Florida Senate - 2020                        COMMITTEE AMENDMENT
       Bill No. CS for CS for SB 1870
       
       
       
       
       
       
                                Ì228190$Î228190                         
       
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                  Comm: RCS            .                                
                  03/04/2020           .                                
                                       .                                
                                       .                                
                                       .                                
       —————————————————————————————————————————————————————————————————




       —————————————————————————————————————————————————————————————————
       The Committee on Appropriations (Hutson) recommended the
       following:
       
    1         Senate Amendment (with title amendment)
    2  
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Subsection (2) of section 20.22, Florida
    6  Statutes, is amended to read:
    7         20.22 Department of Management Services.—There is created a
    8  Department of Management Services.
    9         (2) The following divisions, and programs, and services
   10  within the Department of Management Services are established:
   11         (a) Facilities Program.
   12         (b) The Florida Digital Service Division of State
   13  Technology, the director of which is appointed by the secretary
   14  of the department and shall serve as the state chief information
   15  officer. The state chief information officer must be a proven,
   16  effective administrator who must have at least 10 years of
   17  executive-level experience in the public or private sector,
   18  preferably with experience in the development of information
   19  technology strategic planning and the development and
   20  implementation of fiscal and substantive information technology
   21  policy and standards.
   22         (c) Workforce Program.
   23         (d)1. Support Program.
   24         2. Federal Property Assistance Program.
   25         (e) Administration Program.
   26         (f) Division of Administrative Hearings.
   27         (g) Division of Retirement.
   28         (h) Division of State Group Insurance.
   29         (i)Division of Telecommunications.
   30         Section 2. Paragraph (e) of subsection (2) of section
   31  110.205, Florida Statutes, is amended to read:
   32         110.205 Career service; exemptions.—
   33         (2) EXEMPT POSITIONS.—The exempt positions that are not
   34  covered by this part include the following:
   35         (e) The state chief information officer, the state chief
   36  data officer, and the state chief information security officer.
   37  Unless otherwise fixed by law, The Department of Management
   38  Services shall set the salary and benefits of these positions
   39  this position in accordance with the rules of the Senior
   40  Management Service.
   41         Section 3. Section 282.0041, Florida Statutes, is amended
   42  to read:
   43         282.0041 Definitions.—As used in this chapter, the term:
   44         (1) “Agency assessment” means the amount each customer
   45  entity must pay annually for services from the Department of
   46  Management Services and includes administrative and data center
   47  services costs.
   48         (2) “Agency data center” means agency space containing 10
   49  or more physical or logical servers.
   50         (3) “Breach” has the same meaning as provided in s.
   51  501.171.
   52         (4) “Business continuity plan” means a collection of
   53  procedures and information designed to keep an agency’s critical
   54  operations running during a period of displacement or
   55  interruption of normal operations.
   56         (5) “Cloud computing” has the same meaning as provided in
   57  Special Publication 800-145 issued by the National Institute of
   58  Standards and Technology.
   59         (6) “Computing facility” or “agency computing facility”
   60  means agency space containing fewer than a total of 10 physical
   61  or logical servers, but excluding single, logical-server
   62  installations that exclusively perform a utility function such
   63  as file and print servers.
   64         (7) “Customer entity” means an entity that obtains services
   65  from the Department of Management Services.
   66         (8) “Data” means a subset of structured information in a
   67  format that allows such information to be electronically
   68  retrieved and transmitted.
   69         (9) “Data governance” means the practice of organizing,
   70  classifying, securing, and implementing policies, procedures,
   71  and standards for the effective use of an organization’s data.
   72         (10) “Department” means the Department of Management
   73  Services.
   74         (11)(10) “Disaster recovery” means the process, policies,
   75  procedures, and infrastructure related to preparing for and
   76  implementing recovery or continuation of an agency’s vital
   77  technology infrastructure after a natural or human-induced
   78  disaster.
   79         (12)“Electronic” means technology having electrical,
   80  digital, magnetic, wireless, optical, electromagnetic, or
   81  similar capabilities.
   82         (13)“Electronic credential” means an electronic
   83  representation of the identity of a person, an organization, an
   84  application, or a device.
   85         (14)“Enterprise” means state agencies and the Department
   86  of Legal Affairs, the Department of Financial Services, and the
   87  Department of Agriculture and Consumer Services.
   88         (15)“Enterprise architecture” means a comprehensive
   89  operational framework that contemplates the needs and assets of
   90  the enterprise to support interoperability.
   91         (16)(11) “Enterprise information technology service” means
   92  an information technology service that is used in all agencies
   93  or a subset of agencies and is established in law to be
   94  designed, delivered, and managed at the enterprise level.
   95         (17)(12) “Event” means an observable occurrence in a system
   96  or network.
   97         (18)(13) “Incident” means a violation or imminent threat of
   98  violation, whether such violation is accidental or deliberate,
   99  of information technology resources, security, policies, or
  100  practices. An imminent threat of violation refers to a situation
  101  in which the state agency has a factual basis for believing that
  102  a specific incident is about to occur.
  103         (19)(14) “Information technology” means equipment,
  104  hardware, software, firmware, programs, systems, networks,
  105  infrastructure, media, and related material used to
  106  automatically, electronically, and wirelessly collect, receive,
  107  access, transmit, display, store, record, retrieve, analyze,
  108  evaluate, process, classify, manipulate, manage, assimilate,
  109  control, communicate, exchange, convert, converge, interface,
  110  switch, or disseminate information of any kind or form.
  111         (20)(15) “Information technology policy” means a definite
  112  course or method of action selected from among one or more
  113  alternatives that guide and determine present and future
  114  decisions.
  115         (21)(16) “Information technology resources” has the same
  116  meaning as provided in s. 119.011.
  117         (22)(17) “Information technology security” means the
  118  protection afforded to an automated information system in order
  119  to attain the applicable objectives of preserving the integrity,
  120  availability, and confidentiality of data, information, and
  121  information technology resources.
  122         (23)“Interoperability” means the technical ability to
  123  share and use data across and throughout the enterprise.
  124         (24)(18) “Open data” means data collected or created by a
  125  state agency, the Department of Legal Affairs, the Department of
  126  Financial Services, and the Department of Agriculture and
  127  Consumer Services, and structured in a way that enables the data
  128  to be fully discoverable and usable by the public. The term does
  129  not include data that are restricted from public disclosure
  130  distribution based on federal or state privacy, confidentiality,
  131  and security laws and regulations, including, but not limited
  132  to, those related to privacy, confidentiality, security,
  133  personal health, business or trade secret information, and
  134  exemptions from state public records laws; or data for which a
  135  state agency, the Department of Legal Affairs, the Department of
  136  Financial Services, or the Department of Agriculture and
  137  Consumer Services is statutorily authorized to assess a fee for
  138  its distribution.
  139         (25)(19) “Performance metrics” means the measures of an
  140  organization’s activities and performance.
  141         (26)(20) “Project” means an endeavor that has a defined
  142  start and end point; is undertaken to create or modify a unique
  143  product, service, or result; and has specific objectives that,
  144  when attained, signify completion.
  145         (27)(21) “Project oversight” means an independent review
  146  and analysis of an information technology project that provides
  147  information on the project’s scope, completion timeframes, and
  148  budget and that identifies and quantifies issues or risks
  149  affecting the successful and timely completion of the project.
  150         (28)(22) “Risk assessment” means the process of identifying
  151  security risks, determining their magnitude, and identifying
  152  areas needing safeguards.
