Florida Senate - 2020                      CS for CS for SB 1870
       
       
        
       By the Committees on Banking and Insurance; and Innovation,
       Industry, and Technology; and Senator Hutson
       
       
       
       
       597-03961-20                                          20201870c2
    1                        A bill to be entitled                      
    2         An act relating to technology innovation; amending s.
    3         20.22, F.S.; renaming the Division of State Technology
    4         within the Department of Management Services as the
    5         Division of Telecommunications; deleting provisions
    6         relating to the appointment of the Division of State
    7         Technology’s director and qualifications for the state
    8         chief information officer; adding the Florida Digital
    9         Service to the department; amending s. 282.0041, F.S.;
   10         defining terms; revising the definition of the term
   11         “open data”; amending s. 282.0051, F.S.; establishing
   12         the Florida Digital Service within the department;
   13         transferring specified powers, duties, and functions
   14         of the department to the Florida Digital Service and
   15         revising such powers, duties, and functions; providing
   16         for designations of a state chief information officer
   17         and a chief data officer and specifying their duties;
   18         specifying duties of, and authorized actions by, the
   19         Florida Digital Service pursuant to legislative
   20         appropriation; providing duties of, and authorized
   21         actions by, the department, subject to legislative
   22         authorization and appropriation; authorizing the
   23         Florida Digital Service to adopt rules; amending s.
   24         282.00515, F.S.; revising standards that the
   25         Department of Legal Affairs, the Department of
   26         Financial Services, and the Department of Agriculture
   27         and Consumer Services must adopt; specifying
   28         notification requirements to the Governor and the
   29         Legislature if such an agency adopts alternative
   30         standards; providing construction; prohibiting the
   31         Florida Digital Service from retrieving or publishing
   32         data without a data sharing agreement with such an
   33         agency; amending ss. 282.318, 287.0591, 365.171,
   34         365.172, 365.173, and 943.0415, F.S.; conforming
   35         provisions to changes made by the act; creating s.
   36         559.952, F.S.; providing a short title; creating the
   37         Financial Technology Sandbox within the Office of
   38         Financial Regulation; defining terms; requiring the
   39         office, if certain conditions are met, to grant a
   40         license to a Financial Technology Sandbox applicant,
   41         grant exceptions to specified provisions of general
   42         law relating to consumer finance loans and money
   43         services businesses, and grant waivers of certain
   44         rules; authorizing a substantially affected person to
   45         seek a declaratory statement before applying to the
   46         Financial Technology Sandbox; specifying application
   47         requirements and procedures; specifying requirements,
   48         restrictions, and procedures for the office in
   49         reviewing and approving or denying applications;
   50         requiring the office to post on its website certain
   51         information relating to approved applications;
   52         specifying authorized actions of, limitations on, and
   53         requirements for licensees operating in the Financial
   54         Technology Sandbox; specifying disclosure requirements
   55         for licensees to consumers; authorizing the office to
   56         enter into certain agreements with other regulatory
   57         agencies; authorizing the office to examine licensee
   58         records; authorizing a licensee to apply for an
   59         extension of an initial sandbox period for a certain
   60         timeframe; specifying requirements and procedures for
   61         applying for an extension; specifying requirements and
   62         procedures for, and authorized actions of, licensees
   63         when concluding a sandbox period or extension;
   64         requiring licensees to submit certain reports to the
   65         office at specified intervals; providing construction;
   66         specifying the liability of a licensee; authorizing
   67         the office to take certain disciplinary actions
   68         against a licensee under certain circumstances;
   69         providing construction relating to service of process;
   70         specifying the rulemaking authority of the Financial
   71         Services Commission; providing the office authority to
   72         issue orders and enforce the orders; providing an
   73         appropriation; providing effective dates.
   74          
   75  Be It Enacted by the Legislature of the State of Florida:
   76  
   77         Section 1. Subsection (2) of section 20.22, Florida
   78  Statutes, is amended to read:
   79         20.22 Department of Management Services.—There is created a
   80  Department of Management Services.
   81         (2) The following divisions and programs within the
   82  Department of Management Services shall consist of the following
   83  are established:
   84         (a) The Facilities Program.
   85         (b) The Division of Telecommunications State Technology,
   86  the director of which is appointed by the secretary of the
   87  department and shall serve as the state chief information
   88  officer. The state chief information officer must be a proven,
   89  effective administrator who must have at least 10 years of
   90  executive-level experience in the public or private sector,
   91  preferably with experience in the development of information
   92  technology strategic planning and the development and
   93  implementation of fiscal and substantive information technology
   94  policy and standards.
   95         (c) The Workforce Program.
   96         (d)1. The Support Program.
   97         2. The Federal Property Assistance Program.
   98         (e) The Administration Program.
   99         (f) The Division of Administrative Hearings.
  100         (g) The Division of Retirement.
  101         (h) The Division of State Group Insurance.
  102         (i)The Florida Digital Service.
  103         Section 2. Section 282.0041, Florida Statutes, is amended
  104  to read:
  105         282.0041 Definitions.—As used in this chapter, the term:
  106         (1) “Agency assessment” means the amount each customer
  107  entity must pay annually for services from the Department of
  108  Management Services and includes administrative and data center
  109  services costs.
  110         (2) “Agency data center” means agency space containing 10
  111  or more physical or logical servers.
  112         (3) “Breach” has the same meaning as provided in s.
  113  501.171.
  114         (4) “Business continuity plan” means a collection of
  115  procedures and information designed to keep an agency’s critical
  116  operations running during a period of displacement or
  117  interruption of normal operations.
  118         (5) “Cloud computing” has the same meaning as provided in
  119  Special Publication 800-145 issued by the National Institute of
  120  Standards and Technology.
  121         (6) “Computing facility” or “agency computing facility”
  122  means agency space containing fewer than a total of 10 physical
  123  or logical servers, but excluding single, logical-server
  124  installations that exclusively perform a utility function such
  125  as file and print servers.
  126         (7) “Credential service provider” means a provider
  127  competitively procured by the department to supply secure
  128  identity management and verification services based on open
  129  standards to qualified entities.
  130         (8) “Customer entity” means an entity that obtains services
  131  from the Department of Management Services.
  132         (9)(8) “Data” means a subset of structured information in a
  133  format that allows such information to be electronically
  134  retrieved and transmitted.
  135         (10)“Data-call” means an electronic transaction with the
  136  credential service provider that verifies the authenticity of a
  137  digital identity by querying enterprise data.
  138         (11)(9) “Department” means the Department of Management
  139  Services.
  140         (12)(10) “Disaster recovery” means the process, policies,
  141  procedures, and infrastructure related to preparing for and
  142  implementing recovery or continuation of an agency’s vital
  143  technology infrastructure after a natural or human-induced
  144  disaster.
