Florida Senate - 2020                                    SB 1870
       
       
        
       By Senator Hutson
       
       
       
       
       
       7-01682B-20                                           20201870__
    1                        A bill to be entitled                      
    2         An act relating to technological development; amending
    3         s. 20.22, F.S.; renaming the Division of State
    4         Technology within the Department of Management
    5         Services; adding the Florida Digital Service to the
    6         department; amending s. 282.0051, F.S.; establishing
    7         the Florida Digital Service within the department;
    8         providing definitions; transferring specified powers,
    9         duties, and functions of the department to the Florida
   10         Digital Service and revising such powers, duties, and
   11         functions; providing appointments and requirements of
   12         the state chief information officer and chief data
   13         officer of the Florida Digital Service; requiring the
   14         Florida Digital Service to develop an enterprise
   15         architecture for all state departments and agencies;
   16         providing requirements for such enterprise
   17         architecture; providing duties of the Florida Digital
   18         Service under certain circumstances; authorizing the
   19         Florida Digital Service to enforce the enterprise
   20         architecture by specified means; amending ss. 282.318,
   21         287.0591, 365.171, 365.172, 365.173, and 943.0415,
   22         F.S.; conforming provisions to changes made by the
   23         act; creating s. 559.952, F.S.; providing a short
   24         title; creating the Financial Technology Sandbox
   25         Program; providing definitions; providing certain
   26         waivers of requirements to specified persons under
   27         certain circumstances; requiring an application for
   28         the program for persons who want to make innovative
   29         financial products or services available to consumers;
   30         providing application requirements; requiring the
   31         Office of Financial Regulation to pay an annual fee to
   32         the Department of Law Enforcement for a specified
   33         purpose; providing standards for application approval;
   34         requiring the Commissioner of Financial Regulation and
   35         any other persons exercising such powers to perform
   36         certain actions upon approval of an application;
   37         requiring posting of consumer protection bonds;
   38         providing disposition of such bonds under a specified
   39         circumstance; providing operation of the program;
   40         providing extensions and conclusion of sandbox
   41         periods; requiring persons who make innovative
   42         financial products or services available to consumers
   43         to submit a report; providing construction; providing
   44         that such persons are not immune from civil damages
   45         and are subject to criminal and consumer protection
   46         laws; providing penalties; providing service of
   47         process; requiring the office and the commissioner to
   48         adopt rules; authorizing the commissioner to issue
   49         certain orders and to enforce them in court;
   50         authorizing the commissioner to issue and enforce
   51         orders for payment of restitution and enforcement of
   52         certain bonds; requiring the commissioner to use
   53         certain proceeds for a specified purpose; providing an
   54         effective date.
   55          
   56  Be It Enacted by the Legislature of the State of Florida:
   57  
   58         Section 1. Subsection (2) of section 20.22, Florida
   59  Statutes, is amended to read:
   60         20.22 Department of Management Services.—There is created a
   61  Department of Management Services.
   62         (2) The following divisions and programs within The
   63  Department of Management Services shall consist of the following
   64  are established:
   65         (a) The Facilities Program.
   66         (b) The Division of Telecommunications State Technology,
   67  the director of which is appointed by the secretary of the
   68  department and shall serve as the state chief information
   69  officer. The state chief information officer must be a proven,
   70  effective administrator who must have at least 10 years of
   71  executive-level experience in the public or private sector,
   72  preferably with experience in the development of information
   73  technology strategic planning and the development and
   74  implementation of fiscal and substantive information technology
   75  policy and standards.
   76         (c) The Workforce Program.
   77         (d)1. The Support Program.
   78         2. The Federal Property Assistance Program.
   79         (e) The Administration Program.
   80         (f) The Division of Administrative Hearings.
   81         (g) The Division of Retirement.
   82         (h) The Division of State Group Insurance.
   83         (i)The Florida Digital Service.
   84         Section 2. Section 282.0051, Florida Statutes, is amended
   85  to read:
   86         282.0051 Florida Digital Service Department of Management
   87  Services; powers, duties, and functions.—There is established
   88  the Florida Digital Service within the department to create
   89  innovative solutions that securely modernize and optimize state
   90  government and achieve value through digital transformation and
   91  interoperability.
   92         (1)As used in this section, the term:
   93         (a)“Digital identity verifier” means a digital system
   94  capable of securely authenticating the identity of an external
   95  agent, including a person, an organization, an application, or a
   96  device, without physically storing the necessary data to
   97  validate a digital identity.
   98         (b)“Enterprise” means the state or the entirety of state
   99  government and its subdivisions.
  100         (c)“Enterprise architecture” means a comprehensive
  101  operational framework that contemplates the needs and assets of
  102  the enterprise to create a unified information technology
  103  environment.
  104         (d)“Interoperability” means the technical and legal
  105  ability to share data across and throughout the enterprise.
  106         (e)“Qualified entity” means a public or private entity or
  107  individual that enters into a binding agreement with the Florida
  108  Digital Service, meets usage criteria, agrees to terms and
  109  conditions, and is subsequently and prescriptively authorized by
  110  the Florida Digital Service to access digital assets as defined
  111  in the agreement.
  112         (2) The Florida Digital Service department shall have the
  113  following powers, duties, and functions:
  114         (a)(1) Develop and publish information technology policy
  115  for the management of the state’s information technology
  116  resources.
  117         (b)(2) Establish and publish information technology
  118  architecture standards to provide for the most efficient use of
  119  the state’s information technology resources and to ensure
  120  compatibility and alignment with the needs of state agencies.
  121  The Florida Digital Service department shall assist state
  122  agencies in complying with the standards.
  123         (c)(3) Establish project management and oversight standards
  124  with which state agencies must comply when implementing
  125  information technology projects. The Florida Digital Service
  126  department shall provide training opportunities to state
  127  agencies to assist in the adoption of the project management and
  128  oversight standards. To support data-driven decisionmaking, the
  129  standards must include, but are not limited to:
  130         1.(a) Performance measurements and metrics that objectively
  131  reflect the status of an information technology project based on
  132  a defined and documented project scope, cost, and schedule.