  153         (29)(23) “Service level” means the key performance
  154  indicators (KPI) of an organization or service which must be
  155  regularly performed, monitored, and achieved.
  156         (30)(24) “Service-level agreement” means a written contract
  157  between the Department of Management Services and a customer
  158  entity which specifies the scope of services provided, service
  159  level, the duration of the agreement, the responsible parties,
  160  and service costs. A service-level agreement is not a rule
  161  pursuant to chapter 120.
  162         (31)(25) “Stakeholder” means a person, group, organization,
  163  or state agency involved in or affected by a course of action.
  164         (32)(26) “Standards” means required practices, controls,
  165  components, or configurations established by an authority.
  166         (33)(27) “State agency” means any official, officer,
  167  commission, board, authority, council, committee, or department
  168  of the executive branch of state government; the Justice
  169  Administrative Commission; and the Public Service Commission.
  170  The term does not include university boards of trustees or state
  171  universities. As used in part I of this chapter, except as
  172  otherwise specifically provided, the term does not include the
  173  Department of Legal Affairs, the Department of Agriculture and
  174  Consumer Services, or the Department of Financial Services.
  175         (34)(28) “SUNCOM Network” means the state enterprise
  176  telecommunications system that provides all methods of
  177  electronic or optical telecommunications beyond a single
  178  building or contiguous building complex and used by entities
  179  authorized as network users under this part.
  180         (35)(29) “Telecommunications” means the science and
  181  technology of communication at a distance, including electronic
  182  systems used in the transmission or reception of information.
  183         (36)(30) “Threat” means any circumstance or event that has
  184  the potential to adversely impact a state agency’s operations or
  185  assets through an information system via unauthorized access,
  186  destruction, disclosure, or modification of information or
  187  denial of service.
  188         (37)(31) “Variance” means a calculated value that
  189  illustrates how far positive or negative a projection has
  190  deviated when measured against documented estimates within a
  191  project plan.
  192         Section 4. Section 282.0051, Florida Statutes, is amended
  193  to read:
  194         282.0051 Department of Management Services; Florida Digital
  195  Service; powers, duties, and functions.—
  196         (1)The Florida Digital Service has been created within the
  197  department to propose innovative solutions that securely
  198  modernize state government, including technology and information
  199  services, to achieve value through digital transformation and
  200  interoperability, and to fully support the cloud-first policy as
  201  specified in s. 282.206. The department, through the Florida
  202  Digital Service, shall have the following powers, duties, and
  203  functions:
  204         (a)(1) Develop and publish information technology policy
  205  for the management of the state’s information technology
  206  resources.
  207         (b)(2)Develop an enterprise architecture that:
  208         1.Acknowledges the unique needs of the entities within the
  209  enterprise in the development and publication of standards and
  210  terminologies to facilitate digital interoperability;
  211         2.Supports the cloud-first policy as specified in s.
  212  282.206; and
  213         3.Addresses how information technology infrastructure may
  214  be modernized to achieve cloud-first objectives Establish and
  215  publish information technology architecture standards to provide
  216  for the most efficient use of the state’s information technology
  217  resources and to ensure compatibility and alignment with the
  218  needs of state agencies. The department shall assist state
  219  agencies in complying with the standards.
  220         (c)(3) Establish project management and oversight standards
  221  with which state agencies must comply when implementing
  222  information technology projects. The department, acting through
  223  the Florida Digital Service, shall provide training
  224  opportunities to state agencies to assist in the adoption of the
  225  project management and oversight standards. To support data
  226  driven decisionmaking, the standards must include, but are not
  227  limited to:
  228         1.(a) Performance measurements and metrics that objectively
  229  reflect the status of an information technology project based on
  230  a defined and documented project scope, cost, and schedule.
  231         2.(b) Methodologies for calculating acceptable variances in
  232  the projected versus actual scope, schedule, or cost of an
  233  information technology project.
  234         3.(c) Reporting requirements, including requirements
  235  designed to alert all defined stakeholders that an information
  236  technology project has exceeded acceptable variances defined and
  237  documented in a project plan.
  238         4.(d) Content, format, and frequency of project updates.
  239         (d)(4) Perform project oversight on all state agency
  240  information technology projects that have total project costs of
  241  $10 million or more and that are funded in the General
  242  Appropriations Act or any other law. The department, acting
  243  through the Florida Digital Service, shall report at least
  244  quarterly to the Executive Office of the Governor, the President
  245  of the Senate, and the Speaker of the House of Representatives
  246  on any information technology project that the department
  247  identifies as high-risk due to the project exceeding acceptable
  248  variance ranges defined and documented in a project plan. The
  249  report must include a risk assessment, including fiscal risks,
  250  associated with proceeding to the next stage of the project, and
  251  a recommendation for corrective actions required, including
  252  suspension or termination of the project.
  253         (e)(5) Identify opportunities for standardization and
  254  consolidation of information technology services that support
  255  interoperability and the cloud-first policy, as specified in s.
  256  282.206, and business functions and operations, including
  257  administrative functions such as purchasing, accounting and
  258  reporting, cash management, and personnel, and that are common
  259  across state agencies. The department, acting through the
  260  Florida Digital Service, shall biennially on January 1 of each
  261  even-numbered year April 1 provide recommendations for
  262  standardization and consolidation to the Executive Office of the
  263  Governor, the President of the Senate, and the Speaker of the
  264  House of Representatives.
  265         (f)(6) Establish best practices for the procurement of
  266  information technology products and cloud-computing services in
  267  order to reduce costs, increase the quality of data center
  268  services, or improve government services.
  269         (g)(7) Develop standards for information technology reports
  270  and updates, including, but not limited to, operational work
  271  plans, project spend plans, and project status reports, for use
  272  by state agencies.
  273         (h)(8) Upon request, assist state agencies in the
  274  development of information technology-related legislative budget
  275  requests.
  276         (i)(9) Conduct annual assessments of state agencies to
  277  determine compliance with all information technology standards
  278  and guidelines developed and published by the department and
  279  provide results of the assessments to the Executive Office of
  280  the Governor, the President of the Senate, and the Speaker of
  281  the House of Representatives.
  282         (j)(10) Provide operational management and oversight of the
  283  state data center established pursuant to s. 282.201, which
  284  includes:
  285         1.(a) Implementing industry standards and best practices
  286  for the state data center’s facilities, operations, maintenance,
  287  planning, and management processes.
  288         2.(b) Developing and implementing cost-recovery mechanisms
  289  that recover the full direct and indirect cost of services
  290  through charges to applicable customer entities. Such cost
  291  recovery mechanisms must comply with applicable state and
  292  federal regulations concerning distribution and use of funds and
  293  must ensure that, for any fiscal year, no service or customer
  294  entity subsidizes another service or customer entity. The
  295  Florida Digital Service may recommend other payment mechanisms
  296  to the Executive Office of the Governor, the President of the
  297  Senate, and the Speaker of the House of Representatives. Such
  298  mechanism may be implemented only if specifically authorized by
  299  the Legislature.
  300         3.(c) Developing and implementing appropriate operating
  301  guidelines and procedures necessary for the state data center to
  302  perform its duties pursuant to s. 282.201. The guidelines and
  303  procedures must comply with applicable state and federal laws,
  304  regulations, and policies and conform to generally accepted
  305  governmental accounting and auditing standards. The guidelines
  306  and procedures must include, but need not be limited to:
  307         a.1. Implementing a consolidated administrative support
  308  structure responsible for providing financial management,
  309  procurement, transactions involving real or personal property,
  310  human resources, and operational support.
