Florida Senate - 2024 SB 972
By Senator Gruters
22-00466-24 2024972__
1 A bill to be entitled
2 An act relating to artificial intelligence; amending
3 s. 282.0041, F.S.; defining terms; creating s. 282.32,
4 F.S.; creating the Artificial Intelligence Advisory
5 Council within the Department of Management Services;
6 requiring the department to provide administrative
7 support to the council; specifying the purpose of the
8 council; providing duties of the council; providing
9 for membership of the council; requiring members to be
10 appointed to the council by a specified date;
11 providing that certain members are to serve as co
12 chairs of the council; providing for staggered terms;
13 authorizing the appointing authority to remove a
14 member and fill the vacancy; requiring that the
15 appointing authority fill a vacancy in the same manner
16 as the original appointment; providing that members
17 may not receive compensation for service but may be
18 reimbursed for per diem and travel expenses; requiring
19 the council to meet by a specified date, and monthly
20 thereafter; authorizing the co-chairs to call for a
21 meeting at any time; requiring the council to submit
22 quarterly reports to the Governor and the Legislature;
23 providing requirements for the report; creating s.
24 282.321, F.S.; requiring each state agency to prepare
25 and submit, by a specified date and using money
26 appropriated by the Legislature, an inventory report
27 for all automated decision systems that are being
28 developed, used, or procured by the agency; requiring
29 the agencies to submit the report to the department,
30 the council, and any applicable standing legislative
31 committees; providing requirements for the report;
32 requiring the department, by a specified date and in
33 consultation with the council, to prescribe by rule a
34 form, contents, and manner of submission for such
35 reports; creating s. 282.323, F.S.; providing
36 legislative intent; prohibiting a county or a
37 municipality or a political subdivision thereof from
38 regulating the private and public use of artificial
39 intelligence systems; providing an effective date.
40
41 Be It Enacted by the Legislature of the State of Florida:
42
43 Section 1. Section 282.0041, Florida Statutes, is amended
44 to read:
45 282.0041 Definitions.—As used in this chapter, the term:
46 (1) “Agency assessment” means the amount each customer
47 entity must pay annually for services from the Department of
48 Management Services and includes administrative and data center
49 services costs.
50 (2) “Agency data center” means agency space containing 10
51 or more physical or logical servers.
52 (3) “Algorithm” means a computerized procedure consisting
53 of a set of steps used to accomplish a determined task.
54 (4) “Artificial intelligence system” means a system capable
55 of all of the following:
56 (a) Perceiving an environment through data acquisition and
57 processing and interpreting the derived information to take an
58 action or actions or to imitate intelligent behavior given a
59 specific goal.
60 (b) Learning and adapting behavior by analyzing how the
61 environment is affected by prior actions.
62 (5) “Automated decision system” means an algorithm,
63 including an algorithm incorporating machine learning or other
64 artificial intelligence techniques, that uses data-based
65 analytics to make or support governmental decisions, judgments,
66 or conclusions.
67 (6) “Automated final decision system” means an automated
68 decision system that makes final decisions, judgments, or
69 conclusions without human intervention.
70 (7) “Automated support decision system” means an automated
71 decision system that provides information to inform the final
72 decision, judgment, or conclusion of a human decisionmaker.
73 (8) “Breach” has the same meaning as provided in s.
74 501.171.
75 (9)(4) “Business continuity plan” means a collection of
76 procedures and information designed to keep an agency’s critical
77 operations running during a period of displacement or
78 interruption of normal operations.
79 (10)(5) “Cloud computing” has the same meaning as provided
80 in Special Publication 800-145 issued by the National Institute
81 of Standards and Technology.
82 (11)(6) “Computing facility” or “agency computing facility”
83 means agency space containing fewer than a total of 10 physical
84 or logical servers, but excluding single, logical-server
85 installations that exclusively perform a utility function such
86 as file and print servers.
87 (12) “Council” means the Artificial Intelligence Advisory
88 Council created in s. 282.32.
89 (13)(7) “Customer entity” means an entity that obtains
90 services from the Department of Management Services.
91 (14)(8) “Cybersecurity” means the protection afforded to an
92 automated information system in order to attain the applicable
93 objectives of preserving the confidentiality, integrity, and
94 availability of data, information, and information technology
95 resources.
96 (15)(9) “Data” means a subset of structured information in
97 a format that allows such information to be electronically
98 retrieved and transmitted.
