Florida Senate - 2020 CS for SB 1870
By the Committee on Innovation, Industry, and Technology; and
1 A bill to be entitled
2 An act relating to technology innovation; amending s.
3 20.22, F.S.; renaming the Division of State Technology
4 within the Department of Management Services as the
5 Division of Telecommunications; deleting provisions
6 relating to the appointment of the Division of State
7 Technology’s director and qualifications for the state
8 chief information officer; adding the Florida Digital
9 Service to the department; amending s. 282.0041, F.S.;
10 defining terms; amending s. 282.0051, F.S.;
11 establishing the Florida Digital Service within the
12 department; transferring specified powers, duties, and
13 functions of the department to the Florida Digital
14 Service and revising such powers, duties, and
15 functions; providing for appointments of a state chief
16 information officer and a chief data officer and
17 specifying their duties; requiring the Florida Digital
18 Service to develop a comprehensive enterprise
19 architecture; providing requirements for the
20 enterprise architecture; specifying duties of, and
21 authorized actions by, the Florida Digital Service;
22 providing duties of, and authorized actions by, the
23 department; authorizing the Florida Digital Service to
24 adopt rules; amending s. 282.00515, F.S.; establishing
25 the Enterprise Architecture Advisory Council;
26 requiring the council to comply with specified
27 requirements; specifying the composition of the
28 council; providing membership and meeting requirements
29 and duties of the council; deleting provisions
30 relating to specified duties and powers of the
31 Department of Legal Affairs, the Department of
32 Financial Services, and the Department of Agriculture
33 and Consumer Services; amending ss. 282.318, 287.0591,
34 365.171, 365.172, 365.173, and 943.0415, F.S.;
35 conforming provisions to changes made by the act;
36 creating s. 559.952, F.S.; providing a short title;
37 creating the Financial Technology Sandbox within the
38 Office of Financial Regulation; defining terms;
39 authorizing the office to grant waivers of specified
40 financial regulatory requirements to certain
41 applicants offering certain financial products or
42 services during a sandbox period; authorizing certain
43 persons to seek a declaratory statement before filing
44 an application for the Financial Technology Sandbox;
45 specifying requirements and procedures for an
46 application to enter the Financial Technology Sandbox;
47 specifying requirements and procedures for the office
48 in reviewing applications; specifying authorized
49 actions of, limitations on, and disclosure
50 requirements for persons making financial products or
51 services available during a sandbox period;
52 authorizing the office to enter into agreement with
53 certain regulatory agencies for specified purposes;
54 providing recordkeeping requirements; authorizing the
55 office to examine specified records; providing
56 requirements and procedures for applying for
57 extensions and concluding sandbox periods; requiring
58 written notification to consumers at the end of an
59 extension or conclusion of the sandbox period;
60 providing acts that persons who make innovative
61 financial products or services available to consumers
62 may and may not engage in at the end of an extension
63 or conclusion of the sandbox period; specifying state
64 financial regulatory laws that the office may grant
65 exceptions to; specifying reporting requirements to
66 the office; providing construction; providing that
67 such persons are not immune from civil damages and are
68 subject to certain laws; providing penalties;
69 providing for service of process; requiring the
70 Financial Services Commission to adopt rules;
71 authorizing the office to issue orders and enforce
72 them through administrative or judicial process;
73 authorizing the office to issue and enforce orders for
74 payment of restitution; providing effective dates.
76 Be It Enacted by the Legislature of the State of Florida:
78 Section 1. Subsection (2) of section 20.22, Florida
79 Statutes, is amended to read:
80 20.22 Department of Management Services.—There is created a
81 Department of Management Services.
82 (2) The following divisions and programs within the
83 Department of Management Services shall consist of the following
84 are established:
85 (a) The Facilities Program.
86 (b) The Division of Telecommunications State Technology,
87 the director of which is appointed by the secretary of the
88 department and shall serve as the state chief information
89 officer. The state chief information officer must be a proven,
90 effective administrator who must have at least 10 years of
91 executive-level experience in the public or private sector,
92 preferably with experience in the development of information
93 technology strategic planning and the development and
94 implementation of fiscal and substantive information technology
95 policy and standards.
96 (c) The Workforce Program.
97 (d)1. The Support Program.
98 2. The Federal Property Assistance Program.
99 (e) The Administration Program.
100 (f) The Division of Administrative Hearings.
101 (g) The Division of Retirement.
102 (h) The Division of State Group Insurance.
103 (i) The Florida Digital Service.
104 Section 2. Section 282.0041, Florida Statutes, is amended
105 to read:
106 282.0041 Definitions.—As used in this chapter, the term:
107 (1) “Agency assessment” means the amount each customer
108 entity must pay annually for services from the Department of
109 Management Services and includes administrative and data center
110 services costs.
111 (2) “Agency data center” means agency space containing 10
112 or more physical or logical servers.
113 (3) “Breach” has the same meaning as provided in s.
115 (4) “Business continuity plan” means a collection of
116 procedures and information designed to keep an agency’s critical
117 operations running during a period of displacement or
118 interruption of normal operations.
119 (5) “Cloud computing” has the same meaning as provided in
120 Special Publication 800-145 issued by the National Institute of
121 Standards and Technology.
122 (6) “Computing facility” or “agency computing facility”
123 means agency space containing fewer than a total of 10 physical
124 or logical servers, but excluding single, logical-server
125 installations that exclusively perform a utility function such
126 as file and print servers.
127 (7) “Credential service provider” means a provider
128 competitively procured by the department to supply secure
129 identity management and verification services based on open
130 standards to qualified entities.
131 (8) “Customer entity” means an entity that obtains services
132 from the Department of Management Services.
133 (9) (8) “Data” means a subset of structured information in a
134 format that allows such information to be electronically
135 retrieved and transmitted.
136 (10) “Data-call” means an electronic transaction with the
137 credential service provider that verifies the authenticity of a
138 digital identity by querying enterprise data.
139 (11) (9) “Department” means the Department of Management
141 (12) (10) “Disaster recovery” means the process, policies,
142 procedures, and infrastructure related to preparing for and
143 implementing recovery or continuation of an agency’s vital
144 technology infrastructure after a natural or human-induced
146 (13) “Electronic” means technology having electrical,
147 digital, magnetic, wireless, optical, electromagnetic, or
148 similar capabilities.
