
  240  million or more and that are funded in the General
  241  Appropriations Act or any other law. The Florida Digital Service
  242  department shall report at least quarterly to the Executive
  243  Office of the Governor, the President of the Senate, and the
  244  Speaker of the House of Representatives on any project with an
  245  information technology component project that the Florida
  246  Digital Service department identifies as high-risk due to the
  247  project exceeding acceptable variance ranges defined and
  248  documented in a project plan. The report must include a risk
  249  assessment, including fiscal risks, associated with proceeding
  250  to the next stage of the project, and a recommendation for
  251  corrective actions required, including suspension or termination
  252  of the project. The Florida Digital Service shall establish a
  253  process for state agencies to apply for an exception to the
  254  requirements of this paragraph for a specific project with an
  255  information technology component.
  256         (e)(5) Identify opportunities for standardization and
  257  consolidation of information technology services that support
  258  interoperability and the cloud-first policy as specified in s.
  259  282.206, business functions and operations, including
  260  administrative functions such as purchasing, accounting and
  261  reporting, cash management, and personnel, and that are common
  262  across state agencies. The Florida Digital Service department
  263  shall biennially on April 1 provide recommendations for
  264  standardization and consolidation to the Executive Office of the
  265  Governor, the President of the Senate, and the Speaker of the
  266  House of Representatives.
  267         (f)(6) Establish best practices for the procurement of
  268  information technology products and cloud-computing services in
  269  order to reduce costs, increase the quality of data center
  270  services, or improve government services.
  271         (g)(7) Develop standards for information technology reports
  272  and updates, including, but not limited to, operational work
  273  plans, project spend plans, and project status reports, for use
  274  by state agencies.
  275         (h)(8) Upon request, assist state agencies in the
  276  development of information technology-related legislative budget
  277  requests.
  278         (i)(9) Conduct annual assessments of state agencies to
  279  determine compliance with all information technology standards
  280  and guidelines developed and published by the Florida Digital
  281  Service department and provide results of the assessments to the
  282  Executive Office of the Governor, the President of the Senate,
  283  and the Speaker of the House of Representatives.
  284         (j)(10) Provide operational management and oversight of the
  285  state data center established pursuant to s. 282.201, which
  286  includes:
  287         1.(a) Implementing industry standards and best practices
  288  for the state data center’s facilities, operations, maintenance,
  289  planning, and management processes.
  290         2.(b) Developing and implementing cost-recovery or other
  291  payment mechanisms that recover the full direct and indirect
  292  cost of services through charges to applicable customer
  293  entities. Such cost-recovery or other payment mechanisms must
  294  comply with applicable state and federal regulations concerning
  295  distribution and use of funds and must ensure that, for any
  296  fiscal year, no service or customer entity subsidizes another
  297  service or customer entity.
  298         3.(c) Developing and implementing appropriate operating
  299  guidelines and procedures necessary for the state data center to
  300  perform its duties pursuant to s. 282.201. The guidelines and
  301  procedures must comply with applicable state and federal laws,
  302  regulations, and policies and conform to generally accepted
  303  governmental accounting and auditing standards. The guidelines
  304  and procedures must include, but need not be limited to:
  305         a.1. Implementing a consolidated administrative support
  306  structure responsible for providing financial management,
  307  procurement, transactions involving real or personal property,
  308  human resources, and operational support.
  309         b.2. Implementing an annual reconciliation process to
  310  ensure that each customer entity is paying for the full direct
  311  and indirect cost of each service as determined by the customer
  312  entity’s use of each service.
  313         c.3. Providing rebates that may be credited against future
  314  billings to customer entities when revenues exceed costs.
  315         d.4. Requiring customer entities to validate that
  316  sufficient funds exist in the appropriate data processing
  317  appropriation category or will be transferred into the
  318  appropriate data processing appropriation category before
  319  implementation of a customer entity’s request for a change in
  320  the type or level of service provided, if such change results in
  321  a net increase to the customer entity’s cost for that fiscal
  322  year.
  323         e.5. By November 15 of each year, providing to the Office
  324  of Policy and Budget in the Executive Office of the Governor and
  325  to the chairs of the legislative appropriations committees the
  326  projected costs of providing data center services for the
  327  following fiscal year.
  328         f.6. Providing a plan for consideration by the Legislative
  329  Budget Commission if the cost of a service is increased for a
  330  reason other than a customer entity’s request made pursuant to
  331  sub-subparagraph d. subparagraph 4. Such a plan is required only
  332  if the service cost increase results in a net increase to a
  333  customer entity for that fiscal year.
  334         g.7. Standardizing and consolidating procurement and
  335  contracting practices.
  336         4.(d) In collaboration with the Department of Law
  337  Enforcement, developing and implementing a process for
  338  detecting, reporting, and responding to information technology
  339  security incidents, breaches, and threats.
  340         5.(e) Adopting rules relating to the operation of the state
  341  data center, including, but not limited to, budgeting and
  342  accounting procedures, cost-recovery or other payment
  343  methodologies, and operating procedures.
  344         (f) Conducting an annual market analysis to determine
  345  whether the state’s approach to the provision of data center
  346  services is the most effective and cost-efficient manner by
  347  which its customer entities can acquire such services, based on
  348  federal, state, and local government trends; best practices in
  349  service provision; and the acquisition of new and emerging
  350  technologies. The results of the market analysis shall assist
  351  the state data center in making adjustments to its data center
  352  service offerings.