99 (16)(10) “Data governance” means the practice of
100 organizing, classifying, securing, and implementing policies,
101 procedures, and standards for the effective use of an
102 organization’s data.
103 (17)(11) “Department” means the Department of Management
104 Services.
105 (18)(12) “Disaster recovery” means the process, policies,
106 procedures, and infrastructure related to preparing for and
107 implementing recovery or continuation of an agency’s vital
108 technology infrastructure after a natural or human-induced
109 disaster.
110 (19)(13) “Electronic” means technology having electrical,
111 digital, magnetic, wireless, optical, electromagnetic, or
112 similar capabilities.
113 (20)(14) “Electronic credential” means an electronic
114 representation of the identity of a person, an organization, an
115 application, or a device.
116 (21)(15) “Enterprise” means state agencies and the
117 Department of Legal Affairs, the Department of Financial
118 Services, and the Department of Agriculture and Consumer
119 Services.
120 (22)(16) “Enterprise architecture” means a comprehensive
121 operational framework that contemplates the needs and assets of
122 the enterprise to support interoperability.
123 (23)(17) “Enterprise information technology service” means
124 an information technology service that is used in all agencies
125 or a subset of agencies and is established in law to be
126 designed, delivered, and managed at the enterprise level.
127 (24)(18) “Event” means an observable occurrence in a system
128 or network.
129 (25)(19) “Incident” means a violation or an imminent threat
130 of violation, whether such violation is accidental or
131 deliberate, of information technology resources, security,
132 policies, or practices. An imminent threat of violation refers
133 to a situation in which a state agency, county, or municipality
134 has a factual basis for believing that a specific incident is
135 about to occur.
136 (26)(20) “Information technology” means equipment,
137 hardware, software, firmware, programs, systems, networks,
138 infrastructure, media, and related material used to
139 automatically, electronically, and wirelessly collect, receive,
140 access, transmit, display, store, record, retrieve, analyze,
141 evaluate, process, classify, manipulate, manage, assimilate,
142 control, communicate, exchange, convert, converge, interface,
143 switch, or disseminate information of any kind or form.
144 (27)(21) “Information technology policy” means a definite
145 course or method of action selected from among one or more
146 alternatives that guide and determine present and future
147 decisions.
148 (28)(22) “Information technology resources” has the same
149 meaning as provided in s. 119.011.
150 (29)(23) “Interoperability” means the technical ability to
151 share and use data across and throughout the enterprise.
152 (30)(24) “Open data” means data collected or created by a
153 state agency, the Department of Legal Affairs, the Department of
154 Financial Services, and the Department of Agriculture and
155 Consumer Services, and structured in a way that enables the data
156 to be fully discoverable and usable by the public. The term does
157 not include data that are restricted from public disclosure
158 based on federal or state laws and regulations, including, but
159 not limited to, those related to privacy, confidentiality,
160 security, personal health, business or trade secret information,
161 and exemptions from state public records laws; or data for which
162 a state agency, the Department of Legal Affairs, the Department
163 of Financial Services, or the Department of Agriculture and
164 Consumer Services is statutorily authorized to assess a fee for
165 its distribution.
166 (31)(25) “Performance metrics” means the measures of an
167 organization’s activities and performance.
168 (32)(26) “Project” means an endeavor that has a defined
169 start and end point; is undertaken to create or modify a unique
170 product, service, or result; and has specific objectives that,
171 when attained, signify completion.
172 (33)(27) “Project oversight” means an independent review
173 and analysis of an information technology project that provides
174 information on the project’s scope, completion timeframes, and
175 budget and that identifies and quantifies issues or risks
176 affecting the successful and timely completion of the project.
177 (34) “Public or private institution of higher education”
178 means:
179 (a) A state university or a Florida College System
180 institution as those terms are defined in s. 1000.21(8) and (5),
181 respectively; or
182 (b) An independent postsecondary educational institution as
183 defined in s. 1005.02.
184 (35)(28) “Ransomware incident” means a malicious
185 cybersecurity incident in which a person or an entity introduces
186 software that gains unauthorized access to or encrypts,
187 modifies, or otherwise renders unavailable a state agency’s,
188 county’s, or municipality’s data and thereafter the person or
189 entity demands a ransom to prevent the publication of the data,
190 restore access to the data, or otherwise remediate the impact of
191 the software.