  311         b.2. Implementing an annual reconciliation process to
  312  ensure that each customer entity is paying for the full direct
  313  and indirect cost of each service as determined by the customer
  314  entity’s use of each service.
  315         c.3. Providing rebates that may be credited against future
  316  billings to customer entities when revenues exceed costs.
  317         d.4. Requiring customer entities to validate that
  318  sufficient funds exist in the appropriate data processing
  319  appropriation category or will be transferred into the
  320  appropriate data processing appropriation category before
  321  implementation of a customer entity’s request for a change in
  322  the type or level of service provided, if such change results in
  323  a net increase to the customer entity’s cost for that fiscal
  324  year.
  325         e.5. By November 15 of each year, providing to the Office
  326  of Policy and Budget in the Executive Office of the Governor and
  327  to the chairs of the legislative appropriations committees the
  328  projected costs of providing data center services for the
  329  following fiscal year.
  330         f.6. Providing a plan for consideration by the Legislative
  331  Budget Commission if the cost of a service is increased for a
  332  reason other than a customer entity’s request made pursuant to
  333  sub-subparagraph d. subparagraph 4. Such a plan is required only
  334  if the service cost increase results in a net increase to a
  335  customer entity for that fiscal year.
  336         g.7. Standardizing and consolidating procurement and
  337  contracting practices.
  338         4.(d) In collaboration with the Department of Law
  339  Enforcement, developing and implementing a process for
  340  detecting, reporting, and responding to information technology
  341  security incidents, breaches, and threats.
  342         5.(e) Adopting rules relating to the operation of the state
  343  data center, including, but not limited to, budgeting and
  344  accounting procedures, cost-recovery methodologies, and
  345  operating procedures.
  346         (k)Conduct a market analysis not less frequently than
  347  every 3 years beginning in 2021 to determine whether the
  348  information technology resources within the enterprise are
  349  utilized in the most cost-effective and cost-efficient manner,
  350  while recognizing that the replacement of certain legacy
  351  information technology systems within the enterprise may be cost
  352  prohibitive or cost inefficient due to the remaining useful life
  353  of those resources; whether the enterprise is complying with the
  354  cloud-first policy specified in s. 282.206; and whether the
  355  enterprise is utilizing best practices with respect to
  356  information technology, information services, and the
  357  acquisition of emerging technologies and information services.
  358  Each market analysis shall be used to prepare a strategic plan
  359  for continued and future information technology and information
  360  services for the enterprise, including, but not limited to,
  361  proposed acquisition of new services or technologies and
  362  approaches to the implementation of any new services or
  363  technologies. Copies of each market analysis and accompanying
  364  strategic plan must be submitted to the Executive Office of the
  365  Governor, the President of the Senate, and the Speaker of the
  366  House of Representatives not later than December 31 of each year
  367  that a market analysis is conducted.
  368         (f) Conducting an annual market analysis to determine
  369  whether the state’s approach to the provision of data center
  370  services is the most effective and cost-efficient manner by
  371  which its customer entities can acquire such services, based on
  372  federal, state, and local government trends; best practices in
  373  service provision; and the acquisition of new and emerging
  374  technologies. The results of the market analysis shall assist
  375  the state data center in making adjustments to its data center
  376  service offerings.
  377         (l)(11) Recommend other information technology services
  378  that should be designed, delivered, and managed as enterprise
  379  information technology services. Recommendations must include
  380  the identification of existing information technology resources
  381  associated with the services, if existing services must be
  382  transferred as a result of being delivered and managed as
  383  enterprise information technology services.
  384         (m)(12) In consultation with state agencies, propose a
  385  methodology and approach for identifying and collecting both
  386  current and planned information technology expenditure data at
  387  the state agency level.
  388         (n)1.(13)(a) Notwithstanding any other law, provide project
  389  oversight on any information technology project of the
  390  Department of Financial Services, the Department of Legal
  391  Affairs, and the Department of Agriculture and Consumer Services
  392  which has a total project cost of $25 million or more and which
  393  impacts one or more other agencies. Such information technology
  394  projects must also comply with the applicable information
  395  technology architecture, project management and oversight, and
  396  reporting standards established by the department, acting
  397  through the Florida Digital Service.
  398         2.(b) When performing the project oversight function
  399  specified in subparagraph 1. paragraph (a), report at least
  400  quarterly to the Executive Office of the Governor, the President
  401  of the Senate, and the Speaker of the House of Representatives
  402  on any information technology project that the department,
  403  acting through the Florida Digital Service, identifies as high
  404  risk due to the project exceeding acceptable variance ranges
  405  defined and documented in the project plan. The report shall
  406  include a risk assessment, including fiscal risks, associated
  407  with proceeding to the next stage of the project and a
  408  recommendation for corrective actions required, including
  409  suspension or termination of the project.
  410         (o)(14) If an information technology project implemented by
  411  a state agency must be connected to or otherwise accommodated by
  412  an information technology system administered by the Department
  413  of Financial Services, the Department of Legal Affairs, or the
  414  Department of Agriculture and Consumer Services, consult with
  415  these departments regarding the risks and other effects of such
  416  projects on their information technology systems and work
  417  cooperatively with these departments regarding the connections,
  418  interfaces, timing, or accommodations required to implement such
  419  projects.
  420         (p)(15) If adherence to standards or policies adopted by or
  421  established pursuant to this section causes conflict with
  422  federal regulations or requirements imposed on an entity within
  423  the enterprise a state agency and results in adverse action
  424  against an entity the state agency or federal funding, work with
  425  the entity state agency to provide alternative standards,
  426  policies, or requirements that do not conflict with the federal
  427  regulation or requirement. The department, acting through the
  428  Florida Digital Service, shall annually report such alternative
  429  standards to the Executive Office of the Governor, the President
  430  of the Senate, and the Speaker of the House of Representatives.
  431         (q)1.(16)(a) Establish an information technology policy for
  432  all information technology-related state contracts, including
  433  state term contracts for information technology commodities,
  434  consultant services, and staff augmentation services. The
  435  information technology policy must include:
  436         a.1. Identification of the information technology product
  437  and service categories to be included in state term contracts.
  438         b.2. Requirements to be included in solicitations for state
  439  term contracts.
  440         c.3. Evaluation criteria for the award of information
  441  technology-related state term contracts.
  442         d.4. The term of each information technology-related state
  443  term contract.
  444         e.5. The maximum number of vendors authorized on each state
  445  term contract.
  446         2.(b) Evaluate vendor responses for information technology
  447  related state term contract solicitations and invitations to
  448  negotiate.
  449         3.(c) Answer vendor questions on information technology
  450  related state term contract solicitations.
  451         4.(d) Ensure that the information technology policy
  452  established pursuant to subparagraph 1. paragraph (a) is
  453  included in all solicitations and contracts that are
  454  administratively executed by the department.
  455         (r)(17) Recommend potential methods for standardizing data
  456  across state agencies which will promote interoperability and
  457  reduce the collection of duplicative data.
  458         (s)(18) Recommend open data technical standards and
  459  terminologies for use by the enterprise state agencies.
  460         (t)Ensure that enterprise information technology solutions
  461  are capable of utilizing an electronic credential and comply
  462  with the enterprise architecture standards.
  463         (2)(a)The Secretary of Management Services shall designate
  464  a state chief information officer, who shall administer the
  465  Florida Digital Service. The state chief information officer,
  466  prior to appointment, must have at least 5 years of experience
  467  in the development of information system strategic planning and
  468  development or information technology policy, and, preferably,
  469  have leadership-level experience in the design, development, and
  470  deployment of interoperable software and data solutions.