  353         (k)(11) Recommend other information technology services
  354  that should be designed, delivered, and managed as enterprise
  355  information technology services. Recommendations must include
  356  the identification of existing information technology resources
  357  associated with the services, if existing services must be
  358  transferred as a result of being delivered and managed as
  359  enterprise information technology services.
  360         (l)(12) In consultation with state agencies, propose a
  361  methodology and approach for identifying and collecting both
  362  current and planned information technology expenditure data at
  363  the state agency level.
  364         (m)1.(13)(a) Notwithstanding any other law, provide project
  365  oversight on any project with an information technology
  366  component project of the Department of Financial Services, the
  367  Department of Legal Affairs, and the Department of Agriculture
  368  and Consumer Services which has a total project cost of $25
  369  million or more and which impacts one or more other agencies.
  370  Such projects with an information technology component projects
  371  must also comply with the applicable information technology
  372  architecture, project management and oversight, and reporting
  373  standards established by the Florida Digital Service department.
  374  The Florida Digital Service shall establish a process for the
  375  Department of Financial Services, the Department of Legal
  376  Affairs, and the Department of Agriculture and Consumer Services
  377  to apply for an exception to the requirements of this paragraph
  378  for a specific project with an information technology component.
  379         2.(b) When performing the project oversight function
  380  specified in subparagraph 1. paragraph (a), report at least
  381  quarterly to the Executive Office of the Governor, the President
  382  of the Senate, and the Speaker of the House of Representatives
  383  on any project with an information technology component project
  384  that the Florida Digital Service department identifies as high
  385  risk due to the project exceeding acceptable variance ranges
  386  defined and documented in the project plan. The report shall
  387  include a risk assessment, including fiscal risks, associated
  388  with proceeding to the next stage of the project and a
  389  recommendation for corrective actions required, including
  390  suspension or termination of the project.
  391         (n)(14) If a project with an information technology
  392  component project implemented by a state agency must be
  393  connected to or otherwise accommodated by an information
  394  technology system administered by the Department of Financial
  395  Services, the Department of Legal Affairs, or the Department of
  396  Agriculture and Consumer Services, consult with these
  397  departments regarding the risks and other effects of such
  398  projects on their information technology systems and work
  399  cooperatively with these departments regarding the connections,
  400  interfaces, timing, or accommodations required to implement such
  401  projects.
  402         (o)(15) If adherence to standards or policies adopted by or
  403  established pursuant to this section causes conflict with
  404  federal regulations or requirements imposed on a state agency
  405  and results in adverse action against the state agency or
  406  federal funding, work with the state agency to provide
  407  alternative standards, policies, or requirements that do not
  408  conflict with the federal regulation or requirement. The Florida
  409  Digital Service department shall annually report such
  410  alternative standards to the Governor, the President of the
  411  Senate, and the Speaker of the House of Representatives.
  412         (p)1.(16)(a) Establish an information technology policy for
  413  all information technology-related state contracts, including
  414  state term contracts for information technology commodities,
  415  consultant services, and staff augmentation services. The
  416  information technology policy must include:
  417         a.1. Identification of the information technology product
  418  and service categories to be included in state term contracts.
  419         b.2. Requirements to be included in solicitations for state
  420  term contracts.
  421         c.3. Evaluation criteria for the award of information
  422  technology-related state term contracts.
  423         d.4. The term of each information technology-related state
  424  term contract.
  425         e.5. The maximum number of vendors authorized on each state
  426  term contract.
  427         2.(b) Evaluate vendor responses for information technology
  428  related state term contract solicitations and invitations to
  429  negotiate.
  430         3.(c) Answer vendor questions on information technology
  431  related state term contract solicitations.
  432         4.(d) Ensure that the information technology policy
  433  established pursuant to subparagraph 1. paragraph (a) is
  434  included in all solicitations and contracts that are
  435  administratively executed by the department.
  436         (q)(17) Recommend potential methods for standardizing data
  437  across state agencies which will promote interoperability and
  438  reduce the collection of duplicative data.
  439         (r)(18) Recommend open data technical standards and
  440  terminologies for use by the enterprise state agencies.
  441         (2)(a)The Secretary of Management Services shall designate
  442  a state chief information officer, who shall administer the
  443  Florida Digital Service and is included in the Senior Management
  444  Service.
  445         (b)The state chief information officer shall designate a
  446  chief data officer, who shall report to the state chief
  447  information officer and is included in the Senior Management
  448  Service.
  449         (3)The Florida Digital Service shall, pursuant to
  450  legislative appropriation:
  451         (a)Create and maintain a comprehensive indexed data
  452  catalog that lists what data elements are housed within the
  453  enterprise and in which legacy system or application these data
  454  elements are located.
  455         (b)Develop and publish, in collaboration with the
  456  enterprise, a data dictionary for each agency which reflects the
  457  nomenclature in the comprehensive indexed data catalog.
  458         (c)Review and document use cases across the enterprise
  459  architecture.
  460         (d)Develop and publish standards that support the creation
  461  and deployment of application programming interfaces to
  462  facilitate integration throughout the enterprise.