  145         (13)“Electronic” means technology having electrical,
  146  digital, magnetic, wireless, optical, electromagnetic, or
  147  similar capabilities.
  148         (14)“Electronic credential” means an electronic
  149  representation of the identity of a person, an organization, an
  150  application, or a device.
  151         (15)“Enterprise” means the collection of state agencies as
  152  defined in subsection (35). The term includes the Department of
  153  Legal Affairs, the Department of Agriculture and Consumer
  154  Services, and the Department of Financial Services.
  155         (16)“Enterprise architecture” means a comprehensive
  156  operational framework that contemplates the needs and assets of
  157  the enterprise to support interoperability across state
  158  government.
  159         (17)(11) “Enterprise information technology service” means
  160  an information technology service that is used in all agencies
  161  or a subset of agencies and is established in law to be
  162  designed, delivered, and managed at the enterprise level.
  163         (18)(12) “Event” means an observable occurrence in a system
  164  or network.
  165         (19)(13) “Incident” means a violation or imminent threat of
  166  violation, whether such violation is accidental or deliberate,
  167  of information technology resources, security, policies, or
  168  practices. An imminent threat of violation refers to a situation
  169  in which the state agency has a factual basis for believing that
  170  a specific incident is about to occur.
  171         (20)(14) “Information technology” means equipment,
  172  hardware, software, firmware, programs, systems, networks,
  173  infrastructure, media, and related material used to
  174  automatically, electronically, and wirelessly collect, receive,
  175  access, transmit, display, store, record, retrieve, analyze,
  176  evaluate, process, classify, manipulate, manage, assimilate,
  177  control, communicate, exchange, convert, converge, interface,
  178  switch, or disseminate information of any kind or form.
  179         (21)(15) “Information technology policy” means a definite
  180  course or method of action selected from among one or more
  181  alternatives that guide and determine present and future
  182  decisions.
  183         (22)(16) “Information technology resources” has the same
  184  meaning as provided in s. 119.011.
  185         (23)(17) “Information technology security” means the
  186  protection afforded to an automated information system in order
  187  to attain the applicable objectives of preserving the integrity,
  188  availability, and confidentiality of data, information, and
  189  information technology resources.
  190         (24)“Interoperability” means the technical ability to
  191  share and use data across and throughout the enterprise.
  192         (25)(18) “Open data” means data collected or created by a
  193  state agency, including the Department of Legal Affairs, the
  194  Department of Agriculture and Consumer Services, and the
  195  Department of Financial Services, and structured in a way that
  196  enables the data to be fully discoverable and usable by the
  197  public. The term does not include data that are restricted from
  198  public disclosure distribution based on federal or state
  199  privacy, confidentiality, and security laws and regulations or
  200  data for which a state agency is statutorily authorized to
  201  assess a fee for its distribution.
  202         (26)(19) “Performance metrics” means the measures of an
  203  organization’s activities and performance.
  204         (27)(20) “Project” means an endeavor that has a defined
  205  start and end point; is undertaken to create or modify a unique
  206  product, service, or result; and has specific objectives that,
  207  when attained, signify completion.
  208         (28)(21) “Project oversight” means an independent review
  209  and analysis of an information technology project that provides
  210  information on the project’s scope, completion timeframes, and
  211  budget and that identifies and quantifies issues or risks
  212  affecting the successful and timely completion of the project.
  213         (29)“Qualified entity” means a public or private entity or
  214  individual that enters into a binding agreement with the
  215  department, meets usage criteria, agrees to terms and
  216  conditions, and is subsequently and prescriptively authorized by
  217  the department to access data under the terms of that agreement
  218  as specified in s. 282.0051.
  219         (30)(22) “Risk assessment” means the process of identifying
  220  security risks, determining their magnitude, and identifying
  221  areas needing safeguards.
  222         (31)(23) “Service level” means the key performance
  223  indicators (KPI) of an organization or service which must be
  224  regularly performed, monitored, and achieved.
  225         (32)(24) “Service-level agreement” means a written contract
  226  between the Department of Management Services and a customer
  227  entity which specifies the scope of services provided, service
  228  level, the duration of the agreement, the responsible parties,
  229  and service costs. A service-level agreement is not a rule
  230  pursuant to chapter 120.
  231         (33)(25) “Stakeholder” means a person, group, organization,
  232  or state agency involved in or affected by a course of action.
  233         (34)(26) “Standards” means required practices, controls,
  234  components, or configurations established by an authority.
  235         (35)(27) “State agency” means any official, officer,
  236  commission, board, authority, council, committee, or department
  237  of the executive branch of state government; the Justice
  238  Administrative Commission; and the Public Service Commission.
  239  The term does not include university boards of trustees or state
  240  universities. As used in part I of this chapter, except as
  241  otherwise specifically provided, the term does not include the
  242  Department of Legal Affairs, the Department of Agriculture and
  243  Consumer Services, or the Department of Financial Services.
  244         (36)(28) “SUNCOM Network” means the state enterprise
  245  telecommunications system that provides all methods of
  246  electronic or optical telecommunications beyond a single
  247  building or contiguous building complex and used by entities
  248  authorized as network users under this part.
  249         (37)(29) “Telecommunications” means the science and
  250  technology of communication at a distance, including electronic
  251  systems used in the transmission or reception of information.
  252         (38)(30) “Threat” means any circumstance or event that has
  253  the potential to adversely impact a state agency’s operations or
  254  assets through an information system via unauthorized access,
  255  destruction, disclosure, or modification of information or
  256  denial of service.
  257         (39)(31) “Variance” means a calculated value that
  258  illustrates how far positive or negative a projection has
  259  deviated when measured against documented estimates within a
  260  project plan.
  261         Section 3. Section 282.0051, Florida Statutes, is amended
  262  to read:
  263         282.0051 Florida Digital Service Department of Management
  264  Services; powers, duties, and functions.—There is established
  265  the Florida Digital Service within the department to create
  266  innovative solutions that securely modernize state government,
  267  achieve value through digital transformation and
  268  interoperability, and fully support the cloud-first policy as
  269  specified in s. 282.206.
  270         (1) The Florida Digital Service department shall have the
  271  following powers, duties, and functions:
  272         (a)(1) Develop and publish information technology policy
  273  for the management of the state’s information technology
  274  resources.
  275         (b)(2)Develop an enterprise architecture that:
  276         1.Acknowledges the unique needs of those included within
  277  the enterprise, resulting in the publication of standards,
  278  terminologies, and procurement guidelines to facilitate digital
  279  interoperability;
  280         2.Supports the cloud-first policy as specified in s.
