Florida Senate - 2020                        COMMITTEE AMENDMENT
       Bill No. SB 1870
       
       
       
       
       
       
       
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                   Comm: RS            .                                
                  02/12/2020           .                                
                                       .                                
                                       .                                
                                       .                                
       —————————————————————————————————————————————————————————————————
       The Committee on Innovation, Industry, and Technology (Hutson)
       recommended the following:
       
    1         Senate Amendment (with title amendment)
    2  
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Subsection (2) of section 20.22, Florida
    6  Statutes, is amended to read:
    7         20.22 Department of Management Services.—There is created a
    8  Department of Management Services.
    9         (2) The following divisions and programs within the
   10  Department of Management Services shall consist of the following
   11  are established:
   12         (a) The Facilities Program.
   13         (b) The Division of Telecommunications State Technology,
   14  the director of which is appointed by the secretary of the
   15  department and shall serve as the state chief information
   16  officer. The state chief information officer must be a proven,
   17  effective administrator who must have at least 10 years of
   18  executive-level experience in the public or private sector,
   19  preferably with experience in the development of information
   20  technology strategic planning and the development and
   21  implementation of fiscal and substantive information technology
   22  policy and standards.
   23         (c) The Workforce Program.
   24         (d)1. The Support Program.
   25         2. The Federal Property Assistance Program.
   26         (e) The Administration Program.
   27         (f) The Division of Administrative Hearings.
   28         (g) The Division of Retirement.
   29         (h) The Division of State Group Insurance.
   30         (i) The Florida Digital Service.
   31         Section 2. Section 282.0051, Florida Statutes, is amended
   32  to read:
   33         282.0051 Florida Digital Service Department of Management
   34  Services; powers, duties, and functions.—There is established
   35  the Florida Digital Service within the department to create
   36  innovative solutions that securely modernize state government
   37  and achieve value through digital transformation and
   38  interoperability.
   39         (1) As used in this section, the term:
   40         (a) “Credential service provider” means a provider
   41  competitively procured by the department to supply secure
   42  identity management and verification services based on open
   43  standards to qualified entities.
   44         (b) “Data call” means an electronic transaction with the
   45  credential service provider which verifies the authenticity of a
   46  digital identity by querying enterprise data.
   47         (c) “Electronic” means technology having electrical,
   48  digital, magnetic, wireless, optical, electromagnetic, or
   49  similar capabilities.
   50         (d) “Electronic credential” means an electronic
   51  representation of a physical driver license or identification
   52  card which is viewable in an electronic format and is capable of
   53  being verified and authenticated.
   54         (e) “Electronic credential provider” means a qualified
   55  entity contracted with the department to provide electronic
   56  credentials to eligible driver license or identification card
   57  holders.
   58         (f) “Enterprise” means the collection of state agencies as
   59  defined in s. 282.0041, except that the term includes the
   60  Department of Legal Affairs, the Department of Agriculture and
   61  Consumer Services, the Department of Financial Services, and the
   62  judicial branch.
   63         (g) “Enterprise architecture” means a comprehensive
   64  operational framework that contemplates the needs and assets of
   65  the enterprise to support interoperability across state
   66  government.
   67         (h) “Interoperability” means the technical ability to share
   68  and use data across and throughout the enterprise.
   69         (i) “Qualified entity” means a public or private entity or
   70  individual that enters into a binding agreement with the
   71  department, meets usage criteria, agrees to terms and
   72  conditions, and is subsequently and prescriptively authorized by
   73  the department to access data under the terms of that agreement.
   74         (2) The Florida Digital Service department shall have the
   75  following powers, duties, and functions in full support of the
   76  cloud-first policy as described in s. 282.206:
   77         (a)(1) Develop and publish information technology policy
   78  for the management of the state’s information technology
   79  resources.
   80         (b)(2) Establish and publish information technology
   81  architecture standards to provide for the most efficient use of
   82  the state’s information technology resources and to ensure
   83  compatibility and alignment with the needs of state agencies.
   84  The Florida Digital Service department shall assist state
   85  agencies in complying with the standards.
   86         (c)(3) Establish project management and oversight standards
   87  with which state agencies must comply when implementing projects
   88  that have an information technology component projects. The
   89  Florida Digital Service department shall provide training
   90  opportunities to state agencies to assist in the adoption of the
   91  project management and oversight standards. To support data
   92  driven decisionmaking, the standards must include, but are not
   93  limited to:
   94         1.(a) Performance measurements and metrics that objectively
   95  reflect the status of a project with an information technology
   96  component project based on a defined and documented project
   97  scope, cost, and schedule.
   98         2.(b) Methodologies for calculating acceptable variances in
   99  the projected versus actual scope, schedule, or cost of a
  100  project with an information technology component project.
  101         3.(c) Reporting requirements, including requirements
  102  designed to alert all defined stakeholders that a project with
  103  an information technology component project has exceeded
  104  acceptable variances defined and documented in a project plan.
  105         4.(d) Content, format, and frequency of project updates.
  106         (d)(4) Perform project oversight on all state agency
  107  information technology projects that have an information
  108  technology component and a total project cost costs of $10
  109  million or more and that are funded in the General
  110  Appropriations Act or any other law. The Florida Digital Service
  111  department shall report at least quarterly to the Executive
  112  Office of the Governor, the President of the Senate, and the
  113  Speaker of the House of Representatives on any project with an
  114  information technology component which project that the Florida
  115  Digital Service department identifies as high-risk due to the
  116  project exceeding acceptable variance ranges defined and
  117  documented in a project plan. The report must include a risk
  118  assessment, including fiscal risks, associated with proceeding
  119  to the next stage of the project, and a recommendation for
  120  corrective actions required, including suspension or termination
  121  of the project. The Florida Digital Service may establish a
  122  process for state agencies to apply for an exception to the
  123  requirements of this paragraph.
  124         (e)(5) Identify opportunities for standardization and
  125  consolidation of information technology services that support
  126  interoperability and the cloud-first policy as described in s.