  463         (e)Publish standards necessary to facilitate a secure
  464  ecosystem of data interoperability which is compliant with the
  465  enterprise architecture and allows for a qualified entity to
  466  access the enterprise’s data under the terms of the agreements
  467  with the department. However, enterprise data do not include
  468  data that are restricted from public distribution based on
  469  federal or state privacy, confidentiality, or security laws and
  470  regulations.
  471         (f)Publish standards that facilitate the deployment of
  472  applications or solutions to existing enterprise obligations in
  473  a controlled and phased approach, including, but not limited to:
  474         1.Electronic credentials, including digital proofs of a
  475  driver license as specified in s. 322.032.
  476         2.Interoperability that enables supervisors of elections
  477  to authenticate voter eligibility in real time at the point of
  478  service.
  479         3.The criminal justice database.
  480         4.Motor vehicle insurance cancellation integration between
  481  insurers and the Department of Highway Safety and Motor
  482  Vehicles.
  483         5.Interoperability solutions between agencies, including,
  484  but not limited to, the Department of Health, the Agency for
  485  Health Care Administration, the Agency for Persons with
  486  Disabilities, the Department of Education, the Department of
  487  Elderly Affairs, and the Department of Children and Families.
  488         6.Interoperability solutions to support military members,
  489  veterans, and their families.
  490         (4) Pursuant to legislative authorization and subject to
  491  appropriation:
  492         (a) The department may procure a credential service
  493  provider through a competitive process pursuant to s. 287.057.
  494  The terms of the contract developed from such procurement must
  495  pay for the value on a per-data-call or subscription basis, and
  496  there shall be no cost to the enterprise or law enforcement for
  497  using the services provided by the credential service provider.
  498         (b) The department may enter into agreements with qualified
  499  entities that have the technological capabilities necessary to
  500  integrate with the credential service provider; ensure secure
  501  validation and authentication of data; meet usage criteria; and
  502  agree to terms and conditions, privacy policies, and uniform
  503  remittance terms relating to the consumption of enterprise data.
  504  Enterprise data do not include data that are restricted from
  505  public disclosure based on federal or state privacy,
  506  confidentiality, or security laws and regulations. These
  507  agreements must include clear, enforceable, and significant
  508  penalties for violations of the agreements.
  509         (c) The terms of the agreements between the department and
  510  the credential service provider and between the department and
  511  the qualified entities must be based on the per-data-call or
  512  subscription charges to validate and authenticate an electronic
  513  credential and allow the department to recover any state costs
  514  for implementing and administering an electronic credential
  515  solution. Credential service provider and qualifying entity
  516  revenues may not be derived from any other transactions that
  517  generate revenue for the enterprise outside of the per-data-call
  518  or subscription charges.
  519         (d) All revenues generated from the agreements with the
  520  credential service provider and qualified entities shall be
  521  remitted to the department, and the department shall deposit
  522  these revenues into the Department of Management Services
  523  Operating Trust Fund for distribution pursuant to a legislative
  524  appropriation and department agreements with the credential
  525  service provider and qualified entities.
  526         (e) Upon the signing of the agreement and the enterprise
  527  architecture terms of service and privacy policies with a
  528  qualified entity, the department shall facilitate authorized
  529  integrations between the qualified entity and the credential
  530  service provider.
  531         (5)Upon the adoption of the enterprise architecture, the
  532  Florida Digital Service may develop a process to:
  533         (a)Receive written notice from the enterprise of any
  534  procurement of an information technology project that is subject
  535  to enterprise architecture standards.
  536         (b)Participate in the development of specifications and
  537  recommend modifications of any procurement by state agencies so
  538  that the procurement complies with the enterprise architecture.
  539         (6)(19)The Florida Digital Service may adopt rules to
  540  administer this section.
  541         Section 4. Section 282.00515, Florida Statutes, is amended
  542  to read:
  543         282.00515 Duties of Cabinet agencies.—
  544         (1) The Department of Legal Affairs, the Department of
  545  Financial Services, and the Department of Agriculture and
  546  Consumer Services shall adopt the standards established in s.
  547  282.0051(1)(b), (c), (g), (r), and (3)(e) s. 282.0051(2), (3),
  548  and (7) or adopt alternative standards based on best practices
  549  and industry standards that allow for the interoperability of
  550  open data within the enterprise.
  551         (2)If the Department of Legal Affairs, the Department of
  552  Financial Services, or the Department of Agriculture and
  553  Consumer Services adopts alternative standards in lieu of the
  554  enterprise architecture standards in s. 282.0051, such agency
  555  shall notify the Governor, the President of the Senate, and
  556  Speaker of the House of Representatives in writing before the
  557  adoption of the alternative standards and annually thereafter,
  558  until such agency adopts the enterprise architecture standards
  559  in s. 282.0051. The notification must include the following:
  560         (a)A detailed plan of how such agency will comply with the
  561  interoperability requirements referenced in this chapter.
  562         (b)An estimated cost and time difference between adhering
  563  to the enterprise architecture or choosing alternative
  564  standards.
  565         (c)A detailed security risk assessment of adopting
  566  alternative standards versus adopting the enterprise
  567  architecture.
  568         (d)Certification by the agency head or the agency head’s
  569  designated representative that the agency’s strategic and
  570  operational information technology security plans as required by
  571  s. 282.318(4) include provisions related to interoperability.