  471         (b)The state chief information officer, in consultation
  472  with the Secretary of Management Services, shall designate a
  473  state chief data officer. The chief data officer must be a
  474  proven and effective administrator who must have significant and
  475  substantive experience in data management, data governance,
  476  interoperability, and security.
  477         (3)The department, acting through the Florida Digital
  478  Service and from funds appropriated to the Florida Digital
  479  Service, shall:
  480         (a)Create, not later than October 1, 2021, and maintain a
  481  comprehensive indexed data catalog in collaboration with the
  482  enterprise that lists the data elements housed within the
  483  enterprise and the legacy system or application in which these
  484  data elements are located. The data catalog must, at a minimum,
  485  specifically identify all data that is restricted from public
  486  disclosure based on federal or state laws and regulations and
  487  require that all such information be protected in accordance
  488  with s. 282.318.
  489         (b)Develop and publish, not later than October 1, 2021, in
  490  collaboration with the enterprise, a data dictionary for each
  491  agency that reflects the nomenclature in the comprehensive
  492  indexed data catalog.
  493         (c)Adopt, by rule, standards that support the creation and
  494  deployment of an application programming interface to facilitate
  495  integration throughout the enterprise.
  496         (d)Adopt, by rule, standards necessary to facilitate a
  497  secure ecosystem of data interoperability that is compliant with
  498  the enterprise architecture.
  499         (e)Adopt, by rule, standards that facilitate the
  500  deployment of applications or solutions to the existing
  501  enterprise system in a controlled and phased approach.
  502         (f)After submission of documented use cases developed in
  503  conjunction with the affected agencies, assist the affected
  504  agencies with the deployment, contingent upon a specific
  505  appropriation therefor, of new interoperable applications and
  506  solutions:
  507         1.For the Department of Health, the Agency for Health Care
  508  Administration, the Agency for Persons with Disabilities, the
  509  Department of Education, the Department of Elderly Affairs, and
  510  the Department of Children and Families.
  511         2.To support military members, veterans, and their
  512  families.
  513         (4)Upon the adoption of the enterprise architecture
  514  standards in rule, the department, acting through the Florida
  515  Digital Service, may develop a process to:
  516         (a)Receive written notice from the entities within the
  517  enterprise of any planned procurement of an information
  518  technology project that is subject to enterprise architecture
  519  standards.
  520         (b)Participate in the development of specifications and
  521  recommend modifications to any planned procurement by state
  522  agencies so that the procurement complies with the enterprise
  523  architecture.
  524         (5)The department, acting through the Florida Digital
  525  Service, may not retrieve or disclose any data without a shared
  526  data agreement in place between the department and the
  527  enterprise entity that has primary custodial responsibility of,
  528  or data-sharing responsibility for, that data.
  529         (6)The department, acting through the Florida Digital
  530  Service, shall adopt rules to administer this section.
  531         (19) Adopt rules to administer this section.
  532         Section 5. Section 282.00515, Florida Statutes, is amended
  533  to read:
  534         282.00515 Duties of Cabinet agencies.—
  535         (1) The Department of Legal Affairs, the Department of
  536  Financial Services, and the Department of Agriculture and
  537  Consumer Services shall adopt the standards established in s.
  538  282.0051(1)(b), (c), and (s) and (3)(e) s. 282.0051(2), (3), and
  539  (7) or adopt alternative standards based on best practices and
  540  industry standards that allow for open data interoperability.
  541         (2) If the Department of Legal Affairs, the Department of
  542  Financial Services, or the Department of Agriculture and
  543  Consumer Services adopts alternative standards in lieu of the
  544  enterprise architecture standards adopted pursuant to s.
  545  282.0051, such department must notify the Governor, the
  546  President of the Senate, and the Speaker of the House of
  547  Representatives in writing of the adoption of the alternative
  548  standards and provide a justification for adoption of the
  549  alternative standards and explain how the agency will achieve
  550  open data interoperability.
  551         (3)The Department of Legal Affairs, the Department of
  552  Financial Services, and the Department of Agriculture and
  553  Consumer Services, and may contract with the department to
  554  provide or perform any of the services and functions described
  555  in s. 282.0051 for the Department of Legal Affairs, the
  556  Department of Financial Services, or the Department of
  557  Agriculture and Consumer Services.
  558         (4)(a)Nothing in this section or in s. 282.0051 requires
  559  the Department of Legal Affairs, the Department of Financial
  560  Services, or the Department of Agriculture and Consumer Services
  561  to integrate with information technology outside its own
  562  department or with the Florida Digital Service.
  563         (b)The department, acting through the Florida Digital
  564  Service, may not retrieve or disclose any data without a shared
  565  data agreement in place between the department and the
  566  Department of Legal Affairs, the Department of Financial
  567  Services, or the Department of Agriculture and Consumer
  568  Services.
  569         Section 6. Paragraph (a) of subsection (3), paragraphs (d),
  570  (e), (g), and (j) of subsection (4), and subsection (5) of
  571  section 282.318, Florida Statutes, are amended to read:
  572         282.318 Security of data and information technology.—
  573         (3) The department is responsible for establishing
  574  standards and processes consistent with generally accepted best
  575  practices for information technology security, to include
  576  cybersecurity, and adopting rules that safeguard an agency’s
  577  data, information, and information technology resources to
  578  ensure availability, confidentiality, and integrity and to
  579  mitigate risks. The department shall also:
  580         (a) Designate an employee of the Florida Digital Service as
  581  the a state chief information security officer. The state chief
  582  information security officer who must have experience and
  583  expertise in security and risk management for communications and
  584  information technology resources.
  585         (4) Each state agency head shall, at a minimum:
  586         (d) Conduct, and update every 3 years, a comprehensive risk
  587  assessment, which may be completed by a private sector vendor,
  588  to determine the security threats to the data, information, and
  589  information technology resources, including mobile devices and
  590  print environments, of the agency. The risk assessment must
  591  comply with the risk assessment methodology developed by the
  592  department and is confidential and exempt from s. 119.07(1),
  593  except that such information shall be available to the Auditor
  594  General, the Florida Digital Service Division of State
  595  Technology within the department, the Cybercrime Office of the
  596  Department of Law Enforcement, and, for state agencies under the
  597  jurisdiction of the Governor, the Chief Inspector General.
  598         (e) Develop, and periodically update, written internal
  599  policies and procedures, which include procedures for reporting
  600  information technology security incidents and breaches to the
  601  Cybercrime Office of the Department of Law Enforcement and the
  602  Florida Digital Service Division of State Technology within the
  603  department. Such policies and procedures must be consistent with
  604  the rules, guidelines, and processes established by the
  605  department to ensure the security of the data, information, and
  606  information technology resources of the agency. The internal
  607  policies and procedures that, if disclosed, could facilitate the
  608  unauthorized modification, disclosure, or destruction of data or
  609  information technology resources are confidential information
  610  and exempt from s. 119.07(1), except that such information shall
  611  be available to the Auditor General, the Cybercrime Office of
  612  the Department of Law Enforcement, the Florida Digital Service
  613  Division of State Technology within the department, and, for
  614  state agencies under the jurisdiction of the Governor, the Chief
  615  Inspector General.
  616         (g) Ensure that periodic internal audits and evaluations of
  617  the agency’s information technology security program for the
  618  data, information, and information technology resources of the
  619  agency are conducted. The results of such audits and evaluations
  620  are confidential information and exempt from s. 119.07(1),
  621  except that such information shall be available to the Auditor
  622  General, the Cybercrime Office of the Department of Law
  623  Enforcement, the Florida Digital Service Division of State
  624  Technology within the department, and, for agencies under the
  625  jurisdiction of the Governor, the Chief Inspector General.