  127  282.206, business functions and operations, including
  128  administrative functions such as purchasing, accounting and
  129  reporting, cash management, and personnel, and that are common
  130  across state agencies. The Florida Digital Service department
  131  shall biennially on April 1 provide recommendations for
  132  standardization and consolidation to the Executive Office of the
  133  Governor, the President of the Senate, and the Speaker of the
  134  House of Representatives.
  135         (f)(6) Establish best practices for the procurement of
  136  information technology products and cloud-computing services in
  137  order to reduce costs, increase the quality of data center
  138  services, or improve government services.
  139         (g)(7) Develop standards for information technology reports
  140  and updates, including, but not limited to, operational work
  141  plans, project spend plans, and project status reports, for use
  142  by state agencies.
  143         (h)(8) Upon request, assist state agencies in the
  144  development of information technology-related legislative budget
  145  requests.
  146         (i)(9) Conduct annual assessments of state agencies to
  147  determine compliance with all information technology standards
  148  and guidelines developed and published by the Florida Digital
  149  Service department and provide results of the assessments to the
  150  Executive Office of the Governor, the President of the Senate,
  151  and the Speaker of the House of Representatives.
  152         (j)(10) Provide operational management and oversight of the
  153  state data center established pursuant to s. 282.201, which
  154  includes:
  155         1.(a) Implementing industry standards and best practices
  156  for the state data center’s facilities, operations, maintenance,
  157  planning, and management processes.
  158         2.(b) Developing and implementing cost-recovery or other
  159  payment mechanisms that recover the full direct and indirect
  160  cost of services through charges to applicable customer
  161  entities. Such cost-recovery or other payment mechanisms must
  162  comply with applicable state and federal regulations concerning
  163  distribution and use of funds and must ensure that, for any
  164  fiscal year, no service or customer entity subsidizes another
  165  service or customer entity.
  166         3.(c) Developing and implementing appropriate operating
  167  guidelines and procedures necessary for the state data center to
  168  perform its duties pursuant to s. 282.201. The guidelines and
  169  procedures must comply with applicable state and federal laws,
  170  regulations, and policies and conform to generally accepted
  171  governmental accounting and auditing standards. The guidelines
  172  and procedures must include, but need not be limited to:
  173         a.1. Implementing a consolidated administrative support
  174  structure responsible for providing financial management,
  175  procurement, transactions involving real or personal property,
  176  human resources, and operational support.
  177         b.2. Implementing an annual reconciliation process to
  178  ensure that each customer entity is paying for the full direct
  179  and indirect cost of each service as determined by the customer
  180  entity’s use of each service.
  181         c.3. Providing rebates that may be credited against future
  182  billings to customer entities when revenues exceed costs.
  183         d.4. Requiring customer entities to validate that
  184  sufficient funds exist in the appropriate data processing
  185  appropriation category or will be transferred into the
  186  appropriate data processing appropriation category before
  187  implementation of a customer entity’s request for a change in
  188  the type or level of service provided, if such change results in
  189  a net increase to the customer entity’s cost for that fiscal
  190  year.
  191         e.5. By November 15 of each year, providing to the Office
  192  of Policy and Budget in the Executive Office of the Governor and
  193  to the chairs of the legislative appropriations committees the
  194  projected costs of providing data center services for the
  195  following fiscal year.
  196         f.6. Providing a plan for consideration by the Legislative
  197  Budget Commission if the cost of a service is increased for a
  198  reason other than a customer entity’s request made pursuant to
  199  sub-subparagraph d. subparagraph 4. Such a plan is required only
  200  if the service cost increase results in a net increase to a
  201  customer entity for that fiscal year.
  202         g.7. Standardizing and consolidating procurement and
  203  contracting practices.
  204         4.(d) In collaboration with the Department of Law
  205  Enforcement, developing and implementing a process for
  206  detecting, reporting, and responding to information technology
  207  security incidents, breaches, and threats.
  208         5.(e) Adopting rules relating to the operation of the state
  209  data center, including, but not limited to, budgeting and
  210  accounting procedures, cost-recovery or other payment
  211  methodologies, and operating procedures.
  212         (f) Conducting an annual market analysis to determine
  213  whether the state’s approach to the provision of data center
  214  services is the most effective and cost-efficient manner by
  215  which its customer entities can acquire such services, based on
  216  federal, state, and local government trends; best practices in
  217  service provision; and the acquisition of new and emerging
  218  technologies. The results of the market analysis shall assist
  219  the state data center in making adjustments to its data center
  220  service offerings.
  221         (k)(11) Recommend other information technology services
  222  that should be designed, delivered, and managed as enterprise
  223  information technology services. Recommendations must include
  224  the identification of existing information technology resources
  225  associated with the services, if existing services must be
  226  transferred as a result of being delivered and managed as
  227  enterprise information technology services.
  228         (l)(12) In consultation with state agencies, propose a
  229  methodology and approach for identifying and collecting both
  230  current and planned information technology expenditure data at
  231  the state agency level.
  232         (m)1.(13)(a) Notwithstanding any other law, provide project
  233  oversight on any project with an information technology
  234  component project of the Department of Financial Services, the
  235  Department of Legal Affairs, and the Department of Agriculture
  236  and Consumer Services which has a total project cost of $25
  237  million or more and which impacts one or more other agencies.
  238  Such projects with an information technology component projects
  239  must also comply with the applicable information technology
  240  architecture, project management and oversight, and reporting
  241  standards established by the Florida Digital Service department.
  242  The Florida Digital Service may establish a process for state
  243  agencies to apply for an exception to the requirements of this
  244  subparagraph.
  245         2.(b) When performing the project oversight function
  246  specified in subparagraph 1. paragraph (a), report at least
  247  quarterly to the Executive Office of the Governor, the President
  248  of the Senate, and the Speaker of the House of Representatives
  249  on any project with an information technology component project
  250  that the Florida Digital Service department identifies as high
  251  risk due to the project exceeding acceptable variance ranges
  252  defined and documented in the project plan. The report shall
  253  include a risk assessment, including fiscal risks, associated
  254  with proceeding to the next stage of the project and a
  255  recommendation for corrective actions required, including
  256  suspension or termination of the project.