  133         2.(b) Methodologies for calculating acceptable variances in
  134  the projected versus actual scope, schedule, or cost of an
  135  information technology project.
  136         3.(c) Reporting requirements, including requirements
  137  designed to alert all defined stakeholders that an information
  138  technology project has exceeded acceptable variances defined and
  139  documented in a project plan.
  140         4.(d) Content, format, and frequency of project updates.
  141         (d)(4) Perform project oversight on all state agency
  142  information technology projects that have a technology component
  143  with a total project cost costs of $10 million or more and that
  144  are funded in the General Appropriations Act or any other law.
  145  The Florida Digital Service department shall report at least
  146  quarterly to the Executive Office of the Governor, the President
  147  of the Senate, and the Speaker of the House of Representatives
  148  on any information technology project that the Florida Digital
  149  Service department identifies as high-risk due to the project
  150  exceeding acceptable variance ranges defined and documented in a
  151  project plan. The report must include a risk assessment,
  152  including fiscal risks, associated with proceeding to the next
  153  stage of the project, and a recommendation for corrective
  154  actions required, including suspension or termination of the
  155  project.
  156         (e)(5) Identify opportunities for standardization and
  157  consolidation of information technology services that support
  158  business functions and operations, including administrative
  159  functions such as purchasing, accounting and reporting, cash
  160  management, and personnel, and that are common across state
  161  agencies. The Florida Digital Service department shall
  162  biennially on April 1 provide recommendations for
  163  standardization and consolidation to the Executive Office of the
  164  Governor, the President of the Senate, and the Speaker of the
  165  House of Representatives.
  166         (f)(6) Establish best practices for the procurement of
  167  information technology products and cloud-computing services in
  168  order to reduce costs, increase the quality of data center
  169  services, or improve government services.
  170         (g)(7) Develop standards for information technology reports
  171  and updates, including, but not limited to, operational work
  172  plans, project spend plans, and project status reports, for use
  173  by state agencies.
  174         (h)(8) Upon request, assist state agencies in the
  175  development of information technology-related legislative budget
  176  requests.
  177         (i)(9) Conduct annual assessments of state agencies to
  178  determine compliance with all information technology standards
  179  and guidelines developed and published by the Florida Digital
  180  Service department and provide results of the assessments to the
  181  Executive Office of the Governor, the President of the Senate,
  182  and the Speaker of the House of Representatives.
  183         (j)(10) Provide operational management and oversight of the
  184  state data center established pursuant to s. 282.201, which
  185  includes:
  186         1.(a) Implementing industry standards and best practices
  187  for the state data center’s facilities, operations, maintenance,
  188  planning, and management processes.
  189         2.(b) Developing and implementing cost-recovery or payment
  190  mechanisms that recover the full direct and indirect cost of
  191  services through charges to applicable customer entities. Such
  192  cost-recovery mechanisms must comply with applicable state and
  193  federal regulations concerning distribution and use of funds and
  194  must ensure that, for any fiscal year, no service or customer
  195  entity subsidizes another service or customer entity.
  196         3.(c) Developing and implementing appropriate operating
  197  guidelines and procedures necessary for the state data center to
  198  perform its duties pursuant to s. 282.201. The guidelines and
  199  procedures must comply with applicable state and federal laws,
  200  regulations, and policies and conform to generally accepted
  201  governmental accounting and auditing standards. The guidelines
  202  and procedures must include, but need not be limited to:
  203         a.1. Implementing a consolidated administrative support
  204  structure responsible for providing financial management,
  205  procurement, transactions involving real or personal property,
  206  human resources, and operational support.
  207         b.2. Implementing an annual reconciliation process to
  208  ensure that each customer entity is paying for the full direct
  209  and indirect cost of each service as determined by the customer
  210  entity’s use of each service.
  211         c.3. Providing rebates that may be credited against future
  212  billings to customer entities when revenues exceed costs.
  213         d.4. Requiring customer entities to validate that
  214  sufficient funds exist in the appropriate data processing
  215  appropriation category or will be transferred into the
  216  appropriate data processing appropriation category before
  217  implementation of a customer entity’s request for a change in
  218  the type or level of service provided, if such change results in
  219  a net increase to the customer entity’s cost for that fiscal
  220  year.
  221         e.5. By November 15 of each year, providing to the Office
  222  of Policy and Budget in the Executive Office of the Governor and
  223  to the chairs of the legislative appropriations committees the
  224  projected costs of providing data center services for the
  225  following fiscal year.
  226         f.6. Providing a plan for consideration by the Legislative
  227  Budget Commission if the cost of a service is increased for a
  228  reason other than a customer entity’s request made pursuant to
  229  sub-subparagraph d. subparagraph 4. Such a plan is required only
  230  if the service cost increase results in a net increase to a
  231  customer entity for that fiscal year.
  232         7.Standardizing and consolidating procurement and
  233  contracting practices.
  234         4.(d) In collaboration with the Department of Law
  235  Enforcement, developing and implementing a process for
  236  detecting, reporting, and responding to information technology
  237  security incidents, breaches, and threats.
  238         5.(e) Adopting rules relating to the operation of the state
  239  data center, including, but not limited to, budgeting and
  240  accounting procedures, cost-recovery methodologies, and
  241  operating procedures.
  242         (f)Conducting an annual market analysis to determine
  243  whether the state’s approach to the provision of data center
  244  services is the most effective and cost-efficient manner by
  245  which its customer entities can acquire such services, based on
  246  federal, state, and local government trends; best practices in
  247  service provision; and the acquisition of new and emerging
  248  technologies. The results of the market analysis shall assist
  249  the state data center in making adjustments to its data center
  250  service offerings.
  251         (k)(11) Recommend other information technology services
  252  that should be designed, delivered, and managed as enterprise
  253  information technology services. Recommendations must include
  254  the identification of existing information technology resources
  255  associated with the services, if existing services must be
  256  transferred as a result of being delivered and managed as
  257  enterprise information technology services.