  572         (3)The Department of Legal Affairs, the Department of
  573  Financial Services, or the Department of Agriculture and
  574  Consumer Services may contract with the department to provide or
  575  perform any of the services and functions described in s.
  576  282.0051.
  577         (4)(a)This section or s. 282.0051 does not require the
  578  Department of Legal Affairs, the Department of Financial
  579  Services, or the Department of Agriculture and Consumer Services
  580  to integrate with any information technology outside its own
  581  department or contract with a credential service provider.
  582         (b)The Florida Digital Service may not retrieve or publish
  583  data without a data sharing agreement in place between the
  584  Florida Digital Service and the Department of Legal Affairs, the
  585  Department of Financial Services, or the Department of
  586  Agriculture and Consumer Services, and may contract with the
  587  department to provide or perform any of the services and
  588  functions described in s. 282.0051 for the Department of Legal
  589  Affairs, the Department of Financial Services, or the Department
  590  of Agriculture and Consumer Services.
  591         Section 5. Paragraph (a) of subsection (3) of section
  592  282.318, Florida Statutes, is amended to read:
  593         282.318 Security of data and information technology.—
  594         (3) The department is responsible for establishing
  595  standards and processes consistent with generally accepted best
  596  practices for information technology security, to include
  597  cybersecurity, and adopting rules that safeguard an agency’s
  598  data, information, and information technology resources to
  599  ensure availability, confidentiality, and integrity and to
  600  mitigate risks. The department shall also:
  601         (a) Designate a state chief information security officer
  602  who shall report to the state chief information officer of the
  603  Florida Digital Service and is in the Senior Management Service.
  604  The state chief information security officer must have
  605  experience and expertise in security and risk management for
  606  communications and information technology resources.
  607         Section 6. Subsection (4) of section 287.0591, Florida
  608  Statutes, is amended to read:
  609         287.0591 Information technology.—
  610         (4) If the department issues a competitive solicitation for
  611  information technology commodities, consultant services, or
  612  staff augmentation contractual services, the Florida Digital
  613  Service Division of State Technology within the department shall
  614  participate in such solicitations.
  615         Section 7. Paragraph (a) of subsection (3) of section
  616  365.171, Florida Statutes, is amended to read:
  617         365.171 Emergency communications number E911 state plan.—
  618         (3) DEFINITIONS.—As used in this section, the term:
  619         (a) “Office” means the Division of Telecommunications State
  620  Technology within the Department of Management Services, as
  621  designated by the secretary of the department.
  622         Section 8. Paragraph (s) of subsection (3) of section
  623  365.172, Florida Statutes, is amended to read:
  624         365.172 Emergency communications number “E911.”—
  625         (3) DEFINITIONS.—Only as used in this section and ss.
  626  365.171, 365.173, 365.174, and 365.177, the term:
  627         (s) “Office” means the Division of Telecommunications State
  628  Technology within the Department of Management Services, as
  629  designated by the secretary of the department.
  630         Section 9. Paragraph (a) of subsection (1) of section
  631  365.173, Florida Statutes, is amended to read:
  632         365.173 Communications Number E911 System Fund.—
  633         (1) REVENUES.—
  634         (a) Revenues derived from the fee levied on subscribers
  635  under s. 365.172(8) must be paid by the board into the State
  636  Treasury on or before the 15th day of each month. Such moneys
  637  must be accounted for in a special fund to be designated as the
  638  Emergency Communications Number E911 System Fund, a fund created
  639  in the Division of Telecommunications State Technology, or other
  640  office as designated by the Secretary of Management Services.
  641         Section 10. Subsection (5) of section 943.0415, Florida
  642  Statutes, is amended to read:
  643         943.0415 Cybercrime Office.—There is created within the
  644  Department of Law Enforcement the Cybercrime Office. The office
  645  may:
  646         (5) Consult with the Florida Digital Service Division of
  647  State Technology within the Department of Management Services in
  648  the adoption of rules relating to the information technology
  649  security provisions in s. 282.318.
  650         Section 11. Effective January 1, 2021, section 559.952,
  651  Florida Statutes, is created to read:
  652         559.952 Financial Technology Sandbox.—
  653         (1)SHORT TITLE.—This section may be cited as the
  654  “Financial Technology Sandbox.”
  655         (2)CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
  656  created the Financial Technology Sandbox within the Office of
  657  Financial Regulation to allow financial technology innovators to
  658  test new products and services in a supervised, flexible
  659  regulatory sandbox using exceptions to specified general law and
  660  waivers of the corresponding rule requirements under defined
  661  conditions. The creation of a supervised, flexible regulatory
  662  sandbox provides a welcoming business environment for technology
  663  innovators and may lead to significant business growth.
  664         (3)DEFINITIONS.—As used in this section, the term:
  665         (a)“Business entity” means a domestic corporation or other
  666  organized domestic entity with a physical presence, other than
  667  that of a registered office or agent or virtual mailbox, in this
  668  state.
  669         (b)“Commission” means the Financial Services Commission.
  670         (c)“Consumer” means a person in this state, whether a
  671  natural person or a business entity, who purchases, uses,
  672  receives, or enters into an agreement to purchase, use, or
  673  receive an innovative financial product or service made
  674  available through the Financial Technology Sandbox.