  257         (n)(14) If a project with an information technology
  258  component project implemented by a state agency must be
  259  connected to or otherwise accommodated by an information
  260  technology system administered by the Department of Financial
  261  Services, the Department of Legal Affairs, or the Department of
  262  Agriculture and Consumer Services, consult with these
  263  departments regarding the risks and other effects of such
  264  projects on their information technology systems and work
  265  cooperatively with these departments regarding the connections,
  266  interfaces, timing, or accommodations required to implement such
  267  projects.
  268         (o)(15) If adherence to standards or policies adopted by or
  269  established pursuant to this section causes conflict with
  270  federal regulations or requirements imposed on a state agency
  271  and results in adverse action against the state agency or
  272  federal funding, work with the state agency to provide
  273  alternative standards, policies, or requirements that do not
  274  conflict with the federal regulation or requirement. The Florida
  275  Digital Service department shall annually report such
  276  alternative standards to the Governor, the President of the
  277  Senate, and the Speaker of the House of Representatives.
  278         (p)1.(16)(a) Establish an information technology policy for
  279  all information technology-related state contracts, including
  280  state term contracts for information technology commodities,
  281  consultant services, and staff augmentation services. The
  282  information technology policy must include:
  283         a.1. Identification of the information technology product
  284  and service categories to be included in state term contracts.
  285         b.2. Requirements to be included in solicitations for state
  286  term contracts.
  287         c.3. Evaluation criteria for the award of information
  288  technology-related state term contracts.
  289         d.4. The term of each information technology-related state
  290  term contract.
  291         e.5. The maximum number of vendors authorized on each state
  292  term contract.
  293         2.(b) Evaluate vendor responses for information technology
  294  related state term contract solicitations and invitations to
  295  negotiate.
  296         3.(c) Answer vendor questions on information technology
  297  related state term contract solicitations.
  298         4.(d) Ensure that the information technology policy
  299  established pursuant to subparagraph 1. paragraph (a) is
  300  included in all solicitations and contracts that are
  301  administratively executed by the department.
  302         (q)(17) Recommend potential methods for standardizing data
  303  across state agencies which will promote interoperability and
  304  reduce the collection of duplicative data.
  305         (r)(18) Recommend open data technical standards and
  306  terminologies for use by state agencies.
  307         (3)(a) The Secretary of Management Services shall appoint a
  308  state chief information officer, who shall administer the
  309  Florida Digital Service and is included in the Senior Management
  310  Service.
  311         (b) The state chief information officer shall appoint a
  312  chief data officer, who shall report to the state chief
  313  information officer and is included in the Senior Management
  314  Service.
  315         (4) The Florida Digital Service shall develop a
  316  comprehensive enterprise architecture that:
  317         (a) Recognizes the unique needs of those included within
  318  the enterprise and that results in the publication of standards,
  319  terminologies, and procurement guidelines to facilitate digital
  320  interoperability.
  321         (b) Supports the cloud-first policy as described in s.
  322  282.206.
  323         (c) Addresses how information technology infrastructure may
  324  be modernized to achieve current and future cloud-first
  325  objectives.
  326         (5) The Florida Digital Service shall:
  327         (a) Upon the receipt of an appropriation or approval of a
  328  budget amendment, create and maintain a comprehensive indexed
  329  data catalog that lists what data elements are housed within the
  330  enterprise and in which legacy system or application these data
  331  elements are located.
  332         (b) Upon the receipt of an appropriation or approval of a
  333  budget amendment, develop and publish, in collaboration with the
  334  enterprise, a data dictionary for each agency which reflects the
  335  nomenclature in the comprehensive indexed data catalog.
  336         (c) Review and document use cases across the enterprise
  337  architecture.
  338         (d) Develop solutions for authorized or mandated use cases
  339  in collaboration with the enterprise.
  340         (e) Upon the receipt of an appropriation or approval of a
  341  budget amendment, develop, publish, and manage an application
  342  programming interface to facilitate integration throughout the
  343  enterprise.
  344         (f) Facilitate collaborative analysis of enterprise
  345  architecture data to improve service delivery.
  346         (g) Upon the receipt of an appropriation or approval of a
  347  budget amendment, provide a testing environment in which any
  348  newly developed solution can be tested for compliance within the
  349  enterprise architecture and for functionality assurance before
  350  deployment.
  351         (h) Create the functionality necessary for a secure
  352  ecosystem of data interoperability which is compliant with the
  353  enterprise architecture and allows for a qualified entity to
  354  access the stored data under the terms of the agreement with the
  355  department.
  356         (i)1. By utilizing existing resources or through the
  357  approval of an appropriation or budget amendment, procure a
  358  credential service provider through a competitive process
  359  pursuant to s. 287.057. The terms of the contract developed from
  360  such procurement shall pay for the value on a per-data call or
  361  subscription basis, and there shall be no cost to the department
  362  or law enforcement for using the services provided by the
  363  credential service provider.
  364         a. The department shall enter into agreements with
  365  electronic credential providers that have the technological
  366  capabilities necessary to integrate with the credential service
  367  provider; ensure secure validation and authentication of data;
  368  meet usage criteria; agree to terms and conditions, privacy
  369  policies, and uniform remittance terms relating to the
  370  consumption of an electronic credential; and include clear,
  371  enforceable, and significant penalties for violations of the
  372  agreements.
  373         b. Revenue generated must be collected by the department
  374  and deposited into the operating trust fund within the
  375  department for distribution pursuant to a legislative
  376  appropriation and department agreements with the credential
  377  service provider, the electronic credential providers, and the
  378  qualified entities. The terms of the agreements between the
  379  department and the credential service provider, the electronic
  380  credential providers, and the qualified entities must be based
  381  on the per-data call or subscription charges to validate and
  382  authenticate an electronic credential and allow the department
  383  to recover any state costs for implementing and administering an
  384  electronic credential solution. Provider revenues may not be
  385  derived from any other transactions that generate revenue for
  386  the department outside of the per-data call or subscription
  387  charges. Nothing herein shall be construed as a restriction on a
  388  provider’s ability to generate additional revenues from third
  389  parties outside of the terms of the agreement.