  258         (l)(12) In consultation with state agencies, propose a
  259  methodology and approach for identifying and collecting both
  260  current and planned information technology expenditure data at
  261  the state agency level.
  262         (m)1.(13)(a) Notwithstanding any other law, provide project
  263  oversight on any information technology project of the
  264  Department of Financial Services with a technology component,
  265  the Department of Legal Affairs, and the Department of
  266  Agriculture and Consumer Services which has a total project cost
  267  of $25 million or more and which impacts one or more other
  268  agencies. Such information technology projects must also comply
  269  with the applicable information technology architecture, project
  270  management and oversight, and reporting standards established by
  271  the Florida Digital Service department.
  272         2.(b) When performing the project oversight function
  273  specified in subparagraph 1. paragraph (a), report at least
  274  quarterly to the Executive Office of the Governor, the President
  275  of the Senate, and the Speaker of the House of Representatives
  276  on any information technology project that the Florida Digital
  277  Service department identifies as high-risk due to the project
  278  exceeding acceptable variance ranges defined and documented in
  279  the project plan. The report shall include a risk assessment,
  280  including fiscal risks, associated with proceeding to the next
  281  stage of the project and a recommendation for corrective actions
  282  required, including suspension or termination of the project.
  283         (n)(14) If an information technology project implemented by
  284  a state agency must be connected to or otherwise accommodated by
  285  an information technology system administered by the Department
  286  of Financial Services, the Department of Legal Affairs, or the
  287  Department of Agriculture and Consumer Services, consult with
  288  these departments regarding the risks and other effects of such
  289  projects on their information technology systems and work
  290  cooperatively with these departments regarding the connections,
  291  interfaces, timing, or accommodations required to implement such
  292  projects.
  293         (o)(15) If adherence to standards or policies adopted by or
  294  established pursuant to this section causes conflict with
  295  federal regulations or requirements imposed on a state agency
  296  and results in adverse action against the state agency or
  297  federal funding, work with the state agency to provide
  298  alternative standards, policies, or requirements that do not
  299  conflict with the federal regulation or requirement. The Florida
  300  Digital Service department shall annually report such
  301  alternative standards to the Governor, the President of the
  302  Senate, and the Speaker of the House of Representatives.
  303         (p)Follow best purchasing practices of state procurement
  304  to the extent practicable for the purpose of creating innovative
  305  solutions that securely modernize and optimize state government
  306  to achieve value through digital transformation and to use best
  307  business practices employed by the private sector,
  308  notwithstanding chapter 287 and the authority of the department.
  309         (16)(a)Establish an information technology policy for all
  310  information technology-related state contracts, including state
  311  term contracts for information technology commodities,
  312  consultant services, and staff augmentation services. The
  313  information technology policy must include:
  314         1.Identification of the information technology product and
  315  service categories to be included in state term contracts.
  316         2.Requirements to be included in solicitations for state
  317  term contracts.
  318         3.Evaluation criteria for the award of information
  319  technology-related state term contracts.
  320         4.The term of each information technology-related state
  321  term contract.
  322         5.The maximum number of vendors authorized on each state
  323  term contract.
  324         (b)Evaluate vendor responses for information technology
  325  related state term contract solicitations and invitations to
  326  negotiate.
  327         (c)Answer vendor questions on information technology
  328  related state term contract solicitations.
  329         (d)Ensure that the information technology policy
  330  established pursuant to paragraph (a) is included in all
  331  solicitations and contracts that are administratively executed
  332  by the department.
  333         (q)(17) Recommend potential methods for standardizing data
  334  across state agencies which will promote interoperability and
  335  reduce the collection of duplicative data.
  336         (r)(18) Recommend open data technical standards and
  337  terminologies for use by state agencies.
  338         (3)(a)The Secretary of Management Services shall appoint a
  339  state chief information officer to head the Florida Digital
  340  Service. The state chief information officer must be a proven,
  341  effective administrator who must have at least 10 years of
  342  executive-level experience in the public or private sector,
  343  preferably with experience in the development of information
  344  technology strategic planning and the development and
  345  implementation of fiscal and substantive information technology
  346  policy and standards.
  347         (b)The state chief information officer shall appoint a
  348  chief data officer, who shall report to the state chief
  349  information officer. The chief data officer must be a proven,
  350  effective administrator who must have at least 10 years of
  351  experience in data management, data governance,
  352  interoperability, and security. The chief data officer is
  353  included in the Senior Management Service. As used in this
  354  paragraph, the term “data governance” means the practice of
  355  organizing, classifying, securing, and implementing policies,
  356  procedures, and standards for the effective use of an
  357  organization’s structured and unstructured information assets.
  358         (4)The Florida Digital Service shall develop an
  359  enforceable and comprehensive enterprise architecture for all
  360  state departments and agencies which:
  361         (a)Recognizes the unique needs of all stakeholders and
  362  results in the publication of standards and terminologies,
  363  procurement guidelines, and the facilitation of digital
  364  interoperability.
  365         (b)Establishes a comprehensive framework that accounts for
  366  all of the needs and responsibilities of a department and agency
  367  while defining how technology benefits and serves the overall
  368  mission of both entities.
  369         (c)Addresses how hardware, operating systems, legacy
  370  systems, and programming and networking solutions may be used or
  371  improved to achieve current and future objectives.
  372         (d)Allows the enterprise architecture to be enforced, as
  373  appropriate, to ensure stewardship of tax dollars.
  374         (5)Upon the required production of information from the
  375  stakeholders of the enterprise architecture, the Florida Digital
  376  Service shall:
  377         (a)Create and maintain a comprehensive indexed data
  378  catalog that lists what data elements are housed within which
  379  department or agency and in which legacy system or application.
  380         (b)Develop and publish for each state department and
  381  agency a data dictionary that reflects the nomenclature as
  382  existing in the comprehensive indexed data catalog.
  383         (c)Create and maintain an indexed integration catalog that
  384  includes all integration tools currently used by each state
  385  department and agency.