  675         (d)“Control person” means an individual, a partnership, a
  676  corporation, a trust, or other organization that possesses the
  677  power, directly or indirectly, to direct the management or
  678  policies of a company, whether through ownership of securities,
  679  by contract, or through other means. A person is presumed to
  680  control a company if, with respect to a particular company, that
  681  person:
  682         1. Is a director, a general partner, or an officer
  683  exercising executive responsibility or having similar status or
  684  functions;
  685         2. Directly or indirectly may vote 10 percent or more of a
  686  class of a voting security or sell or direct the sale of 10
  687  percent or more of a class of voting securities; or
  688         3. In the case of a partnership, may receive upon
  689  dissolution or has contributed 10 percent or more of the
  690  capital.
  691         (e)“Financial product or service” means a product or
  692  service related to a consumer finance loan, as defined in s.
  693  516.01, or a money transmitter and payment instrument seller, as
  694  defined in s. 560.103, including mediums of exchange that are in
  695  electronic or digital form, which is subject to general law or
  696  corresponding rule requirements in the sections enumerated in
  697  paragraph (4)(a) and which is under the jurisdiction of the
  698  office.
  699         (f)“Financial Technology Sandbox” means the program
  700  created in this section which allows a licensee to make an
  701  innovative financial product or service available to consumers
  702  as a person who makes and collects consumer finance loans, as
  703  defined in s. 516.01, or as a money transmitter or payment
  704  instrument seller, as defined in s. 560.103, during a sandbox
  705  period through an exception to general laws or a waiver of rule
  706  requirements, or portions thereof, as specified in this section.
  707         (g)“Innovative” means new or emerging technology, or new
  708  uses of existing technology, which provides a product, service,
  709  business model, or delivery mechanism to the public and which is
  710  not known to have a comparable offering in this state outside
  711  the Financial Technology Sandbox.
  712         (h)“Licensee” means a person who has been approved by the
  713  office to participate in the Financial Technology Sandbox.
  714         (i)“Office” means, unless the context clearly indicates
  715  otherwise, the Office of Financial Regulation.
  716         (j)“Sandbox period” means the period, initially not longer
  717  than 24 months, in which the office has:
  718         1.Authorized an innovative financial product or service to
  719  be made available to consumers.
  720         2.Granted the licensee who makes the innovative financial
  721  product or service available an exception to general law or a
  722  waiver of the corresponding rule requirements, as determined by
  723  the office, so that the authorization under subparagraph 1. is
  724  possible.
  725         (4)EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
  726  REQUIREMENTS.—
  727         (a) Notwithstanding any other law, upon approval of a
  728  Financial Technology Sandbox application, the office shall grant
  729  an applicant a license and a waiver of a requirement, or a
  730  portion thereof, which is imposed by rule as authorized by any
  731  of the following provisions of general law, if all of the
  732  conditions in paragraph (b) are met. If the application is
  733  approved for a person who otherwise would be subject to chapter
  734  516 or chapter 560, the following provisions are not applicable
  735  to the licensee:
  736         1. Section 516.03, except for the application fee for a
  737  license, the investigation fee, evidence of liquid assets of at
  738  least $25,000, and the office’s authority to make an
  739  investigation of the facts concerning the applicant’s background
  740  as provided in s. 516.03(1). The office may prorate the license
  741  renewal fees for an extension granted under subsection (7).
  742         2. Section 516.05, except for s. 516.05(4), (5), and (7)
  743  (9).
  744         3.Section 560.109, to the extent that it requires the
  745  office to examine a licensee at least once every 5 years.
  746         4.Section 560.118, except for s. 560.118(1).
  747         5.Section 560.125(1), to the extent that subsection would
  748  prohibit a licensee from engaging in the business of a money
  749  services business during the sandbox period; and s. 560.125(2),
  750  to the extent that subsection would prohibit a licensee from
  751  appointing an authorized vendor during the sandbox period.
  752         6.Section 560.128.
  753         7.Section 560.141, except for s. 560.141(1)(a)3., 8., 9.,
  754  and 10. and (1)(b), (c), and (d).
  755         8.Section 560.142, except that the office may prorate, but
  756  may not entirely waive, the license renewal fees provided in ss.
  757  560.142 and 560.143 for an extension granted under subsection
  758  (7).
  759         9.Section 560.143(2), to the extent necessary for
  760  proration of the renewal fee under subparagraph 8.
  761         10.Section 560.204(1), to the extent that subsection would
  762  prohibit a licensee from engaging in, or advertising it engages
  763  in, the selling or issuing of payment instruments or in the
  764  activity of a money transmitter during the sandbox period.
  765         11.Section 560.205, except for s. 560.205(1), (3), and
  766  (4).
  767         12.Section 560.208, except for s. 560.208(3)-(6).
  768         13.Section 560.209, except that the office may modify, but
  769  may not entirely waive, the net worth, corporate surety bond,
  770  and collateral deposit amounts required under that section. The
  771  modified amounts must be in such lower amounts that the office
  772  determines to be commensurate with the considerations under
  773  paragraph (5)(d) and the maximum number of consumers authorized
  774  to receive the financial product or service under this section.