  390         2. Upon the signing of the enterprise architecture terms of
  391  service and privacy policies, provide to qualified entities and
  392  electronic credential providers appropriate access to the stored
  393  data to facilitate authorized integrations to collaboratively
  394  and less expensively, or at no taxpayer cost, solve enterprise
  395  use cases.
  396         (j) Architect and deploy applications or solutions to
  397  existing enterprise obligations in a controlled and phased
  398  approach, including, but not limited to:
  399         1. Digital licenses, including full identification
  400  management.
  401         2. Upon the receipt of an appropriation or approval of a
  402  budget amendment, interoperability that enables supervisors of
  403  elections to authenticate voter eligibility in real time at the
  404  point of service.
  405         3. The criminal justice database.
  406         4. Motor vehicle insurance cancellation integration between
  407  insurers and the Department of Highway Safety and Motor
  408  Vehicles.
  409         5. Upon the receipt of an appropriation or approval of a
  410  budget amendment, interoperability solutions between agencies,
  411  including, but not limited to, the Department of Health, the
  412  Agency for Health Care Administration, the Agency for Persons
  413  with Disabilities, the Department of Education, the Department
  414  of Elderly Affairs, and the Department of Children and Families.
  415         6. Interoperability solutions to support military members,
  416  veterans, and their families.
  417         (6) The Florida Digital Service may develop a process to:
  418         (a) Upon the request of funds in a legislative budget
  419  request, receive written notice from state agencies within the
  420  enterprise of any planned or existing procurement of an
  421  information technology project that is subject to governance by
  422  the enterprise architecture.
  423         (b) Intervene in any planned procurement by a state agency
  424  so that it complies with the enterprise architecture.
  425         (c) Report to the legislative branch on any project within
  426  the judicial branch which does not comply with the enterprise
  427  architecture, while understanding the separation of powers.
  428         (7)(19) The Florida Digital Service may adopt rules to
  429  administer this section.
  430         Section 3. Section 282.00515, Florida Statutes, is amended
  431  to read:
  432         282.00515 Enterprise Architecture Advisory Council Duties
  433  of Cabinet agencies.—
  434         (1)(a) The Enterprise Architecture Advisory Council, an
  435  advisory council as defined in s. 20.03(7), is established
  436  within the Department of Management Services. The council shall
  437  comply with the requirements of s. 20.052 except as otherwise
  438  provided in this section.
  439         (b) The council shall consist of:
  440         1. The Governor or his or her designee.
  441         2. Three members appointed by the Governor.
  442         3. The director of the Office of Policy and Budget in the
  443  Executive Office of the Governor, or his or her designee.
  444         4. The Secretary of Management Services or his or her
  445  designee.
  446         5. The state chief information officer or his or her
  447  designee.
  448         6. The Chief Justice of the Supreme Court or his or her
  449  designee.
  450         7. The President of the Senate or his or her designee.
  451         8. The Speaker of the House of Representatives or his or
  452  her designee.
  453         9. The chief information officer of the Department of
  454  Financial Services or his or her designee.
  455         10. The chief information officer of the Department of
  456  Legal Affairs or his or her designee.
  457         11. The chief information officer of the Department of
  458  Agriculture and Consumer Services or his or her designee.
  459         (2)(a) The members appointed in this section shall be
  460  appointed to terms of 4 years. However, for the purpose of
  461  providing staggered terms:
  462         1. The appointments by the Governor and the director of the
  463  Office of Policy and Budget in the Executive Office of the
  464  Governor are for initial terms of 2 years.
  465         2. The appointments by the Secretary of Management Services
  466  and the state chief information officer are for initial terms of
  467  4 years.
  468         3. The appointment by the Chief Justice is for an initial
  469  term of 3 years.
  470         4. The appointments by the President of the Senate and the
  471  Speaker of the House of Representatives are for initial terms of
  472  2 years.
  473         5. The appointments by the chief information officers of
  474  the Department of Financial Services, the Department of Legal
  475  Affairs, and the Department of Agriculture and Consumer Services
  476  are for initial terms of 2 years.
  477         (b) A vacancy on the council shall be filled in the same
  478  manner as the original appointment for the unexpired term.
  479         (c) The council shall meet semiannually, beginning October
  480  1, 2020, to discuss implementation, management, and coordination
  481  of the enterprise architecture as defined in s. 282.0051(1);
  482  identify potential issues and threats with specific use cases;
  483  and develop proactive solutions The Department of Legal Affairs,
  484  the Department of Financial Services, and the Department of
  485  Agriculture and Consumer Services shall adopt the standards
  486  established in s. 282.0051(2), (3), and (7) or adopt alternative
  487  standards based on best practices and industry standards, and
  488  may contract with the department to provide or perform any of
  489  the services and functions described in s. 282.0051 for the
  490  Department of Legal Affairs, the Department of Financial
  491  Services, or the Department of Agriculture and Consumer
  492  Services.
  493         Section 4. Paragraph (a) of subsection (3) of section
  494  282.318, Florida Statutes, is amended to read:
  495         282.318 Security of data and information technology.—
  496         (3) The department is responsible for establishing
  497  standards and processes consistent with generally accepted best
  498  practices for information technology security, to include
  499  cybersecurity, and adopting rules that safeguard an agency’s
  500  data, information, and information technology resources to
  501  ensure availability, confidentiality, and integrity and to
  502  mitigate risks. The department shall also:
  503         (a) Designate a state chief information security officer,
  504  who shall be appointed by and report to the state chief
  505  information officer of the Florida Digital Service, and who is
  506  in the Senior Management Service. The state chief information
  507  security officer must have experience and expertise in security
  508  and risk management for communications and information
  509  technology resources.