  281  282.206; and
  282         3.Addresses how information technology infrastructure may
  283  be modernized to achieve cloud-first objectives Establish and
  284  publish information technology architecture standards to provide
  285  for the most efficient use of the state’s information technology
  286  resources and to ensure compatibility and alignment with the
  287  needs of state agencies. The department shall assist state
  288  agencies in complying with the standards.
  289         (c)(3) Establish project management and oversight standards
  290  with which state agencies must comply when implementing projects
  291  that have an information technology component projects. The
  292  Florida Digital Service department shall provide training
  293  opportunities to state agencies to assist in the adoption of the
  294  project management and oversight standards. To support data
  295  driven decisionmaking, the standards must include, but are not
  296  limited to:
  297         1.(a) Performance measurements and metrics that objectively
  298  reflect the status of a project with an information technology
  299  component project based on a defined and documented project
  300  scope, cost, and schedule.
  301         2.(b) Methodologies for calculating acceptable variances in
  302  the projected versus actual scope, schedule, or cost of a
  303  project with an information technology component project.
  304         3.(c) Reporting requirements, including requirements
  305  designed to alert all defined stakeholders that a project with
  306  an information technology component project has exceeded
  307  acceptable variances defined and documented in a project plan.
  308         4.(d) Content, format, and frequency of project updates.
  309         (d)(4) Perform project oversight on all state agency
  310  information technology projects that have an information
  311  technology component with a total project cost costs of $10
  312  million or more and that are funded in the General
  313  Appropriations Act or any other law. The Florida Digital Service
  314  department shall report at least quarterly to the Executive
  315  Office of the Governor, the President of the Senate, and the
  316  Speaker of the House of Representatives on any project with an
  317  information technology component project that the Florida
  318  Digital Service department identifies as high-risk due to the
  319  project exceeding acceptable variance ranges defined and
  320  documented in a project plan. The report must include a risk
  321  assessment, including fiscal risks, associated with proceeding
  322  to the next stage of the project, and a recommendation for
  323  corrective actions required, including suspension or termination
  324  of the project. The Florida Digital Service shall establish a
  325  process for state agencies to apply for an exception to the
  326  requirements of this paragraph for a specific project with an
  327  information technology component.
  328         (e)(5) Identify opportunities for standardization and
  329  consolidation of information technology services that support
  330  interoperability and the cloud-first policy as specified in s.
  331  282.206, business functions and operations, including
  332  administrative functions such as purchasing, accounting and
  333  reporting, cash management, and personnel, and that are common
  334  across state agencies. The Florida Digital Service department
  335  shall biennially on April 1 provide recommendations for
  336  standardization and consolidation to the Executive Office of the
  337  Governor, the President of the Senate, and the Speaker of the
  338  House of Representatives.
  339         (f)(6) Establish best practices for the procurement of
  340  information technology products and cloud-computing services in
  341  order to reduce costs, increase the quality of data center
  342  services, or improve government services.
  343         (g)(7) Develop standards for information technology reports
  344  and updates, including, but not limited to, operational work
  345  plans, project spend plans, and project status reports, for use
  346  by state agencies.
  347         (h)(8) Upon request, assist state agencies in the
  348  development of information technology-related legislative budget
  349  requests.
  350         (i)(9) Conduct annual assessments of state agencies to
  351  determine compliance with all information technology standards
  352  and guidelines developed and published by the Florida Digital
  353  Service department and provide results of the assessments to the
  354  Executive Office of the Governor, the President of the Senate,
  355  and the Speaker of the House of Representatives.
  356         (j)(10) Provide operational management and oversight of the
  357  state data center established pursuant to s. 282.201, which
  358  includes:
  359         1.(a) Implementing industry standards and best practices
  360  for the state data center’s facilities, operations, maintenance,
  361  planning, and management processes.
  362         2.(b) Developing and implementing cost-recovery or other
  363  payment mechanisms that recover the full direct and indirect
  364  cost of services through charges to applicable customer
  365  entities. Such cost-recovery or other payment mechanisms must
  366  comply with applicable state and federal regulations concerning
  367  distribution and use of funds and must ensure that, for any
  368  fiscal year, no service or customer entity subsidizes another
  369  service or customer entity.
  370         3.(c) Developing and implementing appropriate operating
  371  guidelines and procedures necessary for the state data center to
  372  perform its duties pursuant to s. 282.201. The guidelines and
  373  procedures must comply with applicable state and federal laws,
  374  regulations, and policies and conform to generally accepted
  375  governmental accounting and auditing standards. The guidelines
  376  and procedures must include, but need not be limited to:
  377         a.1. Implementing a consolidated administrative support
  378  structure responsible for providing financial management,
  379  procurement, transactions involving real or personal property,
  380  human resources, and operational support.
  381         b.2. Implementing an annual reconciliation process to
  382  ensure that each customer entity is paying for the full direct
  383  and indirect cost of each service as determined by the customer
  384  entity’s use of each service.
  385         c.3. Providing rebates that may be credited against future
  386  billings to customer entities when revenues exceed costs.
  387         d.4. Requiring customer entities to validate that
  388  sufficient funds exist in the appropriate data processing
  389  appropriation category or will be transferred into the
  390  appropriate data processing appropriation category before
  391  implementation of a customer entity’s request for a change in
  392  the type or level of service provided, if such change results in
  393  a net increase to the customer entity’s cost for that fiscal
  394  year.
  395         e.5. By November 15 of each year, providing to the Office
  396  of Policy and Budget in the Executive Office of the Governor and
  397  to the chairs of the legislative appropriations committees the
  398  projected costs of providing data center services for the
  399  following fiscal year.
  400         f.6. Providing a plan for consideration by the Legislative
  401  Budget Commission if the cost of a service is increased for a
  402  reason other than a customer entity’s request made pursuant to
  403  sub-subparagraph d. subparagraph 4. Such a plan is required only
  404  if the service cost increase results in a net increase to a
  405  customer entity for that fiscal year.
  406         g.7. Standardizing and consolidating procurement and
  407  contracting practices.
  408         4.(d) In collaboration with the Department of Law
  409  Enforcement, developing and implementing a process for
  410  detecting, reporting, and responding to information technology
  411  security incidents, breaches, and threats.
  412         5.(e) Adopting rules relating to the operation of the state
  413  data center, including, but not limited to, budgeting and
  414  accounting procedures, cost-recovery or other payment
  415  methodologies, and operating procedures.