  775         (b)The office may grant, during a sandbox period, an
  776  exception of a requirement, or a portion thereof, imposed by a
  777  general law or waiver of a corresponding rule in any section
  778  enumerated in paragraph (a) to a licensee, if all of the
  779  following conditions are met:
  780         1.The general law or corresponding rule currently prevents
  781  the innovative financial product or service from being made
  782  available to consumers.
  783         2.The exceptions or rule waivers are not broader than
  784  necessary to accomplish the purposes and standards specified in
  785  this section, as determined by the office.
  786         3.No provision relating to the liability of an
  787  incorporator, a director, or an officer of the applicant is
  788  eligible for a waiver.
  789         4.The other requirements of this section are met.
  790         (5)FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
  791  APPROVAL.
  792         (a)Before filing an application for licensure under this
  793  section, a substantially affected person may seek a declaratory
  794  statement pursuant to s. 120.565 regarding the applicability of
  795  a statute, a rule, or an agency order to the petitioner’s
  796  particular set of circumstances.
  797         (b)Before making an innovative financial product or
  798  service available to consumers in the Financial Technology
  799  Sandbox, a person must file an application for licensure with
  800  the office. The commission shall, by rule, prescribe the form
  801  and manner of the application.
  802         1.In the application, the person must specify the general
  803  law or rule requirements for which an exception or waiver is
  804  sought and the reasons why these requirements prevent the
  805  innovative financial product or service from being made
  806  available to consumers.
  807         2.The application also must contain the information
  808  specified in paragraph (d).
  809         (c)1.A business entity may file an application for
  810  licensure.
  811         2.Before a person applies on behalf of a business entity
  812  intending to make an innovative financial product or service
  813  available to consumers, the person must obtain the consent of
  814  the business entity.
  815         (d)The office shall approve or deny in writing a Financial
  816  Technology Sandbox application within 60 days after receiving
  817  the completed application. The office and the applicant may
  818  jointly agree to extend the time beyond 60 days. Consistent with
  819  this section, the office may impose conditions on any approval.
  820  In deciding whether to approve or deny an application for
  821  licensure, the office must consider each of the following:
  822         1.The nature of the innovative financial product or
  823  service proposed to be made available to consumers in the
  824  Financial Technology Sandbox, including all relevant technical
  825  details.
  826         2.The potential risk to consumers and the methods that
  827  will be used to protect consumers and resolve complaints during
  828  the sandbox period.
  829         3.The business plan proposed by the applicant, including
  830  company information, market analysis, and financial projections
  831  or pro forma financial statements.
  832         4.Whether the applicant has the necessary personnel,
  833  adequate financial and technical expertise, and a sufficient
  834  plan to test, monitor, and assess the innovative financial
  835  product or service.
  836         5.If any control person of the applicant’s innovative
  837  financial product or service has pled no contest to, has been
  838  convicted or found guilty of, or is currently under
  839  investigation for, fraud, a state or federal securities
  840  violation, a property-based offense, or a crime involving moral
  841  turpitude or dishonest dealing, the application to the Financial
  842  Technology Sandbox must be denied. A plea of no contest, a
  843  conviction, or a finding of guilt must be reported under this
  844  subparagraph regardless of adjudication.
  845         6.A copy of the disclosures that will be provided to
  846  consumers under paragraph (6)(c).
  847         7.The financial responsibility of any control person.
  848         8.Any other factor that the office determines to be
  849  relevant.
  850         (e)The office may not approve an application if:
  851         1.The applicant had a prior Financial Technology Sandbox
  852  application that was approved and that related to a
  853  substantially similar financial product or service; or
  854         2.Any control person substantially involved in the
  855  development, operation, or management of the applicant’s
  856  innovative financial product or service was substantially
  857  involved in such with another Financial Technology Sandbox
  858  applicant whose application was approved and whose application
  859  related to a substantially similar financial product or service.
  860         (f)Upon approval of an application, the office shall
  861  specify the general law or rule requirements, or portions
  862  thereof, for which an exception or a waiver is granted during
  863  the sandbox period and the length of the initial sandbox period,
  864  not to exceed 24 months. The office shall post on its website
  865  notice of the approval of the application, a summary of the
  866  innovative financial product or service, and the contact
  867  information of the person making the financial product or
  868  service available.
  869         (6)OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.
  870         (a)A licensee under this section may make an innovative
  871  financial product or service available to consumers during the
  872  sandbox period.
  873         (b)The office, on a case-by-case basis, may specify the
  874  maximum number of consumers authorized to receive an innovative
  875  financial product or service, after consultation with the person
  876  who makes the financial product or service available to
  877  consumers. The office may not authorize more than 15,000
  878  consumers to receive the financial product or service until the
  879  licensee who makes the financial product or service available to
  880  consumers has filed the first report required under subsection
  881  (8). After the filing of that report, if the licensee
  882  demonstrates adequate financial capitalization, risk management
  883  processes, and management oversight, the office may authorize up
  884  to 25,000 consumers to receive the financial product or service.
  885         (c)1.Before a consumer purchases, uses, receives, or
  886  enters into an agreement to purchase, use, or receive an
  887  innovative financial product or service through the Financial
  888  Technology Sandbox, the licensee making the financial product or
  889  service available must provide a written statement of all of the
  890  following to the consumer:
  891         a.The name and contact information of the person making
  892  the financial product or service available to consumers.
  893         b.That the financial product or service has been
  894  authorized to be made available to consumers for a temporary
  895  period by the office, under the laws of this state.