  386         (d)Review, confirm, and document operational use cases
  387  with all stakeholders across the enterprise architecture,
  388  including the Legislature and all state departments and
  389  agencies.
  390         (e)Identify core functionality use cases reliant on
  391  digital and data infrastructure.
  392         (f)Develop, collaboratively with stakeholders, solutions
  393  for authorized, mandated, or encouraged use cases within the
  394  enterprise.
  395         (g)Develop, publish, and manage an application programming
  396  interface to facilitate integration throughout the enterprise.
  397         (h)Facilitate collaborative analysis of enterprise
  398  architecture data to improve service delivery.
  399         (i)Provide a testing environment in which any newly
  400  developed solution can be tested for compliance within the
  401  enterprise architecture and for functionality assurance before
  402  deployment.
  403         (j)Create the functionality necessary for a secure
  404  ecosystem of data interoperability that is compliant with the
  405  enterprise architecture and allows for governmental and
  406  nongovernmental stakeholders to access the data store by:
  407         1.Competitively procuring a credential service provider.
  408  As used in this subparagraph, the term “credential service
  409  provider” means an electronic credential provider that supplies
  410  secure credential services based on open standards for identity
  411  management and verification to qualified entities.
  412         2.Upon the signing of the enterprise architecture terms of
  413  service and privacy policies, providing to qualified entities
  414  and digital identity verifiers appropriate access to the data
  415  store to facilitate authorized integrations to collaboratively,
  416  less expensively, or at no taxpayer cost, solve enterprise use
  417  cases.
  418         (k)Architect and deploy applications or solutions to
  419  existing department and agency obligations in a controlled and
  420  phased approach, including, but not limited to:
  421         1.Digital licenses, including full identification
  422  management.
  423         2.Interoperability that contains the data functionality to
  424  enable supervisors of elections to authenticate voter
  425  eligibility in real time at the point of service.
  426         3.The criminal justice database.
  427         4.Motor vehicle insurance cancellation integration between
  428  insurers and the Department of Highway Safety and Motor
  429  Vehicles.
  430         5.Interoperability solutions between agencies, including,
  431  but not limited to, the Department of Health, the Agency for
  432  Health Care Administration, the Agency for Persons with
  433  Disabilities, the Department of Education, the Department of
  434  Elderly Affairs, and the Department of Children and Families.
  435         (6)The Florida Digital Service may enforce the enterprise
  436  architecture by:
  437         (a)Receiving written notice of any planned or existing
  438  procurement of digital solutions which is subject to governance
  439  by the enterprise architecture, which includes:
  440         1.An attestation of compliance with the enterprise
  441  architecture.
  442         2.A list of integrations tools needed.
  443         3.Enterprise stakeholders actually or potentially involved
  444  or affected by the procurement.
  445         4.Resources that would reduce the cost or increase the
  446  speed to deployment.
  447         (b)Intervening in any procurement that does not comply
  448  with the enterprise architecture after the Florida Digital
  449  Service provided notice of noncompliance to relevant
  450  stakeholders through the following acts:
  451         1.Delaying the procurement until it complies with the
  452  enterprise architecture.
  453         2.Providing recommendations to cure the portions of the
  454  procurement which do not comply with the enterprise
  455  architecture.
  456         (19)Adopt rules to administer this section.
  457         Section 3. Paragraph (a) of subsection (3), paragraphs (d),
  458  (e), (g), and (j) of subsection (4), and paragraph (b) of
  459  subsection (5) of section 282.318, Florida Statutes, are amended
  460  to read:
  461         282.318 Security of data and information technology.—
  462         (3) The department is responsible for establishing
  463  standards and processes consistent with generally accepted best
  464  practices for information technology security, to include
  465  cybersecurity, and adopting rules that safeguard an agency’s
  466  data, information, and information technology resources to
  467  ensure availability, confidentiality, and integrity and to
  468  mitigate risks. The department shall also:
  469         (a) Designate a state chief information security officer
  470  for the Florida Digital Service, who must be a proven, effective
  471  administrator and have at least 10 years of executive-level
  472  experience in the public or private sector, preferably with
  473  experience in the development of information technology
  474  strategic planning and the development and implementation of
  475  fiscal and substantive information technology policy and
  476  standards and expertise in security and risk management for
  477  communications and information technology resources.
  478         (4) Each state agency head shall, at a minimum:
  479         (d) Conduct, and update every 3 years, a comprehensive risk
  480  assessment, which may be completed by a private sector vendor,
  481  to determine the security threats to the data, information, and
  482  information technology resources, including mobile devices and
  483  print environments, of the agency. The risk assessment must
  484  comply with the risk assessment methodology developed by the
  485  department and is confidential and exempt from s. 119.07(1),
  486  except that such information shall be available to the Auditor
  487  General, the Florida Digital Service Division of State
  488  Technology within the department, the Cybercrime Office of the
  489  Department of Law Enforcement, and, for state agencies under the
  490  jurisdiction of the Governor, the Chief Inspector General.
  491         (e) Develop, and periodically update, written internal
  492  policies and procedures, which include procedures for reporting
  493  information technology security incidents and breaches to the
  494  Cybercrime Office of the Department of Law Enforcement and the
  495  Florida Digital Service Division of State Technology within the
  496  department. Such policies and procedures must be consistent with
  497  the rules, guidelines, and processes established by the
  498  department to ensure the security of the data, information, and
  499  information technology resources of the agency. The internal
  500  policies and procedures that, if disclosed, could facilitate the
  501  unauthorized modification, disclosure, or destruction of data or
  502  information technology resources are confidential information
  503  and exempt from s. 119.07(1), except that such information shall
  504  be available to the Auditor General, the Cybercrime Office of
  505  the Department of Law Enforcement, the Florida Digital Service
  506  Division of State Technology within the department, and, for
  507  state agencies under the jurisdiction of the Governor, the Chief
  508  Inspector General.
  509         (g) Ensure that periodic internal audits and evaluations of
  510  the agency’s information technology security program for the
  511  data, information, and information technology resources of the
  512  agency are conducted. The results of such audits and evaluations
  513  are confidential information and exempt from s. 119.07(1),
  514  except that such information shall be available to the Auditor
  515  General, the Cybercrime Office of the Department of Law
  516  Enforcement, the Florida Digital Service Division of State
  517  Technology within the department, and, for agencies under the
  518  jurisdiction of the Governor, the Chief Inspector General.