  626         (j) Develop a process for detecting, reporting, and
  627  responding to threats, breaches, or information technology
  628  security incidents which is consistent with the security rules,
  629  guidelines, and processes established by the department Agency
  630  for State Technology.
  631         1. All information technology security incidents and
  632  breaches must be reported to the Florida Digital Service
  633  Division of State Technology within the department and the
  634  Cybercrime Office of the Department of Law Enforcement and must
  635  comply with the notification procedures and reporting timeframes
  636  established pursuant to paragraph (3)(c).
  637         2. For information technology security breaches, state
  638  agencies shall provide notice in accordance with s. 501.171.
  639         3. Records held by a state agency which identify detection,
  640  investigation, or response practices for suspected or confirmed
  641  information technology security incidents, including suspected
  642  or confirmed breaches, are confidential and exempt from s.
  643  119.07(1) and s. 24(a), Art. I of the State Constitution, if the
  644  disclosure of such records would facilitate unauthorized access
  645  to or the unauthorized modification, disclosure, or destruction
  646  of:
  647         a. Data or information, whether physical or virtual; or
  648         b. Information technology resources, which includes:
  649         (I) Information relating to the security of the agency’s
  650  technologies, processes, and practices designed to protect
  651  networks, computers, data processing software, and data from
  652  attack, damage, or unauthorized access; or
  653         (II) Security information, whether physical or virtual,
  654  which relates to the agency’s existing or proposed information
  655  technology systems.
  656  
  657  Such records shall be available to the Auditor General, the
  658  Florida Digital Service Division of State Technology within the
  659  department, the Cybercrime Office of the Department of Law
  660  Enforcement, and, for state agencies under the jurisdiction of
  661  the Governor, the Chief Inspector General. Such records may be
  662  made available to a local government, another state agency, or a
  663  federal agency for information technology security purposes or
  664  in furtherance of the state agency’s official duties. This
  665  exemption applies to such records held by a state agency before,
  666  on, or after the effective date of this exemption. This
  667  subparagraph is subject to the Open Government Sunset Review Act
  668  in accordance with s. 119.15 and shall stand repealed on October
  669  2, 2021, unless reviewed and saved from repeal through
  670  reenactment by the Legislature.
  671         (5) The portions of risk assessments, evaluations, external
  672  audits, and other reports of a state agency’s information
  673  technology security program for the data, information, and
  674  information technology resources of the state agency which are
  675  held by a state agency are confidential and exempt from s.
  676  119.07(1) and s. 24(a), Art. I of the State Constitution if the
  677  disclosure of such portions of records would facilitate
  678  unauthorized access to or the unauthorized modification,
  679  disclosure, or destruction of:
  680         (a) Data or information, whether physical or virtual; or
  681         (b) Information technology resources, which include:
  682         1. Information relating to the security of the agency’s
  683  technologies, processes, and practices designed to protect
  684  networks, computers, data processing software, and data from
  685  attack, damage, or unauthorized access; or
  686         2. Security information, whether physical or virtual, which
  687  relates to the agency’s existing or proposed information
  688  technology systems.
  689  
  690  Such portions of records shall be available to the Auditor
  691  General, the Cybercrime Office of the Department of Law
  692  Enforcement, the Florida Digital Service Division of State
  693  Technology within the department, and, for agencies under the
  694  jurisdiction of the Governor, the Chief Inspector General. Such
  695  portions of records may be made available to a local government,
  696  another state agency, or a federal agency for information
  697  technology security purposes or in furtherance of the state
  698  agency’s official duties. For purposes of this subsection,
  699  “external audit” means an audit that is conducted by an entity
  700  other than the state agency that is the subject of the audit.
  701  This exemption applies to such records held by a state agency
  702  before, on, or after the effective date of this exemption. This
  703  subsection is subject to the Open Government Sunset Review Act
  704  in accordance with s. 119.15 and shall stand repealed on October
  705  2, 2021, unless reviewed and saved from repeal through
  706  reenactment by the Legislature.
  707         Section 7. Subsection (4) of section 287.0591, Florida
  708  Statutes, is amended to read:
  709         287.0591 Information technology.—
  710         (4) If the department issues a competitive solicitation for
  711  information technology commodities, consultant services, or
  712  staff augmentation contractual services, the Florida Digital
  713  Service Division of State Technology within the department shall
  714  participate in such solicitations.
  715         Section 8. Paragraph (a) of subsection (3) of section
  716  365.171, Florida Statutes, is amended to read:
  717         365.171 Emergency communications number E911 state plan.—
  718         (3) DEFINITIONS.—As used in this section, the term:
  719         (a) “Office” means the Division of Telecommunications State
  720  Technology within the Department of Management Services, as
  721  designated by the secretary of the department.
  722         Section 9. Paragraph (s) of subsection (3) of section
  723  365.172, Florida Statutes, is amended to read:
  724         365.172 Emergency communications number “E911.”—
  725         (3) DEFINITIONS.—Only as used in this section and ss.
  726  365.171, 365.173, 365.174, and 365.177, the term:
  727         (s) “Office” means the Division of Telecommunications State
  728  Technology within the Department of Management Services, as
  729  designated by the secretary of the department.
  730         Section 10. Paragraph (a) of subsection (1) of section
  731  365.173, Florida Statutes, is amended to read:
  732         365.173 Communications Number E911 System Fund.—
  733         (1) REVENUES.—
  734         (a) Revenues derived from the fee levied on subscribers
  735  under s. 365.172(8) must be paid by the board into the State
  736  Treasury on or before the 15th day of each month. Such moneys
  737  must be accounted for in a special fund to be designated as the
  738  Emergency Communications Number E911 System Fund, a fund created
  739  in the Division of Telecommunications State Technology, or other
  740  office as designated by the Secretary of Management Services.
  741         Section 11. Subsection (5) of section 943.0415, Florida
  742  Statutes, is amended to read:
  743         943.0415 Cybercrime Office.—There is created within the
  744  Department of Law Enforcement the Cybercrime Office. The office
  745  may:
  746         (5) Consult with the Florida Digital Service Division of
  747  State Technology within the Department of Management Services in
  748  the adoption of rules relating to the information technology
  749  security provisions in s. 282.318.
  750         Section 12. Effective January 1, 2021, section 559.952,
  751  Florida Statutes, is created to read:
  752         559.952 Financial Technology Sandbox.—
  753         (1) SHORT TITLE.—This section may be cited as the
  754  “Financial Technology Sandbox.”
  755         (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
  756  created the Financial Technology Sandbox within the Office of
  757  Financial Regulation to allow financial technology innovators to
  758  test new products and services in a supervised, flexible
  759  regulatory sandbox using exceptions to specified general law and
  760  waivers of the corresponding rule requirements under defined
  761  conditions. The creation of a supervised, flexible regulatory
  762  sandbox provides a welcoming business environment for technology
  763  innovators and may lead to significant business growth.
  764         (3) DEFINITIONS.—As used in this section, the term:
  765         (a) “Business entity” means a domestic corporation or other
  766  organized domestic entity with a physical presence, other than
  767  that of a registered office or agent or virtual mailbox, in this
  768  state.