  416         (f) Conducting an annual market analysis to determine
  417  whether the state’s approach to the provision of data center
  418  services is the most effective and cost-efficient manner by
  419  which its customer entities can acquire such services, based on
  420  federal, state, and local government trends; best practices in
  421  service provision; and the acquisition of new and emerging
  422  technologies. The results of the market analysis shall assist
  423  the state data center in making adjustments to its data center
  424  service offerings.
  425         (k)(11) Recommend other information technology services
  426  that should be designed, delivered, and managed as enterprise
  427  information technology services. Recommendations must include
  428  the identification of existing information technology resources
  429  associated with the services, if existing services must be
  430  transferred as a result of being delivered and managed as
  431  enterprise information technology services.
  432         (l)(12) In consultation with state agencies, propose a
  433  methodology and approach for identifying and collecting both
  434  current and planned information technology expenditure data at
  435  the state agency level.
  436         (m)1.(13)(a) Notwithstanding any other law, provide project
  437  oversight on any project with an information technology
  438  component project of the Department of Financial Services, the
  439  Department of Legal Affairs, and the Department of Agriculture
  440  and Consumer Services which has a total project cost of $25
  441  million or more and which impacts one or more other agencies.
  442  Such projects with an information technology component projects
  443  must also comply with the applicable information technology
  444  architecture, project management and oversight, and reporting
  445  standards established by the Florida Digital Service department.
  446  The Florida Digital Service shall establish a process for the
  447  Department of Financial Services, the Department of Legal
  448  Affairs, and the Department of Agriculture and Consumer Services
  449  to apply for an exception to the requirements of this paragraph
  450  for a specific project with an information technology component.
  451         2.(b) When performing the project oversight function
  452  specified in subparagraph 1. paragraph (a), report at least
  453  quarterly to the Executive Office of the Governor, the President
  454  of the Senate, and the Speaker of the House of Representatives
  455  on any project with an information technology component project
  456  that the Florida Digital Service department identifies as high
  457  risk due to the project exceeding acceptable variance ranges
  458  defined and documented in the project plan. The report shall
  459  include a risk assessment, including fiscal risks, associated
  460  with proceeding to the next stage of the project and a
  461  recommendation for corrective actions required, including
  462  suspension or termination of the project.
  463         (n)(14) If a project with an information technology
  464  component project implemented by a state agency must be
  465  connected to or otherwise accommodated by an information
  466  technology system administered by the Department of Financial
  467  Services, the Department of Legal Affairs, or the Department of
  468  Agriculture and Consumer Services, consult with these
  469  departments regarding the risks and other effects of such
  470  projects on their information technology systems and work
  471  cooperatively with these departments regarding the connections,
  472  interfaces, timing, or accommodations required to implement such
  473  projects.
  474         (o)(15) If adherence to standards or policies adopted by or
  475  established pursuant to this section causes conflict with
  476  federal regulations or requirements imposed on a state agency
  477  and results in adverse action against the state agency or
  478  federal funding, work with the state agency to provide
  479  alternative standards, policies, or requirements that do not
  480  conflict with the federal regulation or requirement. The Florida
  481  Digital Service department shall annually report such
  482  alternative standards to the Governor, the President of the
  483  Senate, and the Speaker of the House of Representatives.
  484         (p)1.(16)(a) Establish an information technology policy for
  485  all information technology-related state contracts, including
  486  state term contracts for information technology commodities,
  487  consultant services, and staff augmentation services. The
  488  information technology policy must include:
  489         a.1. Identification of the information technology product
  490  and service categories to be included in state term contracts.
  491         b.2. Requirements to be included in solicitations for state
  492  term contracts.
  493         c.3. Evaluation criteria for the award of information
  494  technology-related state term contracts.
  495         d.4. The term of each information technology-related state
  496  term contract.
  497         e.5. The maximum number of vendors authorized on each state
  498  term contract.
  499         2.(b) Evaluate vendor responses for information technology
  500  related state term contract solicitations and invitations to
  501  negotiate.
  502         3.(c) Answer vendor questions on information technology
  503  related state term contract solicitations.
  504         4.(d) Ensure that the information technology policy
  505  established pursuant to subparagraph 1. paragraph (a) is
  506  included in all solicitations and contracts that are
  507  administratively executed by the department.
  508         (q)(17) Recommend potential methods for standardizing data
  509  across state agencies which will promote interoperability and
  510  reduce the collection of duplicative data.
  511         (r)(18) Recommend open data technical standards and
  512  terminologies for use by the enterprise state agencies.
  513         (2)(a)The Secretary of Management Services shall designate
  514  a state chief information officer, who shall administer the
  515  Florida Digital Service and is included in the Senior Management
  516  Service.
  517         (b)The state chief information officer shall designate a
  518  chief data officer, who shall report to the state chief
  519  information officer and is included in the Senior Management
  520  Service.
  521         (3)The Florida Digital Service shall, pursuant to
  522  legislative appropriation:
  523         (a)Create and maintain a comprehensive indexed data
  524  catalog that lists what data elements are housed within the
  525  enterprise and in which legacy system or application these data
  526  elements are located.
  527         (b)Develop and publish, in collaboration with the
  528  enterprise, a data dictionary for each agency which reflects the
  529  nomenclature in the comprehensive indexed data catalog.
  530         (c)Review and document use cases across the enterprise
  531  architecture.
  532         (d)Develop and publish standards that support the creation
  533  and deployment of application programming interfaces to
  534  facilitate integration throughout the enterprise.
  535         (e)Publish standards necessary to facilitate a secure
  536  ecosystem of data interoperability which is compliant with the
  537  enterprise architecture and allows for a qualified entity to
  538  access the enterprise’s data under the terms of the agreements
  539  with the department. However, enterprise data do not include
  540  data that are restricted from public distribution based on
  541  federal or state privacy, confidentiality, or security laws and
  542  regulations.
  543         (f)Publish standards that facilitate the deployment of
  544  applications or solutions to existing enterprise obligations in
  545  a controlled and phased approach, including, but not limited to:
  546         1.Electronic credentials, including digital proofs of a
  547  driver license as specified in s. 322.032.
  548         2.Interoperability that enables supervisors of elections
  549  to authenticate voter eligibility in real time at the point of
  550  service.
  551         3.The criminal justice database.
  552         4.Motor vehicle insurance cancellation integration between
  553  insurers and the Department of Highway Safety and Motor
  554  Vehicles.
  555         5.Interoperability solutions between agencies, including,
  556  but not limited to, the Department of Health, the Agency for
  557  Health Care Administration, the Agency for Persons with
  558  Disabilities, the Department of Education, the Department of
  559  Elderly Affairs, and the Department of Children and Families.
  560         6.Interoperability solutions to support military members,
  561  veterans, and their families.