  519         (j) Develop a process for detecting, reporting, and
  520  responding to threats, breaches, or information technology
  521  security incidents which is consistent with the security rules,
  522  guidelines, and processes established by the Agency for State
  523  Technology.
  524         1. All information technology security incidents and
  525  breaches must be reported to the Florida Digital Service
  526  Division of State Technology within the department and the
  527  Cybercrime Office of the Department of Law Enforcement and must
  528  comply with the notification procedures and reporting timeframes
  529  established pursuant to paragraph (3)(c).
  530         2. For information technology security breaches, state
  531  agencies shall provide notice in accordance with s. 501.171.
  532         3. Records held by a state agency which identify detection,
  533  investigation, or response practices for suspected or confirmed
  534  information technology security incidents, including suspected
  535  or confirmed breaches, are confidential and exempt from s.
  536  119.07(1) and s. 24(a), Art. I of the State Constitution, if the
  537  disclosure of such records would facilitate unauthorized access
  538  to or the unauthorized modification, disclosure, or destruction
  539  of:
  540         a. Data or information, whether physical or virtual; or
  541         b. Information technology resources, which includes:
  542         (I) Information relating to the security of the agency’s
  543  technologies, processes, and practices designed to protect
  544  networks, computers, data processing software, and data from
  545  attack, damage, or unauthorized access; or
  546         (II) Security information, whether physical or virtual,
  547  which relates to the agency’s existing or proposed information
  548  technology systems.
  549  
  550  Such records shall be available to the Auditor General, the
  551  Florida Digital Service Division of State Technology within the
  552  department, the Cybercrime Office of the Department of Law
  553  Enforcement, and, for state agencies under the jurisdiction of
  554  the Governor, the Chief Inspector General. Such records may be
  555  made available to a local government, another state agency, or a
  556  federal agency for information technology security purposes or
  557  in furtherance of the state agency’s official duties. This
  558  exemption applies to such records held by a state agency before,
  559  on, or after the effective date of this exemption. This
  560  subparagraph is subject to the Open Government Sunset Review Act
  561  in accordance with s. 119.15 and shall stand repealed on October
  562  2, 2021, unless reviewed and saved from repeal through
  563  reenactment by the Legislature.
  564         (5) The portions of risk assessments, evaluations, external
  565  audits, and other reports of a state agency’s information
  566  technology security program for the data, information, and
  567  information technology resources of the state agency which are
  568  held by a state agency are confidential and exempt from s.
  569  119.07(1) and s. 24(a), Art. I of the State Constitution if the
  570  disclosure of such portions of records would facilitate
  571  unauthorized access to or the unauthorized modification,
  572  disclosure, or destruction of:
  573         (b) Information technology resources, which include:
  574         1. Information relating to the security of the agency’s
  575  technologies, processes, and practices designed to protect
  576  networks, computers, data processing software, and data from
  577  attack, damage, or unauthorized access; or
  578         2. Security information, whether physical or virtual, which
  579  relates to the agency’s existing or proposed information
  580  technology systems.
  581  
  582  Such portions of records shall be available to the Auditor
  583  General, the Cybercrime Office of the Department of Law
  584  Enforcement, the Florida Digital Service Division of State
  585  Technology within the department, and, for agencies under the
  586  jurisdiction of the Governor, the Chief Inspector General. Such
  587  portions of records may be made available to a local government,
  588  another state agency, or a federal agency for information
  589  technology security purposes or in furtherance of the state
  590  agency’s official duties. For purposes of this subsection,
  591  “external audit” means an audit that is conducted by an entity
  592  other than the state agency that is the subject of the audit.
  593  This exemption applies to such records held by a state agency
  594  before, on, or after the effective date of this exemption. This
  595  subsection is subject to the Open Government Sunset Review Act
  596  in accordance with s. 119.15 and shall stand repealed on October
  597  2, 2021, unless reviewed and saved from repeal through
  598  reenactment by the Legislature.
  599         Section 4. Subsection (4) of section 287.0591, Florida
  600  Statutes, is amended to read:
  601         287.0591 Information technology.—
  602         (4) If the department issues a competitive solicitation for
  603  information technology commodities, consultant services, or
  604  staff augmentation contractual services, the Florida Digital
  605  Service Division of State Technology within the department shall
  606  participate in such solicitations.
  607         Section 5. Paragraph (a) of subsection (3) of section
  608  365.171, Florida Statutes, is amended to read:
  609         365.171 Emergency communications number E911 state plan.—
  610         (3) DEFINITIONS.—As used in this section, the term:
  611         (a) “Office” means the Division of Telecommunications State
  612  Technology within the Department of Management Services, as
  613  designated by the secretary of the department.
  614         Section 6. Paragraph (s) of subsection (3) of section
  615  365.172, Florida Statutes, is amended to read:
  616         365.172 Emergency communications number “E911.”—
  617         (3) DEFINITIONS.—Only as used in this section and ss.
  618  365.171, 365.173, 365.174, and 365.177, the term:
  619         (s) “Office” means the Division of Telecommunications State
  620  Technology within the Department of Management Services, as
  621  designated by the secretary of the department.
  622         Section 7. Paragraph (a) of subsection (1) of section
  623  365.173, Florida Statutes, is amended to read:
  624         365.173 Communications Number E911 System Fund.—
  625         (1) REVENUES.—
  626         (a) Revenues derived from the fee levied on subscribers
  627  under s. 365.172(8) must be paid by the board into the State
  628  Treasury on or before the 15th day of each month. Such moneys
  629  must be accounted for in a special fund to be designated as the
  630  Emergency Communications Number E911 System Fund, a fund created
  631  in the Division of Telecommunications State Technology, or other
  632  office as designated by the Secretary of Management Services.