  769         (b) “Commission” means the Financial Services Commission.
  770         (c) “Consumer” means a person in this state, whether a
  771  natural person or a business organization, who purchases, uses,
  772  receives, or enters into an agreement to purchase, use, or
  773  receive an innovative financial product or service made
  774  available through the Financial Technology Sandbox.
  775         (d) “Control person” means an individual, a partnership, a
  776  corporation, a trust, or other organization that possesses the
  777  power, directly or indirectly, to direct the management or
  778  policies of a company, whether through ownership of securities,
  779  by contract, or through other means. A person is presumed to
  780  control a company if, with respect to a particular company, that
  781  person:
  782         1. Is a director, a general partner, or an officer
  783  exercising executive responsibility or having similar status or
  784  functions;
  785         2. Directly or indirectly may vote 10 percent or more of a
  786  class of a voting security or sell or direct the sale of 10
  787  percent or more of a class of voting securities; or
  788         3. In the case of a partnership, may receive upon
  789  dissolution or has contributed 10 percent or more of the
  790  capital.
  791         (e) “Corresponding rule requirements” means the commission
  792  rules, or portions thereof, which implement the general laws
  793  enumerated in paragraph (4)(a).
  794         (f) “Financial product or service” means a product or
  795  service related to a consumer finance loan, as defined in s.
  796  516.01, or a money transmitter or payment instrument seller, as
  797  those terms are defined in s. 560.103, including mediums of
  798  exchange that are in electronic or digital form, which is
  799  subject to the general laws enumerated in paragraph (4)(a) and
  800  corresponding rule requirements and which is under the
  801  jurisdiction of the office.
  802         (g) “Financial Technology Sandbox” means the program
  803  created by this section which allows a licensee to make an
  804  innovative financial product or service available to consumers
  805  during a sandbox period through exceptions to general laws and
  806  waivers of corresponding rule requirements.
  807         (h) “Innovative” means new or emerging technology, or new
  808  uses of existing technology, which provide a product, service,
  809  business model, or delivery mechanism to the public and which
  810  are not known to have a comparable offering in this state
  811  outside the Financial Technology Sandbox.
  812         (i) “Licensee” means a business entity that has been
  813  approved by the office to participate in the Financial
  814  Technology Sandbox.
  815         (j) “Office” means, unless the context clearly indicates
  816  otherwise, the Office of Financial Regulation.
  817         (k) “Sandbox period” means the initial 24-month period in
  818  which the office has authorized a licensee to make an innovative
  819  financial product or service available to consumers, and any
  820  extension granted pursuant to subsection (7).
  821         (4) EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
  822  REQUIREMENTS.—
  823         (a) Notwithstanding any other law, upon approval of a
  824  Financial Technology Sandbox application, the following
  825  provisions and corresponding rule requirements are not
  826  applicable to the licensee during the sandbox period:
  827         1. Section 516.03(1), except for the application fee, the
  828  investigation fee, the requirement to provide the social
  829  security numbers of control persons, evidence of liquid assets
  830  of at least $25,000, and the office’s authority to investigate
  831  the applicant’s background. The office may prorate the license
  832  renewal fee for an extension granted under subsection (7).
  833         2. Section 516.05(1) and (2), except that the office shall
  834  investigate the applicant’s background.
  835         3. Section 560.109, only to the extent that the section
  836  requires the office to examine a licensee at least once every 5
  837  years.
  838         4. Section 560.118(2).
  839         5. Section 560.125(1), only to the extent that subsection
  840  would prohibit a licensee from engaging in the business of a
  841  money transmitter or payment instrument seller during the
  842  sandbox period.
  843         6. Section 560.125(2), only to the extent that subsection
  844  would prohibit a licensee from appointing an authorized vendor
  845  during the sandbox period. Any authorized vendor of such a
  846  licensee during the sandbox period remains liable to the holder
  847  or remitter.
  848         7. Section 560.128.
  849         8. Section 560.141, except for s. 560.141(1)(a)1., 3., 7.
  850  10. and (b), (c), and (d).
  851         9. Section 560.142(1) and (2), except that the office may
  852  prorate, but may not entirely eliminate, the license renewal
  853  fees in s. 560.143 for an extension granted under subsection
  854  (7).
  855         10. Section 560.143(2), only to the extent necessary for
  856  proration of the renewal fee under subparagraph 9.
  857         11. Section 560.204(1), only to the extent that subsection
  858  would prohibit a licensee from engaging in, or advertising that
  859  it engages in, the selling or issuing of payment instruments or
  860  in the activity of a money transmitter during the sandbox
  861  period.
  862         12. Section 560.205(2).
  863         13. Section 560.208(2).
  864         14. Section 560.209, only to the extent that the office may
  865  modify, but may not entirely eliminate, the net worth, corporate
  866  surety bond, and collateral deposit amounts required under that
  867  section. The modified amounts must be in such lower amounts that
  868  the office determines to be commensurate with the factors under
  869  paragraph (5)(c) and the maximum number of consumers authorized
  870  to receive the financial product or service under this section.
  871         (b) The office may approve a Financial Technology Sandbox
  872  application if one or more of the general laws enumerated in
  873  paragraph (a) currently prevent the innovative financial product
  874  or service from being made available to consumers and if all
  875  other requirements of this section are met.
  876         (c) A licensee may conduct business through electronic
  877  means, including through the Internet or a software application.
  878         (5) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
  879  APPROVAL.—
  880         (a) Before filing an application for licensure under this
  881  section, a substantially affected person may seek a declaratory
  882  statement pursuant to s. 120.565 regarding the applicability of
  883  a statute, a rule, or an agency order to the petitioner’s
  884  particular set of circumstances or a variance or waiver of a
  885  rule pursuant to s. 120.542.
  886         (b) Before making an innovative financial product or
  887  service available to consumers in the Financial Technology
  888  Sandbox, a business entity must file with the office an
  889  application for licensure under the Financial Technology
  890  Sandbox. The commission shall, by rule, prescribe the form and
  891  manner of the application and how the office will evaluate and
  892  apply each of the factors specified in paragraph (c).
  893         1. The application must specify each general law enumerated
  894  in paragraph (4)(a) which currently prevents the innovative
  895  financial product or service from being made available to
  896  consumers and the reasons why those provisions of general law
  897  prevent the innovative financial product or service from being
  898  made available to consumers.
  899         2. The application must contain sufficient information for
  900  the office to evaluate the factors specified in paragraph (c).
  901         3. An application submitted on behalf of a business entity
  902  must include evidence that the business entity has authorized
  903  the person to submit the application on behalf of the business
  904  entity intending to make an innovative financial product or
  905  service available to consumers.
  906         4. The application must specify the maximum number of
  907  consumers, which may not exceed the number of consumers
  908  specified in paragraph (f), to whom the applicant proposes to
  909  provide the innovative financial product or service.
  910         5. The application must include a proposed draft of the
  911  statement or statements meeting the requirements of paragraph
  912  (6)(b) which the applicant proposes to provide to consumers.
  913         (c) The office shall approve or deny in writing a Financial
  914  Technology Sandbox application within 60 days after receiving
  915  the completed application. The office and the applicant may
  916  jointly agree to extend the time beyond 60 days. Consistent with
  917  this section, the office may impose conditions on any approval.
  918  In deciding whether to approve or deny an application for
  919  licensure, the office must consider each of the following:
  920         1. The nature of the innovative financial product or
  921  service proposed to be made available to consumers in the
  922  Financial Technology Sandbox, including all relevant technical
  923  details.