  562         (4) Pursuant to legislative authorization and subject to
  563  appropriation:
  564         (a) The department may procure a credential service
  565  provider through a competitive process pursuant to s. 287.057.
  566  The terms of the contract developed from such procurement must
  567  pay for the value on a per-data-call or subscription basis, and
  568  there shall be no cost to the enterprise or law enforcement for
  569  using the services provided by the credential service provider.
  570         (b) The department may enter into agreements with qualified
  571  entities that have the technological capabilities necessary to
  572  integrate with the credential service provider; ensure secure
  573  validation and authentication of data; meet usage criteria; and
  574  agree to terms and conditions, privacy policies, and uniform
  575  remittance terms relating to the consumption of enterprise data.
  576  Enterprise data do not include data that are restricted from
  577  public disclosure based on federal or state privacy,
  578  confidentiality, or security laws and regulations. These
  579  agreements must include clear, enforceable, and significant
  580  penalties for violations of the agreements.
  581         (c) The terms of the agreements between the department and
  582  the credential service provider and between the department and
  583  the qualified entities must be based on the per-data-call or
  584  subscription charges to validate and authenticate an electronic
  585  credential and allow the department to recover any state costs
  586  for implementing and administering an electronic credential
  587  solution. Credential service provider and qualifying entity
  588  revenues may not be derived from any other transactions that
  589  generate revenue for the enterprise outside of the per-data-call
  590  or subscription charges.
  591         (d) All revenues generated from the agreements with the
  592  credential service provider and qualified entities shall be
  593  remitted to the department, and the department shall deposit
  594  these revenues into the Department of Management Services
  595  Operating Trust Fund for distribution pursuant to a legislative
  596  appropriation and department agreements with the credential
  597  service provider and qualified entities.
  598         (e) Upon the signing of the agreement and the enterprise
  599  architecture terms of service and privacy policies with a
  600  qualified entity, the department shall facilitate authorized
  601  integrations between the qualified entity and the credential
  602  service provider.
  603         (5)Upon the adoption of the enterprise architecture, the
  604  Florida Digital Service may develop a process to:
  605         (a)Receive written notice from the enterprise of any
  606  procurement of an information technology project that is subject
  607  to enterprise architecture standards.
  608         (b)Participate in the development of specifications and
  609  recommend modifications of any procurement by state agencies so
  610  that the procurement complies with the enterprise architecture.
  611         (6)(19)The Florida Digital Service may adopt rules to
  612  administer this section.
  613         Section 4. Section 282.00515, Florida Statutes, is amended
  614  to read:
  615         282.00515 Duties of Cabinet agencies.—
  616         (1) The Department of Legal Affairs, the Department of
  617  Financial Services, and the Department of Agriculture and
  618  Consumer Services shall adopt the standards established in s.
  619  282.0051(1)(b), (c), (g), (r), and (3)(e) s. 282.0051(2), (3),
  620  and (7) or adopt alternative standards based on best practices
  621  and industry standards that allow for the interoperability of
  622  open data within the enterprise.
  623         (2)If the Department of Legal Affairs, the Department of
  624  Financial Services, or the Department of Agriculture and
  625  Consumer Services adopts alternative standards in lieu of the
  626  enterprise architecture standards in s. 282.0051, such agency
  627  shall notify the Governor, the President of the Senate, and
  628  Speaker of the House of Representatives in writing before the
  629  adoption of the alternative standards and annually thereafter,
  630  until such agency adopts the enterprise architecture standards
  631  in s. 282.0051. The notification must include the following:
  632         (a)A detailed plan of how such agency will comply with the
  633  interoperability requirements referenced in this chapter.
  634         (b)An estimated cost and time difference between adhering
  635  to the enterprise architecture or choosing alternative
  636  standards.
  637         (c)A detailed security risk assessment of adopting
  638  alternative standards versus adopting the enterprise
  639  architecture.
  640         (d)Certification by the agency head or the agency head’s
  641  designated representative that the agency’s strategic and
  642  operational information technology security plans as required by
  643  s. 282.318(4) include provisions related to interoperability.
  644         (3)The Department of Legal Affairs, the Department of
  645  Financial Services, or the Department of Agriculture and
  646  Consumer Services may contract with the department to provide or
  647  perform any of the services and functions described in s.
  648  282.0051.
  649         (4)(a)This section or s. 282.0051 does not require the
  650  Department of Legal Affairs, the Department of Financial
  651  Services, or the Department of Agriculture and Consumer Services
  652  to integrate with any information technology outside its own
  653  department or contract with a credential service provider.
  654         (b)The Florida Digital Service may not retrieve or publish
  655  data without a data sharing agreement in place between the
  656  Florida Digital Service and the Department of Legal Affairs, the
  657  Department of Financial Services, or the Department of
  658  Agriculture and Consumer Services, and may contract with the
  659  department to provide or perform any of the services and
  660  functions described in s. 282.0051 for the Department of Legal
  661  Affairs, the Department of Financial Services, or the Department
  662  of Agriculture and Consumer Services.
  663         Section 5. Paragraph (a) of subsection (3) of section
  664  282.318, Florida Statutes, is amended to read:
  665         282.318 Security of data and information technology.—
  666         (3) The department is responsible for establishing
  667  standards and processes consistent with generally accepted best
  668  practices for information technology security, to include
  669  cybersecurity, and adopting rules that safeguard an agency’s
  670  data, information, and information technology resources to
  671  ensure availability, confidentiality, and integrity and to
  672  mitigate risks. The department shall also:
  673         (a) Designate a state chief information security officer
  674  who shall report to the state chief information officer of the
  675  Florida Digital Service and is in the Senior Management Service.
  676  The state chief information security officer must have
  677  experience and expertise in security and risk management for
  678  communications and information technology resources.
  679         Section 6. Subsection (4) of section 287.0591, Florida
  680  Statutes, is amended to read:
  681         287.0591 Information technology.—
  682         (4) If the department issues a competitive solicitation for
  683  information technology commodities, consultant services, or
  684  staff augmentation contractual services, the Florida Digital
  685  Service Division of State Technology within the department shall
  686  participate in such solicitations.
  687         Section 7. Paragraph (a) of subsection (3) of section
  688  365.171, Florida Statutes, is amended to read:
  689         365.171 Emergency communications number E911 state plan.—
  690         (3) DEFINITIONS.—As used in this section, the term:
  691         (a) “Office” means the Division of Telecommunications State
  692  Technology within the Department of Management Services, as
  693  designated by the secretary of the department.
  694         Section 8. Paragraph (s) of subsection (3) of section
  695  365.172, Florida Statutes, is amended to read:
  696         365.172 Emergency communications number “E911.”—
  697         (3) DEFINITIONS.—Only as used in this section and ss.