149 (14) “Electronic credential” means a digital asset that
150 verifies the identity of a person, organization, application, or
152 (15) “Enterprise” means the collection of state agencies.
153 The term includes the Department of Legal Affairs, the
154 Department of Agriculture and Consumer Services, the Department
155 of Financial Services, and the judicial branch.
156 (16) “Enterprise architecture” means a comprehensive
157 operational framework that contemplates the needs and assets of
158 the enterprise to support interoperability across state
160 (17) (11) “Enterprise information technology service” means
161 an information technology service that is used in all agencies
162 or a subset of agencies and is established in law to be
163 designed, delivered, and managed at the enterprise level.
164 (18) (12) “Event” means an observable occurrence in a system
165 or network.
166 (19) (13) “Incident” means a violation or imminent threat of
167 violation, whether such violation is accidental or deliberate,
168 of information technology resources, security, policies, or
169 practices. An imminent threat of violation refers to a situation
170 in which the state agency has a factual basis for believing that
171 a specific incident is about to occur.
172 (20) (14) “Information technology” means equipment,
173 hardware, software, firmware, programs, systems, networks,
174 infrastructure, media, and related material used to
175 automatically, electronically, and wirelessly collect, receive,
176 access, transmit, display, store, record, retrieve, analyze,
177 evaluate, process, classify, manipulate, manage, assimilate,
178 control, communicate, exchange, convert, converge, interface,
179 switch, or disseminate information of any kind or form.
180 (21) (15) “Information technology policy” means a definite
181 course or method of action selected from among one or more
182 alternatives that guide and determine present and future
184 (22) (16) “Information technology resources” has the same
185 meaning as provided in s. 119.011.
186 (23) (17) “Information technology security” means the
187 protection afforded to an automated information system in order
188 to attain the applicable objectives of preserving the integrity,
189 availability, and confidentiality of data, information, and
190 information technology resources.
191 (24) “Interoperability” means the technical ability to
192 share and use data across and throughout the enterprise.
193 (25) (18) “Open data” means data collected or created by a
194 state agency and structured in a way that enables the data to be
195 fully discoverable and usable by the public. The term does not
196 include data that are restricted from public distribution based
197 on federal or state privacy, confidentiality, and security laws
198 and regulations or data for which a state agency is statutorily
199 authorized to assess a fee for its distribution.
200 (26) (19) “Performance metrics” means the measures of an
201 organization’s activities and performance.
202 (27) (20) “Project” means an endeavor that has a defined
203 start and end point; is undertaken to create or modify a unique
204 product, service, or result; and has specific objectives that,
205 when attained, signify completion.
206 (28) (21) “Project oversight” means an independent review
207 and analysis of an information technology project that provides
208 information on the project’s scope, completion timeframes, and
209 budget and that identifies and quantifies issues or risks
210 affecting the successful and timely completion of the project.
211 (29) “Qualified entity” means a public or private entity or
212 individual that enters into a binding agreement with the
213 department, meets usage criteria, agrees to terms and
214 conditions, and is subsequently and prescriptively authorized by
215 the department to access data under the terms of that agreement.
216 (30) (22) “Risk assessment” means the process of identifying
217 security risks, determining their magnitude, and identifying
218 areas needing safeguards.
219 (31) (23) “Service level” means the key performance
220 indicators (KPI) of an organization or service which must be
221 regularly performed, monitored, and achieved.
222 (32) (24) “Service-level agreement” means a written contract
223 between the Department of Management Services and a customer
224 entity which specifies the scope of services provided, service
225 level, the duration of the agreement, the responsible parties,
226 and service costs. A service-level agreement is not a rule
227 pursuant to chapter 120.
228 (33) (25) “Stakeholder” means a person, group, organization,
229 or state agency involved in or affected by a course of action.
230 (34) (26) “Standards” means required practices, controls,
231 components, or configurations established by an authority.
232 (35) (27) “State agency” means any official, officer,
233 commission, board, authority, council, committee, or department
234 of the executive branch of state government; the Justice
235 Administrative Commission; and the Public Service Commission.
236 The term does not include university boards of trustees or state
237 universities. As used in part I of this chapter, except as
238 otherwise specifically provided, the term does not include the
239 Department of Legal Affairs, the Department of Agriculture and
240 Consumer Services, or the Department of Financial Services.
241 (36) (28) “SUNCOM Network” means the state enterprise
242 telecommunications system that provides all methods of
243 electronic or optical telecommunications beyond a single
244 building or contiguous building complex and used by entities
245 authorized as network users under this part.
246 (37) (29) “Telecommunications” means the science and
247 technology of communication at a distance, including electronic
248 systems used in the transmission or reception of information.
249 (38) (30) “Threat” means any circumstance or event that has
250 the potential to adversely impact a state agency’s operations or
251 assets through an information system via unauthorized access,
252 destruction, disclosure, or modification of information or
253 denial of service.
254 (39) (31) “Variance” means a calculated value that
255 illustrates how far positive or negative a projection has
256 deviated when measured against documented estimates within a
257 project plan.
258 Section 3. Section 282.0051, Florida Statutes, is amended
259 to read:
260 282.0051 Florida Digital Service Department of Management
261 Services; powers, duties, and functions.—There is established
262 the Florida Digital Service within the department to create
263 innovative solutions that securely modernize state government,
264 achieve value through digital transformation and
265 interoperability, and fully support the cloud-first policy as
266 specified in s. 282.206.
267 (1) The Florida Digital Service department shall have the
268 following powers, duties, and functions:
269 (a) (1) Develop and publish information technology policy
270 for the management of the state’s information technology
272 (b) (2) Establish and publish information technology
273 architecture standards to provide for the most efficient use of
274 the state’s information technology resources and to ensure
275 compatibility and alignment with the needs of state agencies.
276 The Florida Digital Service department shall assist state
277 agencies in complying with the standards.
278 (c) (3) Establish project management and oversight standards
279 with which state agencies must comply when implementing projects
280 that have an information technology component projects. The
281 Florida Digital Service department shall provide training
282 opportunities to state agencies to assist in the adoption of the
283 project management and oversight standards. To support data
284 driven decisionmaking, the standards must include, but are not
285 limited to:
286 1. (a) Performance measurements and metrics that objectively
287 reflect the status of a project with an information technology
288 component project based on a defined and documented project
289 scope, cost, and schedule.