  510         Section 5. Subsection (4) of section 287.0591, Florida
  511  Statutes, is amended to read:
  512         287.0591 Information technology.—
  513         (4) If the department issues a competitive solicitation for
  514  information technology commodities, consultant services, or
  515  staff augmentation contractual services, the Florida Digital
  516  Service Division of State Technology within the department shall
  517  participate in such solicitations.
  518         Section 6. Paragraph (a) of subsection (3) of section
  519  365.171, Florida Statutes, is amended to read:
  520         365.171 Emergency communications number E911 state plan.—
  521         (3) DEFINITIONS.—As used in this section, the term:
  522         (a) “Office” means the Division of Telecommunications State
  523  Technology within the Department of Management Services, as
  524  designated by the secretary of the department.
  525         Section 7. Paragraph (s) of subsection (3) of section
  526  365.172, Florida Statutes, is amended to read:
  527         365.172 Emergency communications number “E911.”—
  528         (3) DEFINITIONS.—Only as used in this section and ss.
  529  365.171, 365.173, 365.174, and 365.177, the term:
  530         (s) “Office” means the Division of Telecommunications State
  531  Technology within the Department of Management Services, as
  532  designated by the secretary of the department.
  533         Section 8. Paragraph (a) of subsection (1) of section
  534  365.173, Florida Statutes, is amended to read:
  535         365.173 Communications Number E911 System Fund.—
  536         (1) REVENUES.—
  537         (a) Revenues derived from the fee levied on subscribers
  538  under s. 365.172(8) must be paid by the board into the State
  539  Treasury on or before the 15th day of each month. Such moneys
  540  must be accounted for in a special fund to be designated as the
  541  Emergency Communications Number E911 System Fund, a fund created
  542  in the Division of Telecommunications State Technology, or other
  543  office as designated by the Secretary of Management Services.
  544         Section 9. Subsection (5) of section 943.0415, Florida
  545  Statutes, is amended to read:
  546         943.0415 Cybercrime Office.—There is created within the
  547  Department of Law Enforcement the Cybercrime Office. The office
  548  may:
  549         (5) Consult with the Florida Digital Service Division of
  550  State Technology within the Department of Management Services in
  551  the adoption of rules relating to the information technology
  552  security provisions in s. 282.318.
  553         Section 10. Effective January 1, 2021, section 559.952,
  554  Florida Statutes, is created to read:
  555         559.952 Financial Technology Sandbox.—
  556         (1)SHORT TITLE.—This section may be cited as the
  557  “Financial Technology Sandbox.”
  558         (2)CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
  559  created the Financial Technology Sandbox within the Office of
  560  Financial Regulation to allow financial technology innovators to
  561  test new products and services in a supervised, flexible
  562  regulatory sandbox using waivers of specified general law and
  563  corresponding rule requirements under defined conditions. The
  564  creation of a supervised, flexible regulatory sandbox provides a
  565  welcoming business environment for technology innovators and may
  566  lead to significant business growth.
  567         (3)DEFINITIONS.—As used in this section, the term:
  568         (a)“Commission” means the Financial Services Commission.
  569         (b)“Consumer” means a person in this state, whether a
  570  natural person or a business entity, who purchases, uses,
  571  receives, or enters into an agreement to purchase, use, or
  572  receive an innovative financial product or service made
  573  available through the Financial Technology Sandbox.
  574         (c)“Financial product or service” means a product or
  575  service related to finance, including securities, consumer
  576  credit, or money transmission, which is traditionally subject to
  577  general law or rule requirements in the provisions enumerated in
  578  paragraph (4)(a) and which is under the jurisdiction of the
  579  office.
  580         (d)“Financial Technology Sandbox” means the program
  581  created in this section which allows a person to make an
  582  innovative financial product or service available to consumers
  583  through waiver of the provisions enumerated in paragraph (4)(a)
  584  during a sandbox period through a waiver of general laws or rule
  585  requirements, or portions thereof, as specified in this section.
  586         (e)“Innovative” means new or emerging technology, or new
  587  uses of existing technology, which provides a product, service,
  588  business model, or delivery mechanism to the public.
  589         (f)“Office” means, unless the context clearly indicates
  590  otherwise, the Office of Financial Regulation.
  591         (g)“Sandbox period” means the period, initially not longer
  592  than 24 months, in which the office has:
  593         1.Authorized an innovative financial product or service to
  594  be made available to consumers.
  595         2.Granted the person who makes the innovative financial
  596  product or service available a waiver of general law or
  597  corresponding rule requirements, as determined by the office, so
  598  that the authorization under subparagraph 1. is possible.
  599         (4)WAIVERS OF GENERAL LAW AND RULE REQUIREMENTS.—
  600         (a)Upon approval of a Financial Technology Sandbox
  601  application, the office may grant an applicant a waiver of a
  602  requirement, or a portion thereof, which is imposed by a general
  603  law or corresponding rule in any of the following provisions, if
  604  all of the conditions in paragraph (b) are met:
  605         1.Section 560.1105.
  606         2.Section 560.118.
  607         3.Section 560.125, except for s. 560.125(2).
  608         4.Section 560.128.
  609         5.Section 560.1401, except for s. 560.1401(2)-(4).
  610         6.Section 560.141, except for s. 560.141(1)(b)-(d).
  611         7.Section 560.142, except that the office may prorate, but
  612  may not entirely waive, the license renewal fees provided in ss.
  613  560.142 and 560.143 for an extension granted under subsection
  614  (7).
  615         8.Section 560.143(2) to the extent necessary for proration
  616  of the renewal fee under subparagraph 7.
  617         9.Section 560.205, except for s. 560.205(1) and (3).
  618         10.Section 560.208, except for s. 560.208(3)-(6).