  698  365.171, 365.173, 365.174, and 365.177, the term:
  699         (s) “Office” means the Division of Telecommunications State
  700  Technology within the Department of Management Services, as
  701  designated by the secretary of the department.
  702         Section 9. Paragraph (a) of subsection (1) of section
  703  365.173, Florida Statutes, is amended to read:
  704         365.173 Communications Number E911 System Fund.—
  705         (1) REVENUES.—
  706         (a) Revenues derived from the fee levied on subscribers
  707  under s. 365.172(8) must be paid by the board into the State
  708  Treasury on or before the 15th day of each month. Such moneys
  709  must be accounted for in a special fund to be designated as the
  710  Emergency Communications Number E911 System Fund, a fund created
  711  in the Division of Telecommunications State Technology, or other
  712  office as designated by the Secretary of Management Services.
  713         Section 10. Subsection (5) of section 943.0415, Florida
  714  Statutes, is amended to read:
  715         943.0415 Cybercrime Office.—There is created within the
  716  Department of Law Enforcement the Cybercrime Office. The office
  717  may:
  718         (5) Consult with the Florida Digital Service Division of
  719  State Technology within the Department of Management Services in
  720  the adoption of rules relating to the information technology
  721  security provisions in s. 282.318.
  722         Section 11. Effective January 1, 2021, section 559.952,
  723  Florida Statutes, is created to read:
  724         559.952 Financial Technology Sandbox.—
  725         (1)SHORT TITLE.—This section may be cited as the
  726  “Financial Technology Sandbox.”
  727         (2)CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
  728  created the Financial Technology Sandbox within the Office of
  729  Financial Regulation to allow financial technology innovators to
  730  test new products and services in a supervised, flexible
  731  regulatory sandbox using exceptions to specified general law and
  732  waivers of the corresponding rule requirements under defined
  733  conditions. The creation of a supervised, flexible regulatory
  734  sandbox provides a welcoming business environment for technology
  735  innovators and may lead to significant business growth.
  736         (3)DEFINITIONS.—As used in this section, the term:
  737         (a)“Business entity” means a domestic corporation or other
  738  organized domestic entity with a physical presence, other than
  739  that of a registered office or agent or virtual mailbox, in this
  740  state.
  741         (b)“Commission” means the Financial Services Commission.
  742         (c)“Consumer” means a person in this state, whether a
  743  natural person or a business entity, who purchases, uses,
  744  receives, or enters into an agreement to purchase, use, or
  745  receive an innovative financial product or service made
  746  available through the Financial Technology Sandbox.
  747         (d)“Control person” means an individual, a partnership, a
  748  corporation, a trust, or other organization that possesses the
  749  power, directly or indirectly, to direct the management or
  750  policies of a company, whether through ownership of securities,
  751  by contract, or through other means. A person is presumed to
  752  control a company if, with respect to a particular company, that
  753  person:
  754         1. Is a director, a general partner, or an officer
  755  exercising executive responsibility or having similar status or
  756  functions;
  757         2. Directly or indirectly may vote 10 percent or more of a
  758  class of a voting security or sell or direct the sale of 10
  759  percent or more of a class of voting securities; or
  760         3. In the case of a partnership, may receive upon
  761  dissolution or has contributed 10 percent or more of the
  762  capital.
  763         (e)“Financial product or service” means a product or
  764  service related to a consumer finance loan, as defined in s.
  765  516.01, or a money transmitter and payment instrument seller, as
  766  defined in s. 560.103, including mediums of exchange that are in
  767  electronic or digital form, which is subject to general law or
  768  corresponding rule requirements in the sections enumerated in
  769  paragraph (4)(a) and which is under the jurisdiction of the
  770  office.
  771         (f)“Financial Technology Sandbox” means the program
  772  created in this section which allows a licensee to make an
  773  innovative financial product or service available to consumers
  774  as a person who makes and collects consumer finance loans, as
  775  defined in s. 516.01, or as a money transmitter or payment
  776  instrument seller, as defined in s. 560.103, during a sandbox
  777  period through an exception to general laws or a waiver of rule
  778  requirements, or portions thereof, as specified in this section.
  779         (g)“Innovative” means new or emerging technology, or new
  780  uses of existing technology, which provides a product, service,
  781  business model, or delivery mechanism to the public and which is
  782  not known to have a comparable offering in this state outside
  783  the Financial Technology Sandbox.
  784         (h)“Licensee” means a person who has been approved by the
  785  office to participate in the Financial Technology Sandbox.
  786         (i)“Office” means, unless the context clearly indicates
  787  otherwise, the Office of Financial Regulation.
  788         (j)“Sandbox period” means the period, initially not longer
  789  than 24 months, in which the office has:
  790         1.Authorized an innovative financial product or service to
  791  be made available to consumers.
  792         2.Granted the licensee who makes the innovative financial
  793  product or service available an exception to general law or a
  794  waiver of the corresponding rule requirements, as determined by
  795  the office, so that the authorization under subparagraph 1. is
  796  possible.
  797         (4)EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
  798  REQUIREMENTS.—
  799         (a) Notwithstanding any other law, upon approval of a
  800  Financial Technology Sandbox application, the office shall grant
  801  an applicant a license and a waiver of a requirement, or a
  802  portion thereof, which is imposed by rule as authorized by any
  803  of the following provisions of general law, if all of the
  804  conditions in paragraph (b) are met. If the application is
  805  approved for a person who otherwise would be subject to chapter
  806  516 or chapter 560, the following provisions are not applicable
  807  to the licensee:
  808         1. Section 516.03, except for the application fee for a
  809  license, the investigation fee, evidence of liquid assets of at
  810  least $25,000, and the office’s authority to make an
  811  investigation of the facts concerning the applicant’s background
  812  as provided in s. 516.03(1). The office may prorate the license
  813  renewal fees for an extension granted under subsection (7).
  814         2. Section 516.05, except for s. 516.05(4), (5), and (7)
  815  (9).
  816         3.Section 560.109, to the extent that it requires the
  817  office to examine a licensee at least once every 5 years.
  818         4.Section 560.118, except for s. 560.118(1).
  819         5.Section 560.125(1), to the extent that subsection would
  820  prohibit a licensee from engaging in the business of a money
  821  services business during the sandbox period; and s. 560.125(2),
  822  to the extent that subsection would prohibit a licensee from
  823  appointing an authorized vendor during the sandbox period.
  824         6.Section 560.128.
  825         7.Section 560.141, except for s. 560.141(1)(a)3., 8., 9.,
  826  and 10. and (1)(b), (c), and (d).