192 (36)(29) “Risk assessment” means the process of identifying
193 security risks, determining their magnitude, and identifying
194 areas needing safeguards.
195 (37)(30) “Service level” means the key performance
196 indicators (KPI) of an organization or service which must be
197 regularly performed, monitored, and achieved.
198 (38)(31) “Service-level agreement” means a written contract
199 between the Department of Management Services or a provider of
200 data center services and a customer entity which specifies the
201 scope of services provided, the service level, the duration of
202 the agreement, the responsible parties, and the service costs. A
203 service-level agreement is not a rule pursuant to chapter 120.
204 (39)(32) “Stakeholder” means a person, group, organization,
205 or state agency involved in or affected by a course of action.
206 (40)(33) “Standards” means required practices, controls,
207 components, or configurations established by an authority.
208 (41)(34) “State agency” means any official, officer,
209 commission, board, authority, council, committee, or department
210 of the executive branch of state government; the Justice
211 Administrative Commission; and the Public Service Commission.
212 The term does not include university boards of trustees or state
213 universities. As used in part I of this chapter, except as
214 otherwise specifically provided, the term does not include the
215 Department of Legal Affairs, the Department of Agriculture and
216 Consumer Services, or the Department of Financial Services.
217 (42)(35) “SUNCOM Network” means the state enterprise
218 telecommunications system that provides all methods of
219 electronic or optical telecommunications beyond a single
220 building or contiguous building complex and used by entities
221 authorized as network users under this part.
222 (43)(36) “Telecommunications” means the science and
223 technology of communication at a distance, including electronic
224 systems used in the transmission or reception of information.
225 (44)(37) “Threat” means any circumstance or event that has
226 the potential to adversely impact a state agency’s operations or
227 assets through an information system via unauthorized access,
228 destruction, disclosure, or modification of information or
229 denial of service.
230 (45)(38) “Variance” means a calculated value that
231 illustrates how far positive or negative a projection has
232 deviated when measured against documented estimates within a
233 project plan.
234 Section 2. Section 282.32, Florida Statutes, is created to
235 read:
236 282.32 Artificial Intelligence Advisory Council.—
237 (1) The Artificial Intelligence Advisory Council, an
238 advisory council as defined in s. 20.03, is created within the
239 department. Except as otherwise provided in this section, the
240 council shall operate in a manner consistent with s. 20.052. The
241 department shall provide administrative support to the council.
242 The purpose of the council is to study and monitor the
243 development and deployment of artificial intelligence systems in
244 state government. The council shall do all of the following:
245 (a) Assess the need for legislative reform and the creation
246 of a state code of ethics for the use of artificial intelligence
247 systems in state government.
248 (b) Study and monitor the effects of automated decision
249 systems on the constitutional and legal rights, duties, and
250 privileges of the residents of this state.
251 (c) Study and monitor the potential benefits, liabilities,
252 and risks that the state, private residents, and businesses
253 could incur as a result of implemented automated decision
254 systems.
255 (d) Recommend administrative and legislative actions that
256 state governmental agencies and the Legislature can use to
257 promote the development of artificial intelligence in this
258 state.
259 (2)(a) The council shall be composed of the following
260 members, whose appointments must be made by October 1, 2024:
261 1. Two members of the Senate, appointed by the President of
262 the Senate.
263 2. Two members of the House of Representatives, appointed
264 by the Speaker of the House of Representatives.
265 3. An academic professional specializing in ethics who is
266 employed by a public or private institution of higher education,
267 appointed by the Governor.
268 4. An academic professional specializing in artificial
269 intelligence systems who is employed by a public or private
270 institution of higher education, appointed by the Governor.
271 5. An expert on law enforcement usage of artificial
272 intelligence systems, appointed by the Governor.
273 6. A policy expert, appointed by the Governor.
274 7. A constitutional and legal rights expert, appointed by
275 the Governor.
276 (b) The members appointed pursuant to subparagraphs (a)1.
277 and 2. shall serve as co-chairs of the council.
278 (c) Each member of the council shall be appointed to a 4
279 year term; however, for the purpose of providing staggered
280 terms, of the initial appointments, the members appointed
281 pursuant to subparagraphs (a)1. and 2. shall be appointed to 2
282 year terms, and the other members shall be appointed to 4-year
283 terms. A member of the council may be removed at any time by the
284 member’s appointing authority, who shall fill the vacancy in the
285 same manner as the original appointment for the remainder of the
286 unexpired term.