  633         Section 8. Subsection (5) of section 943.0415, Florida
  634  Statutes, is amended to read:
  635         943.0415 Cybercrime Office.—There is created within the
  636  Department of Law Enforcement the Cybercrime Office. The office
  637  may:
  638         (5) Consult with the Florida Digital Service Division of
  639  State Technology within the Department of Management Services in
  640  the adoption of rules relating to the information technology
  641  security provisions in s. 282.318.
  642         Section 9. Section 559.952, Florida Statutes, is created to
  643  read:
  644         559.952Financial Technology Sandbox Act.—
  645         (1)SHORT TITLE.—This section may be cited as the
  646  “Financial Technology Sandbox Act.”
  647         (2)CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX PROGRAM.
  648  There is created the Financial Technology Sandbox Program within
  649  the Office of Financial Regulation to allow financial technology
  650  innovators to test new products and services in a supervised,
  651  flexible regulatory sandbox, using waivers of specified general
  652  law and rule requirements under defined conditions. The creation
  653  of a supervised, flexible regulatory sandbox provides a
  654  welcoming business environment for technology innovators and may
  655  lead to significant business growth.
  656         (3)DEFINITIONS.—As used in this section, the term:
  657         (a)“Blockchain” means a digital record of online
  658  transactions that are stored chronologically and obtained
  659  through consensus and that are decentralized and mathematically
  660  verified in nature.
  661         (b)“Commissioner” means the Director of the Office of
  662  Financial Regulation, also known as the Commissioner of
  663  Financial Regulation, and any other person lawfully exercising
  664  such powers.
  665         (c)“Consumer” means a person in this state, whether a
  666  natural person or a business entity, who purchases, uses, or
  667  enters into an agreement to receive an innovative financial
  668  product or service made available through the Financial
  669  Technology Sandbox.
  670         (d)“Financial product or service” means a product or
  671  service related to finance, including banking, securities,
  672  consumer credit, or money transmission, which is traditionally
  673  subject to general law or rule requirements in the chapters
  674  enumerated in paragraph (4)(a) and which is under the
  675  jurisdiction of the commissioner.
  676         (e)“Financial Technology Sandbox” means, unless the
  677  context clearly indicates otherwise, the program created in this
  678  section, which allows a person to make an innovative financial
  679  product or service available to consumers during a sandbox
  680  period through a waiver of existing general laws and rule
  681  requirements, or portions thereof, as determined by the
  682  commissioner.
  683         (f)“Innovative” means new or emerging technology, or new
  684  uses of existing technology, including blockchain technology,
  685  which provides a product, service, business model, or delivery
  686  mechanism to the public and has no substantially comparable,
  687  widely available analog in this state.
  688         (g)“Office” means, unless the context clearly indicates
  689  otherwise, the Office of Financial Regulation.
  690         (h)“Sandbox period” means the period, initially not longer
  691  than 24 months, in which the commissioner has:
  692         1.Authorized an innovative financial product or service to
  693  be made available to consumers.
  694         2.Granted the person who makes the innovative financial
  695  product or service available a waiver of general law or rule
  696  requirements, as determined by the commissioner, so that the
  697  authorization under subparagraph 1. is possible.
  698         (4)WAIVERS OF GENERAL LAW AND RULE REQUIREMENTS.—
  699         (a)Notwithstanding any other provision of law, upon
  700  approval of a Financial Technological Sandbox application, the
  701  commissioner may grant an applicant a waiver of a requirement,
  702  or a portion thereof, which is imposed by a general law or rule
  703  in any following chapter or part thereof, if all of the
  704  conditions in paragraph (b) are met:
  705         1.Chapter 516, consumer finance.
  706         2.Chapter 517, securities transactions.
  707         3.Chapter 520, retail installment sales.
  708         4.Chapter 537, title loans.
  709         5.Part I or part II of chapter 560, general provisions of
  710  money services businesses or payment instruments and funds
  711  transmission.
  712         6.Chapter 655, financial institutions generally.
  713         7.Chapter 657, credit unions.
  714         8.Chapter 658, banks and trust companies.
  715         9.Chapter 660, trust business.
  716         10.Chapter 662, family trust companies.
  717         11.Chapter 663, international banking.
  718         (b)The commissioner may grant, during a sandbox period, a
  719  waiver of a requirement, or a portion thereof, imposed by a
  720  general law or rule in any chapter enumerated in paragraph (a),
  721  if all of the following conditions are met:
  722         1.The general law or rule does not currently authorize the
  723  innovative financial product or service to be made available to
  724  consumers.
  725         2.The waiver is not broader than necessary to accomplish
  726  the purposes and standards specified in this section, as
  727  determined by the commissioner.
  728         3.No provision relating to the liability of an
  729  incorporator, director, or officer of the applicant is eligible
  730  for a waiver.
  731         (5)FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
  732  APPROVAL; CONSUMER PROTECTION BOND.—
  733         (a)Before making an innovative financial product or
  734  service available to consumers in the Financial Technology
  735  Sandbox, a person must file an application with the
  736  commissioner. The commissioner shall, by rule, prescribe the
  737  form and manner of the application.
  738         1.In the application, the person must specify the general
  739  law or rule requirements for which a waiver is sought, and the
  740  reasons why these requirements prohibit the innovative financial
  741  product or service from being made available to consumers.
  742         2.The application must also contain the information
  743  specified in subparagraphs (e)1.-7.
  744         (b)A business entity filing an application under this
  745  section must be a domestic corporation or other organized
  746  domestic entity with a physical presence, other than that of a
  747  registered office or agent or virtual mailbox, in this state.
  748         (c)Before an employee applies on behalf of a business
  749  entity intending to make an innovative financial product or
  750  service available to consumers, the employee must obtain the
  751  consent of the business entity.