  827         8.Section 560.142, except that the office may prorate, but
  828  may not entirely waive, the license renewal fees provided in ss.
  829  560.142 and 560.143 for an extension granted under subsection
  830  (7).
  831         9.Section 560.143(2), to the extent necessary for
  832  proration of the renewal fee under subparagraph 8.
  833         10.Section 560.204(1), to the extent that subsection would
  834  prohibit a licensee from engaging in, or advertising it engages
  835  in, the selling or issuing of payment instruments or in the
  836  activity of a money transmitter during the sandbox period.
  837         11.Section 560.205, except for s. 560.205(1), (3), and
  838  (4).
  839         12.Section 560.208, except for s. 560.208(3)-(6).
  840         13.Section 560.209, except that the office may modify, but
  841  may not entirely waive, the net worth, corporate surety bond,
  842  and collateral deposit amounts required under that section. The
  843  modified amounts must be in such lower amounts that the office
  844  determines to be commensurate with the considerations under
  845  paragraph (5)(d) and the maximum number of consumers authorized
  846  to receive the financial product or service under this section.
  847         (b)The office may grant, during a sandbox period, an
  848  exception of a requirement, or a portion thereof, imposed by a
  849  general law or waiver of a corresponding rule in any section
  850  enumerated in paragraph (a) to a licensee, if all of the
  851  following conditions are met:
  852         1.The general law or corresponding rule currently prevents
  853  the innovative financial product or service from being made
  854  available to consumers.
  855         2.The exceptions or rule waivers are not broader than
  856  necessary to accomplish the purposes and standards specified in
  857  this section, as determined by the office.
  858         3.No provision relating to the liability of an
  859  incorporator, a director, or an officer of the applicant is
  860  eligible for a waiver.
  861         4.The other requirements of this section are met.
  862         (5)FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
  863  APPROVAL.
  864         (a)Before filing an application for licensure under this
  865  section, a substantially affected person may seek a declaratory
  866  statement pursuant to s. 120.565 regarding the applicability of
  867  a statute, a rule, or an agency order to the petitioner’s
  868  particular set of circumstances.
  869         (b)Before making an innovative financial product or
  870  service available to consumers in the Financial Technology
  871  Sandbox, a person must file an application for licensure with
  872  the office. The commission shall, by rule, prescribe the form
  873  and manner of the application.
  874         1.In the application, the person must specify the general
  875  law or rule requirements for which an exception or waiver is
  876  sought and the reasons why these requirements prevent the
  877  innovative financial product or service from being made
  878  available to consumers.
  879         2.The application also must contain the information
  880  specified in paragraph (d).
  881         (c)1.A business entity may file an application for
  882  licensure.
  883         2.Before a person applies on behalf of a business entity
  884  intending to make an innovative financial product or service
  885  available to consumers, the person must obtain the consent of
  886  the business entity.
  887         (d)The office shall approve or deny in writing a Financial
  888  Technology Sandbox application within 60 days after receiving
  889  the completed application. The office and the applicant may
  890  jointly agree to extend the time beyond 60 days. Consistent with
  891  this section, the office may impose conditions on any approval.
  892  In deciding whether to approve or deny an application for
  893  licensure, the office must consider each of the following:
  894         1.The nature of the innovative financial product or
  895  service proposed to be made available to consumers in the
  896  Financial Technology Sandbox, including all relevant technical
  897  details.
  898         2.The potential risk to consumers and the methods that
  899  will be used to protect consumers and resolve complaints during
  900  the sandbox period.
  901         3.The business plan proposed by the applicant, including
  902  company information, market analysis, and financial projections
  903  or pro forma financial statements.
  904         4.Whether the applicant has the necessary personnel,
  905  adequate financial and technical expertise, and a sufficient
  906  plan to test, monitor, and assess the innovative financial
  907  product or service.
  908         5.If any control person of the applicant’s innovative
  909  financial product or service has pled no contest to, has been
  910  convicted or found guilty of, or is currently under
  911  investigation for, fraud, a state or federal securities
  912  violation, a property-based offense, or a crime involving moral
  913  turpitude or dishonest dealing, the application to the Financial
  914  Technology Sandbox must be denied. A plea of no contest, a
  915  conviction, or a finding of guilt must be reported under this
  916  subparagraph regardless of adjudication.
  917         6.A copy of the disclosures that will be provided to
  918  consumers under paragraph (6)(c).
  919         7.The financial responsibility of any control person.
  920         8.Any other factor that the office determines to be
  921  relevant.
  922         (e)The office may not approve an application if:
  923         1.The applicant had a prior Financial Technology Sandbox
  924  application that was approved and that related to a
  925  substantially similar financial product or service; or
  926         2.Any control person substantially involved in the
  927  development, operation, or management of the applicant’s
  928  innovative financial product or service was substantially
  929  involved in such with another Financial Technology Sandbox
  930  applicant whose application was approved and whose application
  931  related to a substantially similar financial product or service.
  932         (f)Upon approval of an application, the office shall
  933  specify the general law or rule requirements, or portions
  934  thereof, for which an exception or a waiver is granted during
  935  the sandbox period and the length of the initial sandbox period,
  936  not to exceed 24 months. The office shall post on its website
  937  notice of the approval of the application, a summary of the
  938  innovative financial product or service, and the contact
  939  information of the person making the financial product or
  940  service available.
  941         (6)OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.
  942         (a)A licensee under this section may make an innovative
  943  financial product or service available to consumers during the
  944  sandbox period.
  945         (b)The office, on a case-by-case basis, may specify the
  946  maximum number of consumers authorized to receive an innovative
  947  financial product or service, after consultation with the person
  948  who makes the financial product or service available to
  949  consumers. The office may not authorize more than 15,000
  950  consumers to receive the financial product or service until the
  951  licensee who makes the financial product or service available to
  952  consumers has filed the first report required under subsection
  953  (8). After the filing of that report, if the licensee
  954  demonstrates adequate financial capitalization, risk management
  955  processes, and management oversight, the office may authorize up
  956  to 25,000 consumers to receive the financial product or service.
  957         (c)1.Before a consumer purchases, uses, receives, or
  958  enters into an agreement to purchase, use, or receive an
  959  innovative financial product or service through the Financial
  960  Technology Sandbox, the licensee making the financial product or
  961  service available must provide a written statement of all of the
  962  following to the consumer:
  963         a.The name and contact information of the person making
  964  the financial product or service available to consumers.
  965         b.That the financial product or service has been
  966  authorized to be made available to consumers for a temporary
  967  period by the office, under the laws of this state.
  968         c.That the state does not endorse the financial product or
  969  service.
  970         d.That the financial product or service is undergoing
  971  testing, may not function as intended, and may entail financial
  972  risk.