290 2. (b) Methodologies for calculating acceptable variances in
291 the projected versus actual scope, schedule, or cost of a
292 project with an information technology component project.
293 3. (c) Reporting requirements, including requirements
294 designed to alert all defined stakeholders that a project with
295 an information technology component project has exceeded
296 acceptable variances defined and documented in a project plan.
297 4. (d) Content, format, and frequency of project updates.
298 (d) (4) Perform project oversight on all state agency
299 information technology projects that have an information
300 technology component with a total project cost costs of $10
301 million or more and that are funded in the General
302 Appropriations Act or any other law. The Florida Digital Service
303 department shall report at least quarterly to the Executive
304 Office of the Governor, the President of the Senate, and the
305 Speaker of the House of Representatives on any project with an
306 information technology component project that the Florida
307 Digital Service department identifies as high-risk due to the
308 project exceeding acceptable variance ranges defined and
309 documented in a project plan. The report must include a risk
310 assessment, including fiscal risks, associated with proceeding
311 to the next stage of the project, and a recommendation for
312 corrective actions required, including suspension or termination
313 of the project. The Florida Digital Service shall establish a
314 process for state agencies to apply for an exception to the
315 requirements of this paragraph for a specific project with an
316 information technology component.
317 (e) (5) Identify opportunities for standardization and
318 consolidation of information technology services that support
319 interoperability and the cloud-first policy as specified in s.
320 282.206, business functions and operations, including
321 administrative functions such as purchasing, accounting and
322 reporting, cash management, and personnel, and that are common
323 across state agencies. The Florida Digital Service department
324 shall biennially on April 1 provide recommendations for
325 standardization and consolidation to the Executive Office of the
326 Governor, the President of the Senate, and the Speaker of the
327 House of Representatives.
328 (f) (6) Establish best practices for the procurement of
329 information technology products and cloud-computing services in
330 order to reduce costs, increase the quality of data center
331 services, or improve government services.
332 (g) (7) Develop standards for information technology reports
333 and updates, including, but not limited to, operational work
334 plans, project spend plans, and project status reports, for use
335 by state agencies.
336 (h) (8) Upon request, assist state agencies in the
337 development of information technology-related legislative budget
339 (i) (9) Conduct annual assessments of state agencies to
340 determine compliance with all information technology standards
341 and guidelines developed and published by the Florida Digital
342 Service department and provide results of the assessments to the
343 Executive Office of the Governor, the President of the Senate,
344 and the Speaker of the House of Representatives.
345 (j) (10) Provide operational management and oversight of the
346 state data center established pursuant to s. 282.201, which
348 1. (a) Implementing industry standards and best practices
349 for the state data center’s facilities, operations, maintenance,
350 planning, and management processes.
351 2. (b) Developing and implementing cost-recovery or other
352 payment mechanisms that recover the full direct and indirect
353 cost of services through charges to applicable customer
354 entities. Such cost-recovery or other payment mechanisms must
355 comply with applicable state and federal regulations concerning
356 distribution and use of funds and must ensure that, for any
357 fiscal year, no service or customer entity subsidizes another
358 service or customer entity.
359 3. (c) Developing and implementing appropriate operating
360 guidelines and procedures necessary for the state data center to
361 perform its duties pursuant to s. 282.201. The guidelines and
362 procedures must comply with applicable state and federal laws,
363 regulations, and policies and conform to generally accepted
364 governmental accounting and auditing standards. The guidelines
365 and procedures must include, but need not be limited to:
366 a. 1. Implementing a consolidated administrative support
367 structure responsible for providing financial management,
368 procurement, transactions involving real or personal property,
369 human resources, and operational support.
370 b. 2. Implementing an annual reconciliation process to
371 ensure that each customer entity is paying for the full direct
372 and indirect cost of each service as determined by the customer
373 entity’s use of each service.
374 c. 3. Providing rebates that may be credited against future
375 billings to customer entities when revenues exceed costs.
376 d. 4. Requiring customer entities to validate that
377 sufficient funds exist in the appropriate data processing
378 appropriation category or will be transferred into the
379 appropriate data processing appropriation category before
380 implementation of a customer entity’s request for a change in
381 the type or level of service provided, if such change results in
382 a net increase to the customer entity’s cost for that fiscal
384 e. 5. By November 15 of each year, providing to the Office
385 of Policy and Budget in the Executive Office of the Governor and
386 to the chairs of the legislative appropriations committees the
387 projected costs of providing data center services for the
388 following fiscal year.
389 f. 6. Providing a plan for consideration by the Legislative
390 Budget Commission if the cost of a service is increased for a
391 reason other than a customer entity’s request made pursuant to
392 sub-subparagraph d. subparagraph 4. Such a plan is required only
393 if the service cost increase results in a net increase to a
394 customer entity for that fiscal year.
395 g. 7. Standardizing and consolidating procurement and
396 contracting practices.
397 4. (d) In collaboration with the Department of Law
398 Enforcement, developing and implementing a process for
399 detecting, reporting, and responding to information technology
400 security incidents, breaches, and threats.
401 5. (e) Adopting rules relating to the operation of the state
402 data center, including, but not limited to, budgeting and
403 accounting procedures, cost-recovery or other payment
404 methodologies, and operating procedures.
405 (f) Conducting an annual market analysis to determine
406 whether the state’s approach to the provision of data center
407 services is the most effective and cost-efficient manner by
408 which its customer entities can acquire such services, based on
409 federal, state, and local government trends; best practices in
410 service provision; and the acquisition of new and emerging
411 technologies. The results of the market analysis shall assist
412 the state data center in making adjustments to its data center
413 service offerings.
414 (k) (11) Recommend other information technology services
415 that should be designed, delivered, and managed as enterprise
416 information technology services. Recommendations must include
417 the identification of existing information technology resources
418 associated with the services, if existing services must be
419 transferred as a result of being delivered and managed as
420 enterprise information technology services.
421 (l) (12) In consultation with state agencies, propose a
422 methodology and approach for identifying and collecting both
423 current and planned information technology expenditure data at
424 the state agency level.