  752         (d)The applicant must submit fingerprints for each
  753  individual filing an application under this section and each
  754  individual who is substantially involved in the development,
  755  operation, or management of the innovative financial product or
  756  service for live-scan processing in accordance with rules
  757  adopted by the office.
  758         1.The fingerprints may be submitted through a third-party
  759  vendor authorized by the Department of Law Enforcement to
  760  provide live-scan fingerprinting.
  761         2.The Department of Law Enforcement must conduct the state
  762  criminal history background check, and a federal criminal
  763  history background check must be conducted through the Federal
  764  Bureau of Investigation.
  765         3.All fingerprints submitted to the Department of Law
  766  Enforcement must be submitted electronically and entered into
  767  the statewide automated fingerprint identification system
  768  established in s. 943.05(2)(b) and available for use in
  769  accordance with s. 943.05(2)(g) and (h). The office shall pay an
  770  annual fee to the Department of Law Enforcement to participate
  771  in the system and shall inform the Department of Law Enforcement
  772  of any person whose fingerprints no longer must be retained.
  773         4.The office shall review the results of the state and
  774  federal criminal history background checks and determine whether
  775  the applicant meets the office’s requirements.
  776         5.For purposes of this paragraph, fingerprints are not
  777  required to be submitted if the applicant is a publicly traded
  778  corporation or is exempted under s. 560.104(1). The term
  779  “publicly traded” means a stock is currently traded on a
  780  national securities exchange registered with the Securities and
  781  Exchange Commission or traded on an exchange in a country other
  782  than the United States which is regulated by a regulator
  783  equivalent to the Securities and Exchange Commission and the
  784  disclosure and reporting requirements of such regulator are
  785  substantially similar to those of the Securities and Exchange
  786  Commission.
  787         (e)The commissioner shall approve or deny in writing a
  788  Financial Technology Sandbox application within 60 days after
  789  receiving the completed application. The commissioner and the
  790  applicant may jointly agree to extend the time beyond 60 days.
  791  The commissioner may impose conditions on any approval,
  792  consistent with this section. In deciding to approve or deny an
  793  application, the commissioner must consider each of the
  794  following:
  795         1.The nature of the innovative financial product or
  796  service proposed to be made available to consumers in the
  797  Financial Technology Sandbox, including all relevant technical
  798  details, which may include whether the product or service uses
  799  blockchain technology.
  800         2.The potential risk to consumers and the methods that
  801  will be used to protect consumers and resolve complaints during
  802  the sandbox period.
  803         3.The business plan proposed by the applicant, including a
  804  statement of arranged capital.
  805         4.Whether the applicant has the necessary personnel,
  806  adequate financial and technical expertise, and a sufficient
  807  plan to test, monitor, and assess the innovative financial
  808  product or service.
  809         5.Whether any person substantially involved in the
  810  development, operation, or management of the innovative
  811  financial product or service has been convicted of, or is
  812  currently under investigation for, fraud, a state or federal
  813  securities violation, or any property-based offense.
  814         6.A copy of the disclosures that will be provided to
  815  consumers under paragraph (6)(c).
  816         7.Any other factor that the commissioner determines to be
  817  relevant.
  818         (f)If an application is approved pursuant to paragraph
  819  (e), the commissioner shall specify the general law or rule
  820  requirements, or portions thereof, for which a waiver is granted
  821  and the length of the initial sandbox period, not to exceed 24
  822  months. The commissioner shall post on the office’s website
  823  notice of the approval of the application, a summary of the
  824  innovative financial product or service, and the contact
  825  information of the person making the financial product or
  826  service available.
  827         (g)A person whose Financial Technology Sandbox application
  828  is approved shall post a consumer protection bond with the
  829  commissioner as security for potential losses suffered by
  830  consumers. The commissioner shall determine the bond amount,
  831  which must be at least $10,000 and commensurate with the risk
  832  profile of the innovative financial product or service. The
  833  commissioner may require that a bond under this paragraph be
  834  increased or decreased at any time based on the risk profile.
  835  Unless a bond is enforced under subparagraph (11)(b)2., the
  836  commissioner shall cancel the bond or allow it to expire 2 years
  837  after the date of the conclusion of the sandbox period.
  838         (6)OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
  839         (a)A person whose Financial Technology Sandbox application
  840  is approved may make an innovative financial product or service
  841  available to consumers during the sandbox period.
  842         (b)The commissioner may, on a case-by-case basis, specify
  843  the maximum number of consumers authorized to receive an
  844  innovative financial product or service, after consultation with
  845  the person who makes the financial product or service available
  846  to consumers.
  847         (c)1.Before a consumer purchases or enters into an
  848  agreement to receive an innovative financial product or service
  849  through the Financial Technology Sandbox, the person making the
  850  financial product or service available must provide a written
  851  statement of all of the following to the consumer:
  852         a.The name and contact information of the person making
  853  the financial product or service available to consumers.
  854         b.That the financial product or service has been
  855  authorized to be made available to consumers for a temporary
  856  period by the commissioner, under the laws of this state.
  857         c.That the state does not endorse the financial product or
  858  service and is not subject to liability for losses or damages
  859  caused by the financial product or service.
  860         d.That the financial product or service is undergoing
  861  testing, may not function as intended, and may entail financial
  862  risk.
  863         e.That the person making the product or service available
  864  to consumers is not immune from civil liability for any losses
  865  or damages caused by the financial product or service.
  866         f.The expected end date of the sandbox period.
  867         g.The name and contact information of the commissioner,
  868  and notification that suspected legal violations, complaints, or
  869  other comments related to the financial product or service may
  870  be submitted to the commissioner.
  871         h.Any other statements or disclosures required by rule of
  872  the commissioner which are necessary to further the purposes of
  873  this section.
  874         2.The written statement must contain an acknowledgement
  875  from the consumer, which must be retained for the duration of
  876  the sandbox period by the person making the financial product or
  877  service available.
  878         (d)The commissioner may enter into an agreement with a
  879  state, federal, or foreign regulatory agency to allow persons:
  880         1.Who make an innovative financial product or service
  881  available in this state through the Financial Technology Sandbox
  882  to make their products or services available in other
  883  jurisdictions.
