| 1 | A bill to be entitled |
| 2 | An act relating to data destruction; providing |
| 3 | definitions; requiring all state agencies and private |
| 4 | entities that collect personal information to adhere to |
| 5 | the procedures provided in the National Institute of |
| 6 | Standards and Technology "Guidelines for Media |
| 7 | Sanitization" when destroying such information; requiring |
| 8 | such agencies and entities to maintain a copy of the |
| 9 | guidelines; requiring all state agencies to submit a |
| 10 | sampling of sanitized media to a third-party vendor for |
| 11 | verification of data destruction; authorizing the |
| 12 | Department of Management Services to adopt rules; |
| 13 | providing an effective date. |
| 14 |
| 15 | Be It Enacted by the Legislature of the State of Florida: |
| 16 |
| 17 | Section 1. Media sanitization.-- |
| 18 | (1) As used in this section, the term: |
| 19 | (a) "Media" means: |
| 20 | 1. "Hard copy information," which is the physical |
| 21 | representation of information, including, but not limited to, |
| 22 | paper printouts, printer and facsimile ribbons, drums, and |
| 23 | platens; and |
| 24 | 2. "Electronic information," which is the bits and bytes |
| 25 | contained in hard drives, random-access memory, read-only |
| 26 | memory, optical disc storage media, memory devices, telephones, |
| 27 | mobile computing devices, networking equipment, and other types |
| 28 | of information storage equipment. |
| 29 | (b) "Sanitization" or "sanitize" means the process of |
| 30 | removing data from media, such that the data may not be |
| 31 | retrieved or reconstructed. |
| 32 | (2) All state agencies, as defined in s. 119.011, Florida |
| 33 | Statutes, and all private corporations, business trusts, |
| 34 | partnerships, limited liability companies, associations, joint |
| 35 | ventures, estates, trusts, or any other legal or commercial |
| 36 | entity, for profit or not for profit, located in or doing |
| 37 | business in this state, which collects any information that: is |
| 38 | deemed secret, private, personal, or confidential in nature; |
| 39 | contains identifying information, including names, personal or |
| 40 | business addresses, social security numbers, credit or debit |
| 41 | card numbers, bank account numbers, telephone numbers, or |
| 42 | photographs that are recorded on media; and is subject to |
| 43 | sanitization or meets the criteria for destruction as set forth |
| 44 | in the "Guidelines for Media Sanitization: Recommendation of the |
| 45 | National Institute of Standards and Technology," NIST Special |
| 46 | Publication 800-88, must use the purge or physical destruction |
| 47 | techniques for media destruction described in that document. |
| 48 | (3) All state agencies and private entities subject to |
| 49 | subsection (2) must keep a copy of the Guidelines for Media |
| 50 | Sanitization available for use. An electronic copy of the |
| 51 | document must be kept on the computer desktop of the chief |
| 52 | information officer, security officer, records management |
| 53 | officer, or other person responsible for the sanitization of the |
| 54 | personal or private data at the agency or entity. |
| 55 | (4) All state agencies must submit a sampling of sanitized |
| 56 | electronic media to a third-party vendor without a stake in the |
| 57 | sanitization process for verification of data destruction. The |
| 58 | Department of Management Services shall adopt by rule criteria |
| 59 | for the selection of such vendor and procedures for the |
| 60 | submission and return of such samples. |
| 61 | Section 2. This act shall take effect July 1, 2009. |