425 (m)1. (13)(a) Notwithstanding any other law, provide project
426 oversight on any project with an information technology
427 component project of the Department of Financial Services, the
428 Department of Legal Affairs, and the Department of Agriculture
429 and Consumer Services which has a total project cost of $25
430 million or more and which impacts one or more other agencies.
431 Such projects with an information technology component projects
432 must also comply with the applicable information technology
433 architecture, project management and oversight, and reporting
434 standards established by the Florida Digital Service department.
435 The Florida Digital Service shall establish a process for the
436 Department of Financial Services, the Department of Legal
437 Affairs, and the Department of Agriculture and Consumer Services
438 to apply for an exception to the requirements of this paragraph
439 for a specific project with an information technology component.
440 2. (b) When performing the project oversight function
441 specified in subparagraph 1. paragraph (a), report at least
442 quarterly to the Executive Office of the Governor, the President
443 of the Senate, and the Speaker of the House of Representatives
444 on any project with an information technology component project
445 that the Florida Digital Service department identifies as high
446 risk due to the project exceeding acceptable variance ranges
447 defined and documented in the project plan. The report shall
448 include a risk assessment, including fiscal risks, associated
449 with proceeding to the next stage of the project and a
450 recommendation for corrective actions required, including
451 suspension or termination of the project.
452 (n) (14) If a project with an information technology
453 component project implemented by a state agency must be
454 connected to or otherwise accommodated by an information
455 technology system administered by the Department of Financial
456 Services, the Department of Legal Affairs, or the Department of
457 Agriculture and Consumer Services, consult with these
458 departments regarding the risks and other effects of such
459 projects on their information technology systems and work
460 cooperatively with these departments regarding the connections,
461 interfaces, timing, or accommodations required to implement such
463 (o) (15) If adherence to standards or policies adopted by or
464 established pursuant to this section causes conflict with
465 federal regulations or requirements imposed on a state agency
466 and results in adverse action against the state agency or
467 federal funding, work with the state agency to provide
468 alternative standards, policies, or requirements that do not
469 conflict with the federal regulation or requirement. The Florida
470 Digital Service department shall annually report such
471 alternative standards to the Governor, the President of the
472 Senate, and the Speaker of the House of Representatives.
473 (p)1. (16)(a) Establish an information technology policy for
474 all information technology-related state contracts, including
475 state term contracts for information technology commodities,
476 consultant services, and staff augmentation services. The
477 information technology policy must include:
478 a. 1. Identification of the information technology product
479 and service categories to be included in state term contracts.
480 b. 2. Requirements to be included in solicitations for state
481 term contracts.
482 c. 3. Evaluation criteria for the award of information
483 technology-related state term contracts.
484 d. 4. The term of each information technology-related state
485 term contract.
486 e. 5. The maximum number of vendors authorized on each state
487 term contract.
488 2. (b) Evaluate vendor responses for information technology
489 related state term contract solicitations and invitations to
491 3. (c) Answer vendor questions on information technology
492 related state term contract solicitations.
493 4. (d) Ensure that the information technology policy
494 established pursuant to subparagraph 1. paragraph (a) is
495 included in all solicitations and contracts that are
496 administratively executed by the department.
497 (q) (17) Recommend potential methods for standardizing data
498 across state agencies which will promote interoperability and
499 reduce the collection of duplicative data.
500 (r) (18) Recommend open data technical standards and
501 terminologies for use by state agencies.
502 (2)(a) The Secretary of Management Services shall appoint a
503 state chief information officer, who shall administer the
504 Florida Digital Service and is included in the Senior Management
506 (b) The state chief information officer shall appoint a
507 chief data officer, who shall report to the state chief
508 information officer and is included in the Senior Management
510 (3) The Florida Digital Service shall develop a
511 comprehensive enterprise architecture that:
512 (a) Recognizes the unique needs of those included within
513 the enterprise that results in the publication of standards,
514 terminologies, and procurement guidelines to facilitate digital
516 (b) Supports the cloud-first policy as specified in s.
518 (c) Addresses how information technology infrastructure may
519 be modernized to achieve cloud-first objectives.
520 (4) The Florida Digital Service shall, pursuant to
521 legislative appropriation:
522 (a) Create and maintain a comprehensive indexed data
523 catalog that lists what data elements are housed within the
524 enterprise and in which legacy system or application these data
525 elements are located.
526 (b) Develop and publish, in collaboration with the
527 enterprise, a data dictionary for each agency that reflects the
528 nomenclature in the comprehensive indexed data catalog.
529 (c) Review and document use cases across the enterprise
531 (d) Develop and publish standards that support the creation
532 and deployment of application programming interfaces to
533 facilitate integration throughout the enterprise.
534 (e) Facilitate collaborative analysis of enterprise
535 architecture data to improve service delivery.
536 (f) Develop plans to provide a testing environment in which
537 any newly developed solution can be tested for compliance within
538 the enterprise architecture and for functionality assurance
539 before deployment.
540 (g) Publish standards necessary to facilitate a secure
541 ecosystem of data interoperability that is compliant with the
542 enterprise architecture and allows for a qualified entity to
543 access the enterprise’s data under the terms of the agreements
544 with the department.
545 (h) Publish standards that facilitate the deployment of
546 applications or solutions to existing enterprise obligations in
547 a controlled and phased approach, including, but not limited to:
548 1. Electronic credentials, including digital licenses as
549 referenced in s. 322.032.
550 2. Interoperability that enables supervisors of elections
551 to authenticate voter eligibility in real time at the point of
553 3. The criminal justice database.
554 4. Motor vehicle insurance cancellation integration between
555 insurers and the Department of Highway Safety and Motor
557 5. Interoperability solutions between agencies, including,
558 but not limited to, the Department of Health, the Agency for
559 Health Care Administration, the Agency for Persons with
560 Disabilities, the Department of Education, the Department of
561 Elderly Affairs, and the Department of Children and Families.
562 6. Interoperability solutions to support military members,
563 veterans, and their families.
564 (5) Pursuant to legislative authorization and subject to
566 (a) The department may procure a credential service
567 provider through a competitive process pursuant to s. 287.057.
568 The terms of the contract developed from such procurement must
569 pay for the value on a per-data-call or subscription basis, and
570 there shall be no cost to the enterprise or law enforcement for
571 using the services provided by the credential service provider.