  619         11.Section 560.209, except that the office may modify, but
  620  may not entirely waive, the net worth, corporate surety bond,
  621  and collateral deposit amounts required under s. 560.209. The
  622  modified amounts must be in such lower amounts that the office
  623  determines to be commensurate with the considerations under
  624  paragraph (5)(e) and the maximum number of consumers authorized
  625  to receive the financial product or service under this section.
  626         12.Section 516.03, except for the license and
  627  investigation fee. The office may prorate, but not entirely
  628  waive, the license renewal fees for an extension granted under
  629  subsection (7). The office may not waive the evidence of liquid
  630  assets of at least $25,000.
  631         13.Section 516.05, except that the office may make an
  632  investigation of the facts concerning the applicant’s
  633  background.
  634         14.Section 516.12.
  635         15.Section 516.19.
  636         16.Section 517.07.
  637         17.Section 517.12.
  638         18.Section 517.121.
  639         19.Section 520.03, except for the application fee. The
  640  office may prorate, but not entirely waive, the license renewal
  641  fees for an extension granted under subsection (7).
  642         20.Section 520.12.
  643         21.Section 520.25.
  644         22.Section 520.32, except for the application fee. The
  645  office may prorate, but not entirely waive, the license renewal
  646  fees for an extension granted under subsection (7).
  647         23.Section 520.39.
  648         24.Section 520.52, except for the application fee. The
  649  office may prorate, but not entirely waive, the license renewal
  650  fees for an extension granted under subsection (7).
  651         25.Section 520.57.
  652         26.Section 520.63, except for the application fee. The
  653  office may prorate, but not entirely waive, the license renewal
  654  fees for an extension granted under subsection (7).
  655         27.Section 520.997.
  656         28.Section 520.98.
  657         29.Section 537.004, except for s. 537.004(2) and (5). The
  658  office may prorate, but not entirely waive, the license renewal
  659  fees for an extension granted under subsection (7).
  660         30.Section 537.005, except that the office may modify, but
  661  not entirely waive, the corporate surety bond amount required by
  662  s. 537.005. The modified amount must be in such lower amount
  663  that the office determines to be commensurate with the
  664  considerations under paragraph (5)(e) and the maximum number of
  665  consumers authorized to receive the product or service under
  666  this section.
  667         31.Section 537.007.
  668         32.Section 537.009.
  669         33.Section 537.015.
  670         (b)During a sandbox period, the office may grant a waiver
  671  of a requirement, or a portion thereof, imposed by a general law
  672  or corresponding rule in any provision enumerated in paragraph
  673  (a) if all of the following conditions are met:
  674         1.The general law or corresponding rule currently prevents
  675  the innovative financial product or service to be made available
  676  to consumers.
  677         2.The waiver is not broader than necessary to accomplish
  678  the purposes and standards specified in this section, as
  679  determined by the office.
  680         3.No provision relating to the liability of an
  681  incorporator, director, or officer of the applicant is eligible
  682  for a waiver.
  683         4.The other requirements of this section are met.
  684         (5)FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
  685  APPROVAL.—
  686         (a)Before filing an application to enter the Financial
  687  Technology Sandbox, a substantially affected person may seek a
  688  declaratory statement pursuant to s. 120.565 regarding the
  689  applicability of a statute, rule, or agency order to the
  690  petitioner’s particular set of circumstances.
  691         (b)Before making an innovative financial product or
  692  service available to consumers in the Financial Technology
  693  Sandbox, a person must file an application with the office. The
  694  commission shall prescribe by rule the form and manner of the
  695  application.
  696         1.In the application, the person must specify the general
  697  law or rule requirements for which a waiver is sought and the
  698  reasons why these requirements prevent the innovative financial
  699  product or service from being made available to consumers.
  700         2.The application must also contain the information
  701  specified in paragraph (e).
  702         (c)A business entity filing an application under this
  703  section must be a domestic corporation or other organized
  704  domestic entity with a physical presence, other than that of a
  705  registered office or agent or virtual mailbox, in this state.
  706         (d)Before a person applies on behalf of a business entity
  707  intending to make an innovative financial product or service
  708  available to consumers, the person must obtain the consent of
  709  the business entity.
  710         (e)The office shall approve or deny in writing a Financial
  711  Technology Sandbox application within 60 days after receiving
  712  the completed application. The office and the applicant may
  713  jointly agree to extend the time beyond 60 days. Consistent with
  714  this section, the office may impose conditions on any approval.
  715  In deciding to approve or deny an application, the office must
  716  consider each of the following:
  717         1.The nature of the innovative financial product or
  718  service proposed to be made available to consumers in the
  719  Financial Technology Sandbox, including all relevant technical
  720  details.
  721         2.The potential risk to consumers and the methods that
  722  will be used to protect consumers and resolve complaints during
  723  the sandbox period.
  724         3.The business plan proposed by the applicant, including a
  725  statement regarding the applicant’s current and proposed
  726  capitalization.
  727         4.Whether the applicant has the necessary personnel,
  728  adequate financial and technical expertise, and a sufficient
  729  plan to test, monitor, and assess the innovative financial
  730  product or service.
  731         5.Whether any person substantially involved in the
  732  development, operation, or management of the applicant’s
  733  innovative financial product or service has pled no contest to,
  734  has been convicted or found guilty of, or is currently under
  735  investigation for, fraud, a state or federal securities
  736  violation, any property-based offense, or any crime involving
  737  moral turpitude or dishonest dealing. A plea of no contest, a
  738  conviction, or a finding of guilt must be reported under this
  739  subparagraph regardless of adjudication.
  740         6.A copy of the disclosures that will be provided to
  741  consumers under paragraph (6)(c).
  742         7.The financial responsibility of any person substantially
  743  involved in the development, operation, or management of the
  744  applicant’s innovative financial product or service.
  745         8.Any other factor that the office determines to be
  746  relevant.
  747         (f)The office may not approve an application if:
  748         1.The applicant had a prior Financial Technology Sandbox
  749  application that was approved and that related to a
  750  substantially similar financial product or service; or
  751         2.Any person substantially involved in the development,
  752  operation, or management of the applicant’s innovative financial
  753  product or service was substantially involved with another
  754  Financial Technology Sandbox applicant whose application was
  755  approved and whose application related to a substantially
  756  similar financial product or service.