  924         2. The potential risk to consumers and the methods that
  925  will be used to protect consumers and resolve complaints during
  926  the sandbox period.
  927         3. The business plan proposed by the applicant, including
  928  company information, market analysis, and financial projections
  929  or pro forma financial statements, and evidence of the financial
  930  viability of the applicant.
  931         4. Whether the applicant has the necessary personnel,
  932  adequate financial and technical expertise, and a sufficient
  933  plan to test, monitor, and assess the innovative financial
  934  product or service.
  935         5. Whether any control person of the applicant, regardless
  936  of adjudication, has pled no contest to, has been convicted or
  937  found guilty of, or is currently under investigation for fraud,
  938  a state or federal securities violation, a property-based
  939  offense, or a crime involving moral turpitude or dishonest
  940  dealing, in which case the application to the Financial
  941  Technology Sandbox must be denied.
  942         6. A copy of the disclosures that will be provided to
  943  consumers under paragraph (6)(b).
  944         7. The financial responsibility of the applicant and any
  945  control person, including whether the applicant or any control
  946  person has a history of unpaid liens, unpaid judgments, or other
  947  general history of nonpayment of legal debts, including, but not
  948  limited to, having been the subject of a petition for bankruptcy
  949  under the United States Bankruptcy Code within the past 7
  950  calendar years.
  951         8. Any other factor that the office determines to be
  952  relevant.
  953         (d) The office may not approve an application if:
  954         1. The applicant had a prior Financial Technology Sandbox
  955  application that was approved and that related to a
  956  substantially similar financial product or service;
  957         2. Any control person of the applicant was substantially
  958  involved in the development, operation, or management with
  959  another Financial Technology Sandbox applicant whose application
  960  was approved and whose application related to a substantially
  961  similar financial product or service; or
  962         3. The applicant or any control person has failed to
  963  affirmatively demonstrate financial responsibility.
  964         (e) Upon approval of an application, the office shall
  965  notify the licensee that the licensee is exempt from the
  966  provisions of general law enumerated in paragraph (4)(a) and the
  967  corresponding rule requirements during the sandbox period. The
  968  office shall post on its website notice of the approval of the
  969  application, a summary of the innovative financial product or
  970  service, and the contact information of the licensee.
  971         (f) The office, on a case-by-case basis, shall specify the
  972  maximum number of consumers authorized to receive an innovative
  973  financial product or service, after consultation with the
  974  Financial Technology Sandbox applicant. The office may not
  975  authorize more than 15,000 consumers to receive the financial
  976  product or service until the licensee has filed the first report
  977  required under subsection (8). After the filing of that report,
  978  if the licensee demonstrates adequate financial capitalization,
  979  risk management processes, and management oversight, the office
  980  may authorize up to 25,000 consumers to receive the financial
  981  product or service.
  982         (g) A licensee has a continuing obligation to promptly
  983  inform the office of any material change to the information
  984  provided under paragraph (b).
  985         (6) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
  986         (a) A licensee may make an innovative financial product or
  987  service available to consumers during the sandbox period.
  988         (b)1. Before a consumer purchases, uses, receives, or
  989  enters into an agreement to purchase, use, or receive an
  990  innovative financial product or service through the Financial
  991  Technology Sandbox, the licensee must provide a written
  992  statement of all of the following to the consumer:
  993         a. The name and contact information of the licensee.
  994         b. That the financial product or service has been
  995  authorized to be made available to consumers for a temporary
  996  period by the office, under the laws of this state.
  997         c. That the state does not endorse the financial product or
  998  service.
  999         d. That the financial product or service is undergoing
 1000  testing, may not function as intended, and may entail financial
 1001  risk.
 1002         e. That the licensee is not immune from civil liability for
 1003  any losses or damages caused by the financial product or
 1004  service.
 1005         f. The expected end date of the sandbox period.
 1006         g. The contact information for the office and notification
 1007  that suspected legal violations, complaints, or other comments
 1008  related to the financial product or service may be submitted to
 1009  the office.
 1010         h. Any other statements or disclosures required by rule of
 1011  the commission which are necessary to further the purposes of
 1012  this section.
 1013         2. The written statement under subparagraph 1. must contain
 1014  an acknowledgment from the consumer, which must be retained for
 1015  the duration of the sandbox period by the licensee.
 1016         (c) The office may enter into an agreement with a state,
 1017  federal, or foreign regulatory agency to allow licensees under
 1018  the Financial Technology Sandbox to make their products or
 1019  services available in other jurisdictions. The commission shall
 1020  adopt rules to implement this paragraph.
 1021         (d) The office may examine the records of a licensee at any
 1022  time, with or without prior notice.
 1023         (7) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
 1024         (a) A licensee may apply for one extension of the initial
 1025  24-month sandbox period for 12 additional months for a purpose
 1026  specified in subparagraph (b)1. or subparagraph (b)2. A complete
 1027  application for an extension must be filed with the office at
 1028  least 90 days before the conclusion of the initial sandbox
 1029  period. The office shall approve or deny the application for
 1030  extension in writing at least 35 days before the conclusion of
 1031  the initial sandbox period. In determining whether to approve or
 1032  deny an application for extension of the sandbox period, the
 1033  office must, at a minimum, consider the current status of the
 1034  factors previously considered under paragraph (5)(c).
 1035         (b) An application for an extension under paragraph (a)
 1036  must cite one of the following reasons as the basis for the
 1037  application and must provide all relevant supporting
 1038  information:
 1039         1. Amendments to general law or rules are necessary to
 1040  offer the innovative financial product or service in this state
 1041  permanently.
 1042         2. An application for a license that is required in order
 1043  to offer the innovative financial product or service in this
 1044  state permanently has been filed with the office and approval is
 1045  pending.
 1046         (c) At least 30 days before the conclusion of the initial
 1047  24-month sandbox period or the extension, whichever is later, a
 1048  licensee shall provide written notification to consumers
 1049  regarding the conclusion of the initial sandbox period or the
 1050  extension and may not make the financial product or service
 1051  available to any new consumers after the conclusion of the
 1052  initial sandbox period or the extension, whichever is later,
 1053  until legal authority outside of the Financial Technology
 1054  Sandbox exists for the licensee to make the financial product or
 1055  service available to consumers. After the conclusion of the
 1056  sandbox period or the extension, whichever is later, the
 1057  business entity formerly licensed under the Financial Technology
 1058  Sandbox may:
 1059         1. Collect and receive money owed to the business entity or
 1060  pay money owed by the business entity, based on agreements with
 1061  consumers made before the conclusion of the sandbox period or
 1062  the extension.
 1063         2. Take necessary legal action.
 1064         3. Take other actions authorized by commission rule which
 1065  are not inconsistent with this section.
 1066         (8) REPORT.—A licensee shall submit a report to the office
 1067  twice a year as prescribed by commission rule. The report must,
 1068  at a minimum, include financial reports and the number of
 1069  consumers who have received the financial product or service.
 1070         (9) CONSTRUCTION.—A business entity whose Financial
 1071  Technology Sandbox application is approved under this section:
 1072         (a) Is licensed under chapter 516, chapter 560, or both
 1073  chapters 516 and 560, as applicable to the business entity’s
 1074  activities.
 1075         (b) Is subject to any provision of chapter 516 or chapter
 1076  560 not specifically excepted under paragraph (4)(a), as
 1077  applicable to the business entity’s activities, and must comply
 1078  with such provisions.