572 (b) The department may enter into agreements with qualified
573 entities that have the technological capabilities necessary to
574 integrate with the credential service provider; ensure secure
575 validation and authentication of data; meet usage criteria; and
576 agree to terms and conditions, privacy policies, and uniform
577 remittance terms relating to the consumption of enterprise data.
578 These agreements must include clear, enforceable, and
579 significant penalties for violations of the agreements.
580 (c) The department may enter into agreements with qualified
581 entities that meet usage criteria and agree to the enterprise
582 architecture terms of service and privacy policies. These
583 agreements must include clear, enforceable, and significant
584 penalties for violations of the agreements.
585 (d) The terms of the agreements between the department, the
586 credential service provider, and the qualified entities shall be
587 based on the per-data-call or subscription charges to validate
588 and authenticate and allow the department to recover any state
589 costs for implementing and administering a solution. Credential
590 service provider and qualifying entity revenues may not be
591 derived from any other transactions that generate revenue for
592 the enterprise outside of the per-data-call or subscription
594 (e) All revenues generated from the agreements with the
595 credential service provider and qualified entities shall be
596 remitted to the department, and the department shall deposit
597 these revenues into the Department of Management Services
598 Operating Trust Fund for distribution pursuant to a legislative
599 appropriation and department agreements with the credential
600 service provider and qualified entities.
601 (f) Upon the signing of the agreement and the enterprise
602 architecture terms of service and privacy policies with a
603 qualified entity, the department shall provide to the qualified
604 entity, as applicable, appropriate access to enterprise data to
605 facilitate authorized integrations to collaboratively solve
606 enterprise use cases.
607 (6) The Florida Digital Service may develop a process to:
608 (a) Receive written notice from the state agencies within
609 the enterprise of any planned or existing procurement of an
610 information technology project that is subject to governance by
611 the enterprise architecture.
612 (b) Intervene in any planned procurement by a state agency
613 so that the procurement complies with the enterprise
615 (c) Report to the Governor, the President of the Senate,
616 and the Speaker of the House of Representatives on any
617 information technology project within the judicial branch that
618 does not comply with the enterprise architecture.
619 (7) (19) The Florida Digital Service may adopt rules to
620 administer this section.
621 Section 4. Section 282.00515, Florida Statutes, is amended
622 to read:
623 282.00515 Enterprise Architecture Advisory Council Duties
624 of Cabinet agencies.—
625 (1)(a) The Enterprise Architecture Advisory Council, an
626 advisory council as defined in s. 20.03(7), is established
627 within the Department of Management Services. The council shall
628 comply with the requirements of s. 20.052 except as otherwise
629 provided in this section.
630 (b) The council shall consist of the following members:
631 1. Four members appointed by the Governor.
632 2. One member appointed by the President of the Senate.
633 3. One member appointed by the Speaker of the House of
635 4. One member appointed by the Chief Justice of the Supreme
637 5. The director of the Office of Policy and Budget in the
638 Executive Office of the Governor, or the person acting in the
639 director’s capacity should the position be vacant.
640 6. The Secretary of Management Services, or the person
641 acting in the secretary’s capacity should the position be
643 7. The state chief information officer, or the person
644 acting in the state chief information officer’s capacity should
645 the position be vacant.
646 8. The chief information officer of the Department of
647 Financial Services, or the person acting in the chief
648 information officer’s capacity should the position be vacant.
649 9. The chief information officer of the Department of Legal
650 Affairs, or the person acting in the chief information officer’s
651 capacity should the position be vacant.
652 10. The chief information officer of the Department of
653 Agriculture and Consumer Services, or the person acting in the
654 chief information officer’s capacity should the position be
656 (2)(a) The appointments made by the Governor, the President
657 of the Senate, the Speaker of the House of Representatives, and
658 the Chief Justice of the Supreme Court are for terms of 4 years.
659 However, for the purpose of providing staggered terms:
660 1. The appointments made by the Governor, the President of
661 the Senate, and the Speaker of the House of Representatives are
662 for initial terms of 2 years.
663 2. The appointment made by the Chief Justice is for an
664 initial term of 3 years.
665 (b) A vacancy on the council among members appointed under
666 subparagraph (1)(b)1., subparagraph (1)(b)2., subparagraph
667 (1)(b)3., or subparagraph (1)(b)4. shall be filled in the same
668 manner as the original appointment for the remainder of the
669 unexpired term.
670 (c) The council shall elect a chair from among its members.
671 (d) The council shall meet at least semiannually, beginning
672 October 1, 2020, to discuss implementation, management, and
673 coordination of the enterprise architecture as defined in s.
674 282.0041; identify potential issues and threats with specific
675 use cases; and recommend proactive solutions. The council may
676 conduct its meetings through teleconferences or other similar
677 means. The Department of Legal Affairs, the Department of
678 Financial Services, and the Department of Agriculture and
679 Consumer Services shall adopt the standards established in s.
680 282.0051(2), (3), and (7) or adopt alternative standards based
681 on best practices and industry standards, and may contract with
682 the department to provide or perform any of the services and
683 functions described in s. 282.0051 for the Department of Legal
684 Affairs, the Department of Financial Services, or the Department
685 of Agriculture and Consumer Services.
686 Section 5. Paragraph (a) of subsection (3) of section
687 282.318, Florida Statutes, is amended to read:
688 282.318 Security of data and information technology.—
689 (3) The department is responsible for establishing
690 standards and processes consistent with generally accepted best
691 practices for information technology security, to include
692 cybersecurity, and adopting rules that safeguard an agency’s
693 data, information, and information technology resources to
694 ensure availability, confidentiality, and integrity and to
695 mitigate risks. The department shall also:
696 (a) Designate a state chief information security officer
697 who shall be appointed by and report to the state chief
698 information officer of the Florida Digital Service and is in the
699 Senior Management Service. The state chief information security
700 officer must have experience and expertise in security and risk
701 management for communications and information technology
703 Section 6. Subsection (4) of section 287.0591, Florida
704 Statutes, is amended to read:
705 287.0591 Information technology.—
706 (4) If the department issues a competitive solicitation for
707 information technology commodities, consultant services, or
708 staff augmentation contractual services, the Florida Digital
709 Service Division of State Technology within the department shall
710 participate in such solicitations.