  884         2.Who operate in similar financial technology sandboxes in
  885  other jurisdictions to make innovative financial products and
  886  services available in this state under the standards of this
  887  section.
  888         (e)1.A person whose Financial Technology Sandbox
  889  application is approved by the commissioner shall maintain
  890  comprehensive records relating to the innovative financial
  891  product or service. The person shall keep these records for at
  892  least 5 years after the conclusion of the sandbox period. The
  893  commissioner may specify by rule additional records
  894  requirements.
  895         2.The commissioner may examine the records maintained
  896  under subparagraph 1. at any time, with or without notice. All
  897  direct and indirect costs of an examination conducted under this
  898  subparagraph shall be paid by the person making the innovative
  899  financial product or service available to consumers.
  900         (7)EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
  901         (a)A person who is authorized to make an innovative
  902  financial product or service available to consumers may apply
  903  for an extension of the initial sandbox period for up to 12
  904  additional months, with the option of multiple extensions for
  905  the purpose of pursuing licensure from the office. An
  906  application for an extension must be made at least 60 days
  907  before the conclusion of the initial sandbox period or, if the
  908  extension is a second or subsequent extension, at least 60 days
  909  before the conclusion of the current extension. The commissioner
  910  shall approve or deny the application for extension in writing
  911  at least 35 days before the conclusion of the initial sandbox
  912  period or the conclusion of the current extension, if
  913  applicable.
  914         (b)An application for an extension under paragraph (a)
  915  must cite one of the following reasons as the basis for the
  916  application and must provide all relevant supporting information
  917  that:
  918         1.Amendments to general law or rules are necessary to
  919  conduct financial technology business in this state permanently.
  920         2.An application for a license or other authorization
  921  required to conduct business in this state has been filed with
  922  the appropriate office, and approval is pending.
  923         (c)Unless granted an extension under this subsection at
  924  least 30 days before the conclusion of the initial sandbox
  925  period or the current extension, a person who makes an
  926  innovative financial product or service available shall provide
  927  written notification to consumers regarding the conclusion of
  928  the initial sandbox period or the current extension and may not
  929  make the financial product or service available to any new
  930  consumers after the conclusion of the initial sandbox period or
  931  the current extension until legal authority outside of the
  932  Financial Technology Sandbox exists to make the financial
  933  product or service available to consumers. The person shall wind
  934  down operations with existing consumers within 60 days after the
  935  conclusion of the sandbox period or the current extension,
  936  except that, after the 60th day, the person may:
  937         1.Collect and receive money owed to the person and service
  938  loans made by the person, based on agreements with consumers
  939  made before the conclusion of the sandbox period or the current
  940  extension.
  941         2.Take necessary legal action.
  942         3.Take other actions authorized by rule by the
  943  commissioner which are not inconsistent with this subsection.
  944         (8)REPORT.—A person authorized to make an innovative
  945  financial product or service available to consumers under
  946  subsection (5) shall submit a report to the commissioner twice a
  947  year as prescribed by rule.
  948         (9)CONSTRUCTION.—
  949         (a)A person whose Financial Technology Sandbox application
  950  is approved shall be deemed to possess an appropriate license
  951  under any general law requiring state licensure or
  952  authorization.
  953         (b)Authorization to make an innovative financial product
  954  or service available to consumers under subsection (5) does not
  955  create a property right.
  956         (c)The state does not endorse the financial product or
  957  service and is not subject to liability for losses or damages
  958  caused by the financial product or service.
  959         (10)VIOLATIONS AND PENALTIES.—
  960         (a)A person who makes an innovative financial product or
  961  service available to consumers in the Financial Technology
  962  Sandbox is:
  963         1.Not immune from civil damages for acts and omissions
  964  relating to this section.
  965         2.Subject to all criminal and consumer protection laws.
  966         (b)1.The commissioner may, by order, revoke or suspend
  967  authorization granted to a person to make an innovative
  968  financial product or service available to consumers if:
  969         a.The person has violated or refused to comply with this
  970  section or any rule, order, or decision adopted by the
  971  commissioner;
  972         b.A fact or condition exists that, if it had existed or
  973  become known at the time of the Financial Technology Sandbox
  974  application, would have warranted denial of the application or
  975  the imposition of material conditions;
  976         c.A material error, false statement, misrepresentation, or
  977  material omission was made in the Financial Technology Sandbox
  978  application; or
  979         d.After consultation with the person, continued testing of
  980  the innovative financial product or service would:
  981         (I)Be likely to harm consumers; or
  982         (II)No longer serve the purposes of this section because
  983  of the financial or operational failure of the financial product
  984  or service.
  985         2.Written notice of a revocation or suspension order made
  986  under subparagraph 1. shall be served using any means authorized
  987  by law. If the notice relates to a suspension, the notice must
  988  include any condition or remedial action that the person must
  989  complete before the commissioner lifts the suspension.
  990         (c)The commissioner may refer any suspected violation of
  991  law relating to this section to an appropriate state or federal
  992  agency for investigation, prosecution, civil penalties, and
  993  other appropriate enforcement actions.
  994         (d)If service of process on a person making an innovative
  995  financial product or service available to consumers in the
  996  Financial Technology Sandbox is not feasible, service on the
  997  commissioner shall be deemed service on such person.
  998         (11)RULES AND ORDERS.—
  999         (a)The office and the commissioner shall adopt rules to
 1000  administer this section.
 1001         (b)The commissioner may issue all necessary orders to
 1002  enforce this section and may enforce these orders in any court
 1003  of competent jurisdiction. These orders include, but are not
 1004  limited to, orders for:
 1005         1.Payment of restitution.
 1006         2.Enforcement of a bond, or a portion of a bond, posted
 1007  under paragraph (5)(g). The commissioner shall use proceeds from
 1008  such bonds to offset losses suffered by consumers as a result of
 1009  an innovative financial product or service.
 1010         Section 10. This act shall take effect July 1, 2020.