  757         (g)Upon approval of an application, the office shall
  758  specify the general law or rule requirements, or portions
  759  thereof, for which a waiver is granted during the sandbox period
  760  and the length of the initial sandbox period, not to exceed 24
  761  months. The office shall post on its website notice of the
  762  approval of the application, a summary of the innovative
  763  financial product or service, and the contact information of the
  764  person making the financial product or service available.
  765         (6)OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
  766         (a)A person whose Financial Technology Sandbox application
  767  is approved may make an innovative financial product or service
  768  available to consumers during the sandbox period.
  769         (b)The office may, on a case-by-case basis and after
  770  consultation with the person who makes the financial product or
  771  service available to consumers, specify the maximum number of
  772  consumers authorized to receive an innovative financial product
  773  or service. The office may not authorize more than 15,000
  774  consumers to receive the financial product or service until the
  775  person who makes the financial product or service available to
  776  consumers has filed the first report required under subsection
  777  (8). After the filing of the report, if the person demonstrates
  778  adequate financial capitalization, risk management process, and
  779  management oversight, the office may authorize up to 25,000
  780  consumers to receive the financial product or service.
  781         (c)1.Before a consumer purchases, uses, receives, or
  782  enters into an agreement to purchase, use, or receive an
  783  innovative financial product or service through the Financial
  784  Technology Sandbox, the person making the financial product or
  785  service available must provide a written statement of all of the
  786  following to the consumer:
  787         a.The name and contact information of the person making
  788  the financial product or service available to consumers.
  789         b.That the financial product or service has been
  790  authorized to be made available to consumers for a temporary
  791  period by the office, under the laws of this state.
  792         c.That this state does not endorse the financial product
  793  or service.
  794         d.That the financial product or service is undergoing
  795  testing, may not function as intended, and may entail financial
  796  risk.
  797         e.That the person making the financial product or service
  798  available to consumers is not immune from civil liability for
  799  any losses or damages caused by the financial product or
  800  service.
  801         f.The expected end date of the sandbox period.
  802         g.The contact information for the office, and notification
  803  that suspected legal violations, complaints, or other comments
  804  related to the financial product or service may be submitted to
  805  the office.
  806         h.Any other statements or disclosures required by rule of
  807  the commission which are necessary to further the purposes of
  808  this section.
  809         2.The written statement must contain an acknowledgment
  810  from the consumer, which must be retained for the duration of
  811  the sandbox period by the person making the financial product or
  812  service available.
  813         (d)The office may enter into an agreement with a state,
  814  federal, or foreign regulatory agency to allow persons:
  815         1.Who make an innovative financial product or service
  816  available in this state through the Financial Technology Sandbox
  817  to make their products or services available in other
  818  jurisdictions.
  819         2.Who operate in similar financial technology sandboxes in
  820  other jurisdictions to make innovative financial products and
  821  services available in this state under the standards of this
  822  section.
  823         (e)1.A person whose Financial Technology Sandbox
  824  application is approved by the office shall maintain
  825  comprehensive records relating to the innovative financial
  826  product or service. The person shall keep these records for at
  827  least 5 years after the conclusion of the sandbox period. The
  828  commission may specify by rule additional records requirements.
  829         2.The office may examine the records maintained under
  830  subparagraph 1. at any time, with or without notice.
  831         (7)EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
  832         (a)A person who is authorized to make an innovative
  833  financial product or service available to consumers may apply
  834  for an extension of the initial sandbox period for up to 12
  835  additional months for a purpose specified in subparagraph (b)1.
  836  or subparagraph (b)2. A complete application for an extension
  837  must be filed with the office at least 90 days before the
  838  conclusion of the initial sandbox period. The office shall
  839  approve or deny the application for extension in writing at
  840  least 35 days before the conclusion of the initial sandbox
  841  period. In deciding to approve or deny an application for
  842  extension of the sandbox period, the office must, at a minimum,
  843  consider the current status of the factors previously considered
  844  under paragraph (5)(e).
  845         (b)An application for an extension under paragraph (a)
  846  must cite one of the following reasons as the basis for the
  847  application and must provide all relevant supporting information
  848  that:
  849         1.Amendments to general law or rules are necessary to
  850  offer the innovative financial product or service in this state
  851  permanently.
  852         2.An application for a license that is required in order
  853  to offer the innovative financial product or service in this
  854  state permanently has been filed with the office, and approval
  855  is pending.
  856         (c)At least 30 days before the conclusion of the initial
  857  sandbox period or the extension, whichever is later, a person
  858  who makes an innovative financial product or service available
  859  shall provide written notification to consumers regarding the
  860  conclusion of the initial sandbox period or the extension and
  861  may not make the financial product or service available to any
  862  new consumers after the conclusion of the initial sandbox period
  863  or the extension, whichever is later, until legal authority
  864  outside of the Financial Technology Sandbox exists to make the
  865  financial product or service available to consumers. After the
  866  conclusion of the sandbox period or the extension, whichever is
  867  later, the person who makes the innovative financial product or
  868  service available may:
  869         1.Collect and receive money owed to the person or pay
  870  money owed by the person, based on agreements with consumers
  871  made before the conclusion of the sandbox period or the
  872  extension.
  873         2.Take necessary legal action.
  874         3.Take other actions authorized by commission rule which
  875  are not inconsistent with this subsection.
  876         (8)REPORT.—A person authorized to make an innovative
  877  financial product or service available to consumers under this
  878  section shall submit a report to the office twice a year as
  879  prescribed by commission rule. The report must, at a minimum,
  880  include financial reports and the number of consumers who have
  881  received the financial product or service.
  882         (9)CONSTRUCTION.—A person whose Financial Technology
  883  Sandbox application is approved shall be deemed licensed under
  884  part II of chapter 560 unless the person’s authorization to make
  885  the financial product or service available to consumers under
  886  this section has been revoked or suspended.