711 Section 7. Paragraph (a) of subsection (3) of section
712 365.171, Florida Statutes, is amended to read:
713 365.171 Emergency communications number E911 state plan.—
714 (3) DEFINITIONS.—As used in this section, the term:
715 (a) “Office” means the Division of Telecommunications State
716 Technology within the Department of Management Services, as
717 designated by the secretary of the department.
718 Section 8. Paragraph (s) of subsection (3) of section
719 365.172, Florida Statutes, is amended to read:
720 365.172 Emergency communications number “E911.”—
721 (3) DEFINITIONS.—Only as used in this section and ss.
722 365.171, 365.173, 365.174, and 365.177, the term:
723 (s) “Office” means the Division of Telecommunications State
724 Technology within the Department of Management Services, as
725 designated by the secretary of the department.
726 Section 9. Paragraph (a) of subsection (1) of section
727 365.173, Florida Statutes, is amended to read:
728 365.173 Communications Number E911 System Fund.—
729 (1) REVENUES.—
730 (a) Revenues derived from the fee levied on subscribers
731 under s. 365.172(8) must be paid by the board into the State
732 Treasury on or before the 15th day of each month. Such moneys
733 must be accounted for in a special fund to be designated as the
734 Emergency Communications Number E911 System Fund, a fund created
735 in the Division of Telecommunications State Technology, or other
736 office as designated by the Secretary of Management Services.
737 Section 10. Subsection (5) of section 943.0415, Florida
738 Statutes, is amended to read:
739 943.0415 Cybercrime Office.—There is created within the
740 Department of Law Enforcement the Cybercrime Office. The office
742 (5) Consult with the Florida Digital Service Division of
743 State Technology within the Department of Management Services in
744 the adoption of rules relating to the information technology
745 security provisions in s. 282.318.
746 Section 11. Effective January 1, 2021, section 559.952,
747 Florida Statutes, is created to read:
748 559.952 Financial Technology Sandbox.—
749 (1) SHORT TITLE.—This section may be cited as the
750 “Financial Technology Sandbox.”
751 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
752 created the Financial Technology Sandbox within the Office of
753 Financial Regulation to allow financial technology innovators to
754 test new products and services in a supervised, flexible
755 regulatory sandbox using exceptions to specified general law and
756 waivers of the corresponding rule requirements under defined
757 conditions. The creation of a supervised, flexible regulatory
758 sandbox provides a welcoming business environment for technology
759 innovators and may lead to significant business growth.
760 (3) DEFINITIONS.—As used in this section, the term:
761 (a) “Commission” means the Financial Services Commission.
762 (b) “Consumer” means a person in this state, whether a
763 natural person or a business entity, who purchases, uses,
764 receives, or enters into an agreement to purchase, use, or
765 receive an innovative financial product or service made
766 available through the Financial Technology Sandbox.
767 (c) “Financial product or service” means a product or
768 service related to finance, including securities, consumer
769 credit, or money transmission, which is traditionally subject to
770 general law or rule requirements in the provisions enumerated in
771 paragraph (7)(a) and which is under the jurisdiction of the
773 (d) “Financial Technology Sandbox” means the program
774 created in this section which allows a person to make an
775 innovative financial product or service available to consumers
776 through the provisions enumerated in paragraph (7)(a) during a
777 sandbox period through an exception to general laws or a waiver
778 of rule requirements, or portions thereof, as specified in this
780 (e) “Innovative” means new or emerging technology, or new
781 uses of existing technology, which provides a product, service,
782 business model, or delivery mechanism to the public.
783 (f) “Office” means, unless the context clearly indicates
784 otherwise, the Office of Financial Regulation.
785 (g) “Sandbox period” means the period, initially not longer
786 than 24 months, in which the office has:
787 1. Authorized an innovative financial product or service to
788 be made available to consumers.
789 2. Granted the person who makes the innovative financial
790 product or service available an exception to general law or a
791 waiver of the corresponding rule requirements, as determined by
792 the office, so that the authorization under subparagraph 1. is
794 (4) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
796 (a) Before filing an application to enter the Financial
797 Technology Sandbox, a substantially affected person may seek a
798 declaratory statement pursuant to s. 120.565 regarding the
799 applicability of a statute, rule, or agency order to the
800 petitioner’s particular set of circumstances.
801 (b) Before making an innovative financial product or
802 service available to consumers in the Financial Technology
803 Sandbox, a person must file an application with the office. The
804 commission shall prescribe by rule the form and manner of the
806 1. In the application, the person must specify the general
807 law or rule requirements for which an exception or a waiver is
808 sought and the reasons why these requirements prevent the
809 innovative financial product or service from being made
810 available to consumers.
811 2. The application must also contain the information
812 specified in paragraph (e).
813 (c) A business entity filing an application under this
814 section must be a domestic corporation or other organized
815 domestic entity with a physical presence, other than that of a
816 registered office or agent or virtual mailbox, in this state.
817 (d) Before a person applies on behalf of a business entity
818 intending to make an innovative financial product or service
819 available to consumers, the person must obtain the consent of
820 the business entity.
821 (e) The office shall approve or deny in writing a Financial
822 Technology Sandbox application within 60 days after receiving
823 the completed application. The office and the applicant may
824 jointly agree to extend the time beyond 60 days. Consistent with
825 this section, the office may impose conditions on any approval.
826 In deciding to approve or deny an application, the office must
827 consider each of the following:
828 1. The nature of the innovative financial product or
829 service proposed to be made available to consumers in the
830 Financial Technology Sandbox, including all relevant technical
832 2. The potential risk to consumers and the methods that
833 will be used to protect consumers and resolve complaints during
834 the sandbox period.
835 3. The business plan proposed by the applicant, including a
836 statement regarding the applicant’s current and proposed
838 4. Whether the applicant has the necessary personnel,
839 adequate financial and technical expertise, and a sufficient
840 plan to test, monitor, and assess the innovative financial
841 product or service.
842 5. If any person substantially involved in the development,
843 operation, or management of the applicant’s innovative financial
844 product or service has pled no contest to, has been convicted or
845 found guilty of, or is currently under investigation for, fraud,
846 a state or federal securities violation, any property-based
847 offense, or any crime involving moral turpitude or dishonest
848 dealing, their application to the Financial Technology Sandbox
849 will be denied. A plea of no contest, a conviction, or a finding
850 of guilt must be reported under this subparagraph regardless of
852 6. A copy of the disclosures that will be provided to
853 consumers under paragraph (6)(c).