  896         c.That the state does not endorse the financial product or
  897  service.
  898         d.That the financial product or service is undergoing
  899  testing, may not function as intended, and may entail financial
  900  risk.
  901         e.That the licensee making the financial product or
  902  service available to consumers is not immune from civil
  903  liability for any losses or damages caused by the financial
  904  product or service.
  905         f.The expected end date of the sandbox period.
  906         g.The contact information for the office and notification
  907  that suspected legal violations, complaints, or other comments
  908  related to the financial product or service may be submitted to
  909  the office.
  910         h.Any other statements or disclosures required by rule of
  911  the commission which are necessary to further the purposes of
  912  this section.
  913         2.The written statement must contain an acknowledgement
  914  from the consumer, which must be retained for the duration of
  915  the sandbox period by the licensee making the financial product
  916  or service available.
  917         (d)The office may enter into an agreement with a state,
  918  federal, or foreign regulatory agency to allow persons who make
  919  an innovative financial product or service available in this
  920  state through the Financial Technology Sandbox to make their
  921  products or services available in other jurisdictions. The
  922  commission shall adopt rules to implement this paragraph.
  923         (e)The office may examine the records of a licensee at any
  924  time, with or without prior notice.
  925         (7)EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.
  926         (a)A licensee may apply for an extension of the initial
  927  sandbox period for up to 12 additional months for a purpose
  928  specified in subparagraph (b)1. or subparagraph (b)2. A complete
  929  application for an extension must be filed with the office at
  930  least 90 days before the conclusion of the initial sandbox
  931  period. The office shall approve or deny the application for
  932  extension in writing at least 35 days before the conclusion of
  933  the initial sandbox period. In deciding to approve or deny an
  934  application for extension of the sandbox period, the office
  935  must, at a minimum, consider the current status of the factors
  936  previously considered under paragraph (5)(d).
  937         (b)An application for an extension under paragraph (a)
  938  must cite one of the following reasons as the basis for the
  939  application and must provide all relevant supporting information
  940  that:
  941         1.Amendments to general law or rules are necessary to
  942  offer the innovative financial product or service in this state
  943  permanently.
  944         2.An application for a license that is required in order
  945  to offer the innovative financial product or service in this
  946  state permanently has been filed with the office, and approval
  947  is pending.
  948         (c)At least 30 days before the conclusion of the initial
  949  sandbox period or the extension, whichever is later, a licensee
  950  shall provide written notification to consumers regarding the
  951  conclusion of the initial sandbox period or the extension and
  952  may not make the financial product or service available to any
  953  new consumers after the conclusion of the initial sandbox period
  954  or the extension, whichever is later, until legal authority
  955  outside of the Financial Technology Sandbox exists for the
  956  licensee to make the financial product or service available to
  957  consumers. After the conclusion of the sandbox period or the
  958  extension, whichever is later, the licensee may:
  959         1.Collect and receive money owed to the person or pay
  960  money owed by the person, based on agreements with consumers
  961  made before the conclusion of the sandbox period or the
  962  extension.
  963         2.Take necessary legal action.
  964         3.Take other actions authorized by commission rule which
  965  are not inconsistent with this subsection.
  966         (8)REPORT.A licensee shall submit a report to the office
  967  twice a year as prescribed by commission rule. The report must,
  968  at a minimum, include financial reports and the number of
  969  consumers who have received the financial product or service.
  970         (9)CONSTRUCTION.—A person whose Financial Technology
  971  Sandbox application is approved is deemed licensed under this
  972  section and is subject to chapter 516 or chapter 560 with the
  973  applicable exceptions to general law or waiver of the rule
  974  requirements of chapter 516 or chapter 560 specified under
  975  paragraph (4)(a), unless the person’s license has been revoked
  976  or suspended. Notwithstanding s. 560.204(2), a licensee may not
  977  engage in activities authorized under part III of chapter 560.
  978         (10)VIOLATIONS AND PENALTIES.
  979         (a)A licensee who makes an innovative financial product or
  980  service available to consumers in the Financial Technology
  981  Sandbox is:
  982         1.Not immune from civil damages for acts and omissions
  983  relating to this section.
  984         2.Subject to all criminal and any other statute not
  985  specifically excepted under paragraph (4)(a).
  986         (b)1.The office may, by order, revoke or suspend a license
  987  of a person to make an innovative financial product or service
  988  available to consumers if:
  989         a.The person has violated or refused to comply with this
  990  section, a rule of the commission, an order of the office, or a
  991  condition placed by the office on the approval of the person’s
  992  Financial Technology Sandbox application;
  993         b.A fact or condition exists that, if it had existed or
  994  become known at the time that the Financial Technology Sandbox
  995  application was pending, would have warranted denial of the
  996  application or the imposition of material conditions;
  997         c.A material error, false statement, misrepresentation, or
  998  material omission was made in the Financial Technology Sandbox
  999  application; or
 1000         d.After consultation with the licensee, the office
 1001  determines that continued testing of the innovative financial
 1002  product or service would:
 1003         (I)Be likely to harm consumers; or
 1004         (II)No longer serve the purposes of this section because
 1005  of the financial or operational failure of the financial product
 1006  or service.