  973         e.That the licensee making the financial product or
  974  service available to consumers is not immune from civil
  975  liability for any losses or damages caused by the financial
  976  product or service.
  977         f.The expected end date of the sandbox period.
  978         g.The contact information for the office and notification
  979  that suspected legal violations, complaints, or other comments
  980  related to the financial product or service may be submitted to
  981  the office.
  982         h.Any other statements or disclosures required by rule of
  983  the commission which are necessary to further the purposes of
  984  this section.
  985         2.The written statement must contain an acknowledgement
  986  from the consumer, which must be retained for the duration of
  987  the sandbox period by the licensee making the financial product
  988  or service available.
  989         (d)The office may enter into an agreement with a state,
  990  federal, or foreign regulatory agency to allow persons who make
  991  an innovative financial product or service available in this
  992  state through the Financial Technology Sandbox to make their
  993  products or services available in other jurisdictions. The
  994  commission shall adopt rules to implement this paragraph.
  995         (e)The office may examine the records of a licensee at any
  996  time, with or without prior notice.
  997         (7)EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.
  998         (a)A licensee may apply for an extension of the initial
  999  sandbox period for up to 12 additional months for a purpose
 1000  specified in subparagraph (b)1. or subparagraph (b)2. A complete
 1001  application for an extension must be filed with the office at
 1002  least 90 days before the conclusion of the initial sandbox
 1003  period. The office shall approve or deny the application for
 1004  extension in writing at least 35 days before the conclusion of
 1005  the initial sandbox period. In deciding to approve or deny an
 1006  application for extension of the sandbox period, the office
 1007  must, at a minimum, consider the current status of the factors
 1008  previously considered under paragraph (5)(d).
 1009         (b)An application for an extension under paragraph (a)
 1010  must cite one of the following reasons as the basis for the
 1011  application and must provide all relevant supporting information
 1012  that:
 1013         1.Amendments to general law or rules are necessary to
 1014  offer the innovative financial product or service in this state
 1015  permanently.
 1016         2.An application for a license that is required in order
 1017  to offer the innovative financial product or service in this
 1018  state permanently has been filed with the office, and approval
 1019  is pending.
 1020         (c)At least 30 days before the conclusion of the initial
 1021  sandbox period or the extension, whichever is later, a licensee
 1022  shall provide written notification to consumers regarding the
 1023  conclusion of the initial sandbox period or the extension and
 1024  may not make the financial product or service available to any
 1025  new consumers after the conclusion of the initial sandbox period
 1026  or the extension, whichever is later, until legal authority
 1027  outside of the Financial Technology Sandbox exists for the
 1028  licensee to make the financial product or service available to
 1029  consumers. After the conclusion of the sandbox period or the
 1030  extension, whichever is later, the licensee may:
 1031         1.Collect and receive money owed to the person or pay
 1032  money owed by the person, based on agreements with consumers
 1033  made before the conclusion of the sandbox period or the
 1034  extension.
 1035         2.Take necessary legal action.
 1036         3.Take other actions authorized by commission rule which
 1037  are not inconsistent with this subsection.
 1038         (8)REPORT.A licensee shall submit a report to the office
 1039  twice a year as prescribed by commission rule. The report must,
 1040  at a minimum, include financial reports and the number of
 1041  consumers who have received the financial product or service.
 1042         (9)CONSTRUCTION.—A person whose Financial Technology
 1043  Sandbox application is approved is deemed licensed under this
 1044  section and is subject to chapter 516 or chapter 560 with the
 1045  applicable exceptions to general law or waiver of the rule
 1046  requirements of chapter 516 or chapter 560 specified under
 1047  paragraph (4)(a), unless the person’s license has been revoked
 1048  or suspended. Notwithstanding s. 560.204(2), a licensee may not
 1049  engage in activities authorized under part III of chapter 560.
 1050         (10)VIOLATIONS AND PENALTIES.
 1051         (a)A licensee who makes an innovative financial product or
 1052  service available to consumers in the Financial Technology
 1053  Sandbox is:
 1054         1.Not immune from civil damages for acts and omissions
 1055  relating to this section.
 1056         2.Subject to all criminal and any other statute not
 1057  specifically excepted under paragraph (4)(a).
 1058         (b)1.The office may, by order, revoke or suspend a license
 1059  of a person to make an innovative financial product or service
 1060  available to consumers if:
 1061         a.The person has violated or refused to comply with this
 1062  section, a rule of the commission, an order of the office, or a
 1063  condition placed by the office on the approval of the person’s
 1064  Financial Technology Sandbox application;
 1065         b.A fact or condition exists that, if it had existed or
 1066  become known at the time that the Financial Technology Sandbox
 1067  application was pending, would have warranted denial of the
 1068  application or the imposition of material conditions;
 1069         c.A material error, false statement, misrepresentation, or
 1070  material omission was made in the Financial Technology Sandbox
 1071  application; or
 1072         d.After consultation with the licensee, the office
 1073  determines that continued testing of the innovative financial
 1074  product or service would:
 1075         (I)Be likely to harm consumers; or
 1076         (II)No longer serve the purposes of this section because
 1077  of the financial or operational failure of the financial product
 1078  or service.
 1079         2.Written notice of a revocation or suspension order made
 1080  under subparagraph 1. must be served using any means authorized
 1081  by law. If the notice relates to a suspension, the notice must
 1082  include any condition or remedial action that the person must
 1083  complete before the office lifts the suspension.
 1084         (c)The office may refer any suspected violation of law to
 1085  an appropriate state or federal agency for investigation,
 1086  prosecution, civil penalties, and other appropriate enforcement
 1087  action.
 1088         (d)If service of process on a person making an innovative
 1089  financial product or service available to consumers in the
 1090  Financial Technology Sandbox is not feasible, service on the
 1091  office is deemed service on such person.
 1092         (11)RULES AND ORDERS.
 1093         (a)The commission shall adopt rules to administer this
 1094  section.
 1095         (b)The office may issue all necessary orders to enforce
 1096  this section and may enforce these orders in accordance with
 1097  chapter 120 or in any court of competent jurisdiction. These
 1098  orders include, but are not limited to, orders for payment of
 1099  restitution for harm suffered by consumers as a result of an
 1100  innovative financial product or service.
 1101         Section 12. For the 2020-2021 fiscal year, the sum of
 1102  $50,000 in nonrecurring funds is appropriated from the
 1103  Administrative Trust Fund to the Office of Financial Regulation
 1104  to implement s. 559.952, Florida Statutes, as created by this
 1105  act.
 1106         Section 13. Except as otherwise expressly provided in this
 1107  act, this act shall take effect July 1, 2020.