854 7. The financial responsibility of any person substantially
855 involved in the development, operation, or management of the
856 applicant’s innovative financial product or service.
857 8. Any other factor that the office determines to be
859 (f) The office may not approve an application if:
860 1. The applicant had a prior Financial Technology Sandbox
861 application that was approved and that related to a
862 substantially similar financial product or service; or
863 2. Any person substantially involved in the development,
864 operation, or management of the applicant’s innovative financial
865 product or service was substantially involved with another
866 Financial Technology Sandbox applicant whose application was
867 approved and whose application related to a substantially
868 similar financial product or service.
869 (g) Upon approval of an application, the office shall
870 specify the general law or rule requirements, or portions
871 thereof, for which an exception or rule waiver is granted during
872 the sandbox period and the length of the initial sandbox period,
873 not to exceed 24 months. The office shall post on its website
874 notice of the approval of the application, a summary of the
875 innovative financial product or service, and the contact
876 information of the person making the financial product or
877 service available.
878 (5) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
879 (a) A person whose Financial Technology Sandbox application
880 is approved may make an innovative financial product or service
881 available to consumers during the sandbox period.
882 (b) The office may, on a case-by-case basis and after
883 consultation with the person who makes the financial product or
884 service available to consumers, specify the maximum number of
885 consumers authorized to receive an innovative financial product
886 or service. The office may not authorize more than 15,000
887 consumers to receive the financial product or service until the
888 person who makes the financial product or service available to
889 consumers has filed the first report required under subsection
890 (8). After the filing of the report, if the person demonstrates
891 adequate financial capitalization, risk management process, and
892 management oversight, the office may authorize up to 25,000
893 consumers to receive the financial product or service.
894 (c)1. Before a consumer purchases, uses, receives, or
895 enters into an agreement to purchase, use, or receive an
896 innovative financial product or service through the Financial
897 Technology Sandbox, the person making the financial product or
898 service available must provide a written statement of all of the
899 following to the consumer:
900 a. The name and contact information of the person making
901 the financial product or service available to consumers.
902 b. That the financial product or service has been
903 authorized to be made available to consumers for a temporary
904 period by the office, under the laws of this state.
905 c. That this state does not endorse the financial product
906 or service.
907 d. That the financial product or service is undergoing
908 testing, may not function as intended, and may entail financial
910 e. That the person making the financial product or service
911 available to consumers is not immune from civil liability for
912 any losses or damages caused by the financial product or
914 f. The expected end date of the sandbox period.
915 g. The contact information for the office, and notification
916 that suspected legal violations, complaints, or other comments
917 related to the financial product or service may be submitted to
918 the office.
919 h. Any other statements or disclosures required by rule of
920 the commission which are necessary to further the purposes of
921 this section.
922 2. The written statement must contain an acknowledgment
923 from the consumer, which must be retained for the duration of
924 the sandbox period by the person making the financial product or
925 service available.
926 (d) The office may enter into an agreement with a state,
927 federal, or foreign regulatory agency to allow persons:
928 1. Who make an innovative financial product or service
929 available in this state through the Financial Technology Sandbox
930 to make their products or services available in other
932 2. Who operate in similar financial technology sandboxes in
933 other jurisdictions to make innovative financial products and
934 services available in this state under the standards of this
936 (e)1. A person whose Financial Technology Sandbox
937 application is approved by the office shall maintain
938 comprehensive records relating to the innovative financial
939 product or service. The person shall keep these records for at
940 least 5 years after the conclusion of the sandbox period. The
941 commission may specify by rule additional records requirements.
942 2. The office may examine the records maintained under
943 subparagraph 1. at any time, with or without notice.
944 (6) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
945 (a) A person who is authorized to make an innovative
946 financial product or service available to consumers may apply
947 for an extension of the initial sandbox period for up to 12
948 additional months for a purpose specified in subparagraph (b)1.
949 or subparagraph (b)2. A complete application for an extension
950 must be filed with the office at least 90 days before the
951 conclusion of the initial sandbox period. The office shall
952 approve or deny the application for extension in writing at
953 least 35 days before the conclusion of the initial sandbox
954 period. In deciding to approve or deny an application for
955 extension of the sandbox period, the office must, at a minimum,
956 consider the current status of the factors previously considered
957 under paragraph (4)(e).
958 (b) An application for an extension under paragraph (a)
959 must cite one of the following reasons as the basis for the
960 application and must provide all relevant supporting information
962 1. Amendments to general law or rules are necessary to
963 offer the innovative financial product or service in this state
965 2. An application for a license that is required in order
966 to offer the innovative financial product or service in this
967 state permanently has been filed with the office, and approval
968 is pending.
969 (c) At least 30 days before the conclusion of the initial
970 sandbox period or the extension, whichever is later, a person
971 who makes an innovative financial product or service available
972 shall provide written notification to consumers regarding the
973 conclusion of the initial sandbox period or the extension and
974 may not make the financial product or service available to any
975 new consumers after the conclusion of the initial sandbox period
976 or the extension, whichever is later, until legal authority
977 outside of the Financial Technology Sandbox exists to make the
978 financial product or service available to consumers. After the
979 conclusion of the sandbox period or the extension, whichever is
980 later, the person who makes the innovative financial product or
981 service available may:
982 1. Collect and receive money owed to the person or pay
983 money owed by the person, based on agreements with consumers
984 made before the conclusion of the sandbox period or the
986 2. Take necessary legal action.
987 3. Take other actions authorized by commission rule which
988 are not inconsistent with this subsection.
989 (7) EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
991 (a) Notwithstanding any other provision of law, upon
992 approval of a Financial Technology Sandbox application, the
993 office may grant an applicant a waiver of a requirement, or a
994 portion thereof, which is imposed by rule as authorized by any
995 of the following provisions of general law, if all of the
996 conditions in paragraph (b) are met. If the application is
997 approved for a person who otherwise would be subject to the
998 provisions of chapter 560, chapter 516, chapter 517, chapter
999 520, or chapter 537, the following provisions shall not be
1000 applicable to the approved sandbox participant:
1001 1. Section 560.1105.
1002 2. Section 560.118.
1003 3. Section 560.125, except for s. 560.125(2).