287 (d) A member of the council may not receive compensation
288 for serving on the council but may be reimbursed for per diem
289 and travel expenses in accordance with s. 112.061.
290 (3) The council shall meet no later than November 1, 2024,
291 and monthly thereafter, and at other times upon call of the co
292 chairs.
293 (4) The council shall submit quarterly reports to the
294 Governor, the President of the Senate, and the Speaker of the
295 House of Representatives. The reports must contain all of the
296 following:
297 (a) A summary of the council’s findings after reviewing the
298 automated decision systems inventory reports submitted pursuant
299 to s. 282.321.
300 (b) A summary of the recommendations of any relevant
301 national bodies on use of artificial intelligence systems in
302 state government.
303 (c) An assessment of the impact of using artificial
304 intelligence systems on the liberty, finances, livelihood, and
305 privacy interests of the residents of this state.
306 (d) Recommendations of policies necessary to accomplish all
307 of the following:
308 1. Protecting the privacy and interests of the residents of
309 this state from any negative effects caused by artificial
310 intelligence systems.
311 2. Ensuring that the residents of this state are free from
312 unfair discrimination caused or compounded by artificial
313 intelligence systems.
314 3. Promoting the development and deployment of artificial
315 intelligence in this state.
316 (e) Any other information the council considers relevant.
317 Section 3. Section 282.321, Florida Statutes, is created to
318 read:
319 282.321 Automated decision systems inventory report.—
320 (1) Each state agency shall, using money appropriated to
321 the agency by the Legislature, prepare an inventory report of
322 all automated decision systems that are being developed, used,
323 or procured by the agency. No later than July 1, 2025, each
324 state agency shall submit such reports to the department, the
325 council, and any standing committee of the Legislature which is
326 responsible for overseeing the state’s information technology,
327 and the inventory report must include all of the following:
328 (a) The name and vendor of the automated decision system,
329 if any.
330 (b) The automated decision system’s general capabilities,
331 including all of the following:
332 1. Reasonably foreseeable capabilities outside the scope of
333 the agency’s proposed use.
334 2. Whether the automated decision system is used or may be
335 used for independent decisionmaking powers and the impact or
336 potential impact of those decisions on the residents of this
337 state.
338 (c) The types of data inputs that the automated decision
339 system uses.
340 (d) How the data described by paragraph (c) is or will be
341 generated, collected, and processed.
342 (e) The types of data the automated decision system
343 generates or is reasonably likely to generate.
344 (f) Whether the automated decision system has or has not
345 been tested by an independent third party to determine if it has
346 a known bias or is untested for bias.
347 (g) The purpose and use or proposed use of the automated
348 decision system, including all of the following:
349 1. The decisions the automated decision system is or will
350 be used to make or support.
351 2. Whether the automated decision system is an automated
352 final decision system or an automated support decision system.
353 3. The automated decision system’s intended benefits,
354 including any data or research relevant to the outcome of those
355 benefits.
356 (h) How automated decision system data is or will be
357 securely stored and processed, and the reasons the agency does
358 or does not share access to the automated decision system or
359 data from the automated decision system with any other entity.
360 (i) The fiscal impacts of the automated decision system or
361 potential fiscal impacts on information technology, including
362 all of the following:
363 1. Initial acquisition costs and ongoing operating costs,
364 such as maintenance, licensing, personnel, legal compliance, use
365 auditing, data retention, and security costs.
366 2. Any cost savings that have been or will be achieved
367 through the use of the technology.
368 3. Any current or potential sources of funding, including
369 any subsidies or free products being offered by vendors or
370 governmental entities.
371 (2) No later than January 1, 2025, the department, in
372 consultation with the council, shall prescribe by rule the form,
373 contents, and manner of submission of the automated decision
374 systems inventory report required under this section.
375 Section 4. Section 282.323, Florida Statutes, is created to
376 read:
377 282.323 Local government preemption.—
378 (1) It is the intent of the Legislature to create a
379 statewide uniform policy regulating the public and private use
380 of artificial intelligence.
381 (2) A county or a municipality or any political subdivision
382 thereof may not regulate the private or public use of artificial
383 intelligence systems.
384 Section 5. This act shall take effect July 1, 2024.