 1079         (c) May not engage in activities authorized under part III
 1080  of chapter 560, notwithstanding s. 560.204(2).
 1081         (10) VIOLATIONS AND PENALTIES.—
 1082         (a) A licensee who makes an innovative financial product or
 1083  service available to consumers in the Financial Technology
 1084  Sandbox remains subject to:
 1085         1. Civil damages for acts and omissions arising from or
 1086  related to any innovative financial product or services provided
 1087  or made available by the licensee or relating to this section.
 1088         2. All criminal and consumer protection laws and any other
 1089  statute not specifically excepted under paragraph (4)(a).
 1090         (b)1. The office may, by order, revoke or suspend a
 1091  licensee’s approval to participate in the Financial Technology
 1092  Sandbox if:
 1093         a. The licensee has violated or refused to comply with this
 1094  section, any statute not specifically excepted under paragraph
 1095  (4)(a), a rule of the commission that has not been waived, an
 1096  order of the office, or a condition placed by the office on the
 1097  approval of the licensee’s Financial Technology Sandbox
 1098  application;
 1099         b. A fact or condition exists that, if it had existed or
 1100  become known at the time that the Financial Technology Sandbox
 1101  application was pending, would have warranted denial of the
 1102  application or the imposition of material conditions;
 1103         c. A material error, false statement, misrepresentation, or
 1104  material omission was made in the Financial Technology Sandbox
 1105  application; or
 1106         d. After consultation with the licensee, the office
 1107  determines that continued testing of the innovative financial
 1108  product or service would:
 1109         (I) Be likely to harm consumers; or
 1110         (II) No longer serve the purposes of this section because
 1111  of the financial or operational failure of the financial product
 1112  or service.
 1113         2. Written notice of a revocation or suspension order made
 1114  under subparagraph 1. must be served using any means authorized
 1115  by law. If the notice relates to a suspension, the notice must
 1116  include any condition or remedial action that the licensee must
 1117  complete before the office lifts the suspension.
 1118         (c) The office may refer any suspected violation of law to
 1119  an appropriate state or federal agency for investigation,
 1120  prosecution, civil penalties, and other appropriate enforcement
 1121  action.
 1122         (d) If service of process on a licensee is not feasible,
 1123  service on the office is deemed service on the licensee.
 1124         (11) RULES AND ORDERS.—
 1125         (a) The commission shall adopt rules to administer this
 1126  section before approving any application under this section.
 1127         (b) The office may issue all necessary orders to enforce
 1128  this section and may enforce these orders in accordance with
 1129  chapter 120 or in any court of competent jurisdiction. These
 1130  orders include, but are not limited to, orders for payment of
 1131  restitution for harm suffered by consumers as a result of an
 1132  innovative financial product or service.
 1133         Section 13. For the 2020-2021 fiscal year, the sum of
 1134  $50,000 in nonrecurring funds is appropriated from the
 1135  Administrative Trust Fund to the Office of Financial Regulation
 1136  to implement s. 559.952, Florida Statutes, as created by this
 1137  act.
 1138         Section 14. The creation of s. 559.952, Florida Statutes,
 1139  and the appropriation to implement s. 559.952, Florida Statutes,
 1140  by this act shall take effect only if SB 1872 or similar
 1141  legislation takes effect and if such legislation is adopted in
 1142  the same legislative session or an extension thereof and becomes
 1143  a law.
 1144         Section 15. Except as otherwise expressly provided in this
 1145  act, this act shall take effect July 1, 2020.
 1146  
 1147  ================= T I T L E  A M E N D M E N T ================
 1148  And the title is amended as follows:
 1149         Delete everything before the enacting clause
 1150  and insert:
 1151                        A bill to be entitled                      
 1152         An act relating to technology innovation; amending s.
 1153         20.22, F.S.; establishing the Florida Digital Service
 1154         and the Division of Telecommunications within the
 1155         Department of Management Services; abolishing the
 1156         Division of State Technology within the department;
 1157         amending s. 110.205, F.S.; exempting the state chief
 1158         data officer and the state chief information security
 1159         officer within the Florida Digital Service from the
 1160         Career Service System; providing for the salary and
 1161         benefits of such positions to be set by the
 1162         department; amending s. 282.0041, F.S.; defining
 1163         terms; revising the definition of the term “open
 1164         data”; amending s. 282.0051, F.S.; revising
 1165         information technology-related powers, duties, and
 1166         functions of the department acting through the Florida
 1167         Digital Service; specifying the designation of the
 1168         state chief information officer and the state chief
 1169         data officer; specifying qualifications for such
 1170         positions; specifying requirements, contingent upon
 1171         legislative appropriation, for the department;
 1172         authorizing the department to develop a certain
 1173         process; prohibiting the department from retrieving or
 1174         disclosing any data without a certain shared-data
 1175         agreement in place; specifying rulemaking authority
 1176         for the department; amending s. 282.00515, F.S.;
 1177         requiring the Department of Legal Affairs, the
 1178         Department of Financial Services, or the Department of
 1179         Agriculture and Consumer Services to notify the
 1180         Governor and the Legislature and provide a certain
 1181         justification and explanation if such agency adopts
 1182         alternative standards to certain enterprise
 1183         architecture standards; providing construction;
 1184         prohibiting the department from retrieving or
 1185         disclosing any data without a certain shared-data
 1186         agreement in place; conforming a cross-reference;
 1187         amending ss. 282.318, 287.0591, 365.171, 365.172,
 1188         365.173, and 943.0415, F.S.; conforming provisions to
 1189         changes made by the act; creating s. 559.952, F.S.;
 1190         providing a short title; creating the Financial
 1191         Technology Sandbox within the Office of Financial
 1192         Regulation; defining terms; requiring the office, if
 1193         certain conditions are met, to grant a license to a
 1194         Financial Technology Sandbox applicant, grant
 1195         exceptions to specified provisions of general law
 1196         relating to consumer finance loans and money services
 1197         businesses, and grant waivers of certain rules;
 1198         authorizing a substantially affected person to seek a
 1199         declaratory statement before applying to the Financial
 1200         Technology Sandbox; specifying application
 1201         requirements and procedures; specifying requirements
 1202         and procedures for the office in reviewing and
 1203         approving or denying applications; providing
 1204         requirements for the office in specifying the number
 1205         of the consumers authorized to receive an innovative
 1206         financial product or service; specifying authorized
 1207         actions of, limitations on, and requirements for
 1208         licensees operating in the Financial Technology
 1209         Sandbox; requiring licensees to make a specified
 1210         disclosure to consumers; authorizing the office to
 1211         enter into certain agreements with other regulatory
 1212         agencies; authorizing the office to examine licensee
 1213         records; authorizing a licensee to apply for one
 1214         extension of an initial sandbox period for a certain
 1215         timeframe; specifying requirements and procedures for
 1216         applying for an extension; specifying requirements and
 1217         procedures for, and authorized actions of, licensees
 1218         when concluding a sandbox period or extension;
 1219         requiring licensees to submit certain reports to the
 1220         office at specified intervals; providing construction;
 1221         specifying the liability of a licensee; authorizing
 1222         the office to take certain disciplinary actions
 1223         against a licensee under certain circumstances;
 1224         providing construction relating to service of process;
 1225         specifying the rulemaking authority of the Financial
 1226         Services Commission; providing the office authority to
 1227         issue orders and enforce the orders; providing an
 1228         appropriation; providing that specified provisions of
 1229         the act are contingent upon passage of other
 1230         provisions addressing public records; providing
 1231         effective dates.