1004 4. Section 560.128.
1005 5. Section 560.1401, except for s. 560.1401(2)-(4).
1006 6. Section 560.141, except for s. 560.141(1)(b)-(d).
1007 7. Section 560.142, except that the office may prorate the
1008 license renewal fees provided in ss. 560.142 and 560.143 for an
1009 extension granted under subsection (6).
1010 8. Section 560.143(2), to the extent necessary for
1011 proration of the renewal fee under subparagraph 7.
1012 9. Section 560.205, except for s. 560.205(1) and (3).
1013 10. Section 560.208, except for s. 560.208(3)-(6).
1014 11. Section 560.209, except that the office may modify the
1015 net worth, corporate surety bond, and collateral deposit amounts
1016 required under s. 560.209. The modified amounts must be in such
1017 lower amounts that the office determines to be commensurate with
1018 the considerations under paragraph (4)(e) and the maximum number
1019 of consumers authorized to receive the financial product or
1020 service under this section.
1021 12. Section 516.03, except for the license and
1022 investigation fee. The office may prorate the license renewal
1023 fees for an extension granted under subsection (6). The office
1024 may not waive the evidence of liquid assets of at least $25,000.
1025 13. Section 516.05, except that the office may make an
1026 investigation of the facts concerning the applicant’s
1028 14. Section 516.12.
1029 15. Section 516.19.
1030 16. Section 517.07.
1031 17. Section 517.12.
1032 18. Section 517.121.
1033 19. Section 520.03, except for the application fee. The
1034 office may prorate the license renewal fees for an extension
1035 granted under subsection (6).
1036 20. Section 520.12.
1037 21. Section 520.25.
1038 22. Section 520.32, except for the application fee. The
1039 office may prorate the license renewal fees for an extension
1040 granted under subsection (6).
1041 23. Section 520.39.
1042 24. Section 520.52, except for the application fee. The
1043 office may prorate the license renewal fees for an extension
1044 granted under subsection (6).
1045 25. Section 520.57.
1046 26. Section 520.63, except for the application fee. The
1047 office may prorate the license renewal fees for an extension
1048 granted under subsection (6).
1049 27. Section 520.997.
1050 28. Section 520.98.
1051 29. Section 537.004, except for s. 537.004(2) and (5). The
1052 office may prorate the license renewal fees for an extension
1053 granted under subsection (6).
1054 30. Section 537.005, except that the office may modify the
1055 corporate surety bond amount required by s. 537.005. The
1056 modified amount must be in such lower amount that the office
1057 determines to be commensurate with the considerations under
1058 paragraph (4)(e) and the maximum number of consumers authorized
1059 to receive the product or service under this section.
1060 31. Section 537.007.
1061 32. Section 537.009.
1062 33. Section 537.015.
1063 (b) During a sandbox period, the exceptions granted in
1064 paragraph (a) are applicable if all of the following conditions
1065 are met:
1066 1. The general law or corresponding rule currently prevents
1067 the innovative financial product or service to be made available
1068 to consumers.
1069 2. The exceptions or rule waivers are not broader than
1070 necessary to accomplish the purposes and standards specified in
1071 this section, as determined by the office.
1072 3. No provision relating to the liability of an
1073 incorporator, director, or officer of the applicant is eligible
1074 for a waiver.
1075 4. The other requirements of this section are met.
1076 (8) REPORT.—A person authorized to make an innovative
1077 financial product or service available to consumers under this
1078 section shall submit a report to the office twice a year as
1079 prescribed by commission rule. The report must, at a minimum,
1080 include financial reports and the number of consumers who have
1081 received the financial product or service.
1082 (9) CONSTRUCTION.—A person whose Financial Technology
1083 Sandbox application is approved shall be deemed licensed under
1084 the applicable exceptions to general law or waiver of the rule
1085 requirements specified under subsection (7), unless the person’s
1086 authorization to make the financial product or service available
1087 to consumers under this section has been revoked or suspended.
1088 (10) VIOLATIONS AND PENALTIES.—
1089 (a) A person who makes an innovative financial product or
1090 service available to consumers in the Financial Technology
1091 Sandbox is:
1092 1. Not immune from civil damages for acts and omissions
1093 relating to this section.
1094 2. Subject to all criminal statutes and any other statute
1095 not specifically excepted under subsection (7).
1096 (b)1. The office may, by order, revoke or suspend
1097 authorization granted to a person to make an innovative
1098 financial product or service available to consumers if:
1099 a. The person has violated or refused to comply with this
1100 section, a rule of the commission, an order of the office, or a
1101 condition placed by the office on the approval of the person’s
1102 Financial Technology Sandbox application;
1103 b. A fact or condition exists that, if it had existed or
1104 become known at the time that the Financial Technology Sandbox
1105 application was pending, would have warranted denial of the
1106 application or the imposition of material conditions;
1107 c. A material error, false statement, misrepresentation, or
1108 material omission was made in the Financial Technology Sandbox
1109 application; or
1110 d. After consultation with the person, continued testing of
1111 the innovative financial product or service would:
1112 (I) Be likely to harm consumers; or
1113 (II) No longer serve the purposes of this section because
1114 of the financial or operational failure of the financial product
1115 or service.
1116 2. Written notice of a revocation or suspension order made
1117 under subparagraph 1. must be served using any means authorized
1118 by law. If the notice relates to a suspension, the notice must
1119 include any condition or remedial action that the person must
1120 complete before the office lifts the suspension.
1121 (c) The office may refer any suspected violation of law to
1122 an appropriate state or federal agency for investigation,
1123 prosecution, civil penalties, and other appropriate enforcement
1125 (d) If service of process on a person making an innovative
1126 financial product or service available to consumers in the
1127 Financial Technology Sandbox is not feasible, service on the
1128 office shall be deemed service on such person.
1129 (11) RULES AND ORDERS.—
1130 (a) The commission shall adopt rules to administer this
1132 (b) The office may issue all necessary orders to enforce
1133 this section and may enforce the orders in accordance with
1134 chapter 120 or in any court of competent jurisdiction. These
1135 orders include, but are not limited to, orders for payment of
1136 restitution for harm suffered by consumers as a result of an
1137 innovative financial product or service.
1138 Section 12. Except as otherwise expressly provided in this
1139 act, this act shall take effect July 1, 2020.