 1007         2.Written notice of a revocation or suspension order made
 1008  under subparagraph 1. must be served using any means authorized
 1009  by law. If the notice relates to a suspension, the notice must
 1010  include any condition or remedial action that the person must
 1011  complete before the office lifts the suspension.
 1012         (c)The office may refer any suspected violation of law to
 1013  an appropriate state or federal agency for investigation,
 1014  prosecution, civil penalties, and other appropriate enforcement
 1015  action.
 1016         (d)If service of process on a person making an innovative
 1017  financial product or service available to consumers in the
 1018  Financial Technology Sandbox is not feasible, service on the
 1019  office is deemed service on such person.
 1020         (11)RULES AND ORDERS.
 1021         (a)The commission shall adopt rules to administer this
 1022  section.
 1023         (b)The office may issue all necessary orders to enforce
 1024  this section and may enforce these orders in accordance with
 1025  chapter 120 or in any court of competent jurisdiction. These
 1026  orders include, but are not limited to, orders for payment of
 1027  restitution for harm suffered by consumers as a result of an
 1028  innovative financial product or service.
 1029         Section 12. For the 2020-2021 fiscal year, the sum of
 1030  $50,000 in nonrecurring funds is appropriated from the
 1031  Administrative Trust Fund to the Office of Financial Regulation
 1032  to implement s. 559.952, Florida Statutes, as created by this
 1033  act.
 1034         Section 13. Except as otherwise expressly provided in this
 1035  act, this act shall take effect July 1, 2020.
 1036  
 1037  ================= T I T L E  A M E N D M E N T ================
 1038  And the title is amended as follows:
 1039         Delete everything before the enacting clause
 1040  and insert:
 1041                        A bill to be entitled                      
 1042         An act relating to technology innovation; amending s.
 1043         20.22, F.S.; renaming the Division of State Technology
 1044         within the Department of Management Services as the
 1045         Division of Telecommunications; deleting provisions
 1046         relating to the appointment of the Division of State
 1047         Technology’s director and qualifications for the state
 1048         chief information officer; adding the Florida Digital
 1049         Service to the department; amending s. 282.0041, F.S.;
 1050         defining terms; revising the definition of the term
 1051         “open data”; amending s. 282.0051, F.S.; establishing
 1052         the Florida Digital Service within the department;
 1053         transferring specified powers, duties, and functions
 1054         of the department to the Florida Digital Service and
 1055         revising such powers, duties, and functions; providing
 1056         for designations of a state chief information officer
 1057         and a chief data officer and specifying their duties;
 1058         specifying duties of, and authorized actions by, the
 1059         Florida Digital Service pursuant to legislative
 1060         appropriation; providing duties of, and authorized
 1061         actions by, the department, subject to legislative
 1062         authorization and appropriation; authorizing the
 1063         Florida Digital Service to adopt rules; amending s.
 1064         282.00515, F.S.; revising standards that the
 1065         Department of Legal Affairs, the Department of
 1066         Financial Services, and the Department of Agriculture
 1067         and Consumer Services must adopt; specifying
 1068         notification requirements to the Governor and the
 1069         Legislature if such an agency adopts alternative
 1070         standards; providing construction; prohibiting the
 1071         Florida Digital Service from retrieving or publishing
 1072         data without a data sharing agreement with such an
 1073         agency; amending ss. 282.318, 287.0591, 365.171,
 1074         365.172, 365.173, and 943.0415, F.S.; conforming
 1075         provisions to changes made by the act; creating s.
 1076         559.952, F.S.; providing a short title; creating the
 1077         Financial Technology Sandbox within the Office of
 1078         Financial Regulation; defining terms; requiring the
 1079         office, if certain conditions are met, to grant a
 1080         license to a Financial Technology Sandbox applicant,
 1081         grant exceptions to specified provisions of general
 1082         law relating to consumer finance loans and money
 1083         services businesses, and grant waivers of certain
 1084         rules; authorizing a substantially affected person to
 1085         seek a declaratory statement before applying to the
 1086         Financial Technology Sandbox; specifying application
 1087         requirements and procedures; specifying requirements,
 1088         restrictions, and procedures for the office in
 1089         reviewing and approving or denying applications;
 1090         requiring the office to post on its website certain
 1091         information relating to approved applications;
 1092         specifying authorized actions of, limitations on, and
 1093         requirements for licensees operating in the Financial
 1094         Technology Sandbox; specifying disclosure requirements
 1095         for licensees to consumers; authorizing the office to
 1096         enter into certain agreements with other regulatory
 1097         agencies; authorizing the office to examine licensee
 1098         records; authorizing a licensee to apply for an
 1099         extension of an initial sandbox period for a certain
 1100         timeframe; specifying requirements and procedures for
 1101         applying for an extension; specifying requirements and
 1102         procedures for, and authorized actions of, licensees
 1103         when concluding a sandbox period or extension;
 1104         requiring licensees to submit certain reports to the
 1105         office at specified intervals; providing construction;
 1106         specifying the liability of a licensee; authorizing
 1107         the office to take certain disciplinary actions
 1108         against a licensee under certain circumstances;
 1109         providing construction relating to service of process;
 1110         specifying the rulemaking authority of the Financial
 1111         Services Commission; providing the office authority to
 1112         issue orders and enforce the orders; providing an
 1113         appropriation; providing effective dates.