  887         (10)VIOLATIONS AND PENALTIES.—
  888         (a)A person who makes an innovative financial product or
  889  service available to consumers in the Financial Technology
  890  Sandbox is:
  891         1.Not immune from civil damages for acts and omissions
  892  relating to this section.
  893         2.Subject to all criminal and consumer protection laws.
  894         (b)1.The office may, by order, revoke or suspend
  895  authorization granted to a person to make an innovative
  896  financial product or service available to consumers if:
  897         a.The person has violated or refused to comply with this
  898  section, a rule of the commission, an order of the office, or a
  899  condition placed by the office on the approval of the person’s
  900  Financial Technology Sandbox application;
  901         b.A fact or condition exists that, if it had existed or
  902  become known at the time that the Financial Technology Sandbox
  903  application was pending, would have warranted denial of the
  904  application or the imposition of material conditions;
  905         c.A material error, false statement, misrepresentation, or
  906  material omission was made in the Financial Technology Sandbox
  907  application; or
  908         d.After consultation with the person, continued testing of
  909  the innovative financial product or service would:
  910         (I)Be likely to harm consumers; or
  911         (II)No longer serve the purposes of this section because
  912  of the financial or operational failure of the financial product
  913  or service.
  914         2.Written notice of a revocation or suspension order made
  915  under subparagraph 1. must be served using any means authorized
  916  by law. If the notice relates to a suspension, the notice must
  917  include any condition or remedial action that the person must
  918  complete before the office lifts the suspension.
  919         (c)The office may refer any suspected violation of law to
  920  an appropriate state or federal agency for investigation,
  921  prosecution, civil penalties, and other appropriate enforcement
  922  actions.
  923         (d)If service of process on a person making an innovative
  924  financial product or service available to consumers in the
  925  Financial Technology Sandbox is not feasible, service on the
  926  office shall be deemed service on such person.
  927         (11)RULES AND ORDERS.—
  928         (a)The commission shall adopt rules to administer this
  929  section.
  930         (b)The office may issue all necessary orders to enforce
  931  this section and may enforce the orders in accordance with
  932  chapter 120 or in any court of competent jurisdiction. These
  933  orders include, but are not limited to, orders for payment of
  934  restitution for harm suffered by consumers as a result of an
  935  innovative financial product or service.
  936         Section 11. Except as otherwise expressly provided in this
  937  act, this act shall take effect July 1, 2020.
  938  
  939  ================= T I T L E  A M E N D M E N T ================
  940  And the title is amended as follows:
  941         Delete everything before the enacting clause
  942  and insert:
  943                        A bill to be entitled                      
  944         An act relating to technology innovation; amending s.
  945         20.22, F.S.; renaming the Division of State Technology
  946         within the Department of Management Services as the
  947         Division of Telecommunications; deleting provisions
  948         relating to the appointment of the Division of State
  949         Technology’s director and qualifications for the state
  950         chief information officer; adding the Florida Digital
  951         Service to the department; amending s. 282.0051, F.S.;
  952         establishing the Florida Digital Service within the
  953         department; defining terms; transferring specified
  954         powers, duties, and functions of the department to the
  955         Florida Digital Service and revising such powers,
  956         duties, and functions; providing for appointments of a
  957         state chief information officer and a chief data
  958         officer and specifying their duties; requiring the
  959         Florida Digital Service to develop a comprehensive
  960         enterprise architecture; providing requirements for
  961         the enterprise architecture; specifying duties of and
  962         authorized actions by the Florida Digital Service;
  963         providing duties of the department; authorizing the
  964         Florida Digital Service to adopt rules; amending s.
  965         282.00515, F.S.; establishing the Enterprise
  966         Architecture Advisory Council; requiring the council
  967         to comply with specified requirements; providing
  968         membership and meeting requirements and duties of the
  969         council; deleting provisions relating to specified
  970         duties and powers of the Department of Legal Affairs,
  971         the Department of Financial Services, and the
  972         Department of Agriculture and Consumer Services;
  973         amending ss. 282.318, 287.0591, 365.171, 365.172,
  974         365.173, and 943.0415, F.S.; conforming provisions to
  975         changes made by the act; creating s. 559.952, F.S.;
  976         providing a short title; creating the Financial
  977         Technology Sandbox within the Office of Financial
  978         Regulation; defining terms; authorizing the office to
  979         grant waivers of specified financial regulatory
  980         requirements to certain applicants offering certain
  981         financial products or services during a sandbox
  982         period; specifying criteria for granting a waiver;
  983         requiring an application for the program for persons
  984         who want to make innovative financial products or
  985         services available to consumers; providing application
  986         requirements and procedures; providing standards for
  987         application approval or denial; requiring the office
  988         to perform certain actions upon approval of an
  989         application; specifying authorized actions of,
  990         limitations on, and disclosure requirements for
  991         persons making financial products or services
  992         available during a sandbox period; authorizing the
  993         office to enter into agreement with certain regulatory
  994         agencies for specified purposes; providing
  995         recordkeeping requirements; authorizing the office to
  996         examine specified records; providing requirements and
  997         procedures for applying for extensions and concluding
  998         sandbox periods; requiring written notification to
  999         consumers at the end of an extension or conclusion of
 1000         the sandbox period; providing acts that persons who
 1001         make innovative financial products or services
 1002         available to consumers may and may not engage in at
 1003         the end of an extension or conclusion of the sandbox
 1004         period; specifying reporting requirements to the
 1005         office; providing construction; providing that such
 1006         persons are not immune from civil damages and are
 1007         subject to criminal and consumer protection laws;
 1008         providing penalties; providing for service of process;
 1009         requiring the Financial Services Commission to adopt
 1010         rules; authorizing the office to issue orders and
 1011         enforce such orders through administrative or judicial
 1012         process; authorizing the office to issue and enforce
 1013         orders for payment of restitution; providing effective
